UNIT 4 Flashcards

1
Q

ISO31000 (2018) definition of control

A

A measure that maintains and/or modifies a risk

2
Q

List the 4 risk management approaches to a risk (beware: this is different from risk responses)

A

A risk is getting Chased by a RAT:
- Avoiding the risk by not starting the activity
- Taking the risk to pursue an opportunity
- Removing the risk source
- Changing the likelihood of the risk occurring

3
Q

Response strategies to threats

A

4 Ts:
- Tolerate = an org will tolerate a risk if its perceived severity is less than the actual impact (warning: this is different from tolerating an opportunity)
- Treat = similar to tolerate; the org will retain the risk but take action to treat it by modifying its severity or likelihood
- Terminate = terminate the activity associated with the risk
- Transfer = share the risk with another org (joint venture) or an insurer. This will minimise the impact of the risk

4
Q

Response strategies to opportunity

A

5 Es:
- Explore = an org will explore the new opportunity and assess whether it is worth taking the risk
- Expand = if the org decides to take the opportunity, it will expand it by investing (risk level stays the same, reward increases)
- Exit = the org may decide to exit the opportunity, either because it wants to cash out or because the investment necessary above is outside its risk appetite / capacity. Therefore, the level of risk will decrease, and reward (massive)
- Exploit = the org will continue exploring the opportunity (now its day to day) by further investing in the opportunity or creating a joint venture (low risk, reward the same)
- Exit = a failing company will just not take on any opportunities, and thus the risk and reward are both low

5
Q

A method for TREATING threats

A

Loss control, which is split into three methods of treatment:
- Loss prevention
- Damage limitation
- Cost containment

6
Q

Loss prevention

A

Controls designed to prevent the threat from occurring or to manage its causes; e.g. a policy banning smoking in a factory

7
Q

Damage limitation

A

Controls designed to limit the damage once the threat / event has occurred; e.g. sprinklers or a fire alarm

8
Q

Cost containment

A

Controls designed to limit the long-term impacts / consequences of an event / risk; e.g. a BCP to rebuild a building after a fire

9
Q

Another classification of responses to treat threats

A

PCDD:
- Preventative controls
- Corrective controls
- Detective controls
- Directive controls

10
Q

Preventative controls

A

Designed to prevent the risk from occurring or to minimise the likelihood of it occurring (before the event has happened).

This is the most desirable type of control, but it needs a cost-benefit analysis, as the benefit of preventing a low-likelihood risk is minimal and not cost-effective

11
Q

Corrective controls

A

These controls are developed prior to an event occurring but become effective once it has occurred.

These controls try to correct (minimise or enhance) the impact of an event. They are the most common controls, and their effectiveness needs to be constantly monitored

12
Q

Directive controls

A

These controls direct or instruct a person on how they should behave in given circumstances. This can be either before an event occurs or after. For example, a fire route policy on where to congregate if a fire occurs, or policies on how to behave in a warehouse.

Important = they are not real controls because they do not actually do anything to change the risk

13
Q

Detective controls

A

These detect a risk occurring in real time; e.g. a fire alarm

14
Q

Preventative controls

A

ISO 31000 (2018) defines these as ones that manage the causes and change the likelihood of a risk occurring.

  • Also known as proactive controls
  • In the PCDD acronym, these controls are the preventative and directive
15
Q

Corrective controls

A
  • Also known as reactive; designed to remediate errors and try to lower the impact on the org
  • Includes detective controls, damage limitation and cost containment
16
Q

Anticipatory controls

A

These are put in place to detect anticipated changes to the environment. Therefore, they are long term and strategic in nature. They are implemented in order to prepare an org for changes by helping it to adapt effectively and in good time

17
Q

Insurance

A

It is a risk transfer mechanism and reactive control that needs to be planned in advance but comes into effect once the risk has occurred. It is used to limit the impact of the event.

  • Insurance is where an org makes a contract with the insurer to indemnify them. To indemnify someone against something bad happening means to promise to protect them if it happens.
18
Q

What standard refers to business continuity planning

A

ISO 32301:2019

19
Q

What does the standard ISO 32301:2019 expect of an organisation

A
  • This standard concerns business continuity planning
  • It expects organisations first to identify and understand all the disruptive risks they face
  • It expects the org to have controls in place for these risks
  • An org needs to have an idea of the impacts these risks could have and to plan strategies to overcome them and thus continue day-to-day operations
  • Furthermore, the standard says that orgs need to continuously monitor, test and improve these plans to ensure that the org is more resilient in the future
20
Q

The theory of diminishing level of return

A

How much return the org gets from controlling a risk in comparison to the cost of doing so

Risk response vs risk exposure

21
Q

The purpose of reviewing and monitoring according to ISO 31000 (2018)

A

To assure and improve the quality and effectiveness of process design, implementation and outcomes

22
Q

The difference between monitoring and reviewing

A

Monitoring is ongoing and review is periodic

Monitoring is the checking of the STATUS of risks, controls as well as changes in the context / environment.

Reviewing is checking the EFFECTIVENESS of controls in place

23
Q

What are the core methods of MONITORING risks, controls, changes in context etc.

A

Key risk indicators = anything that measures the change (status) in a risk. KRIs are usually repurposed KPIs and measure things such as change in business performance, increase in sales etc. These are leading indicators that provide early warning signals of change

Key control indicators = these measure the effectiveness of changes in controls. This could include monitoring the number of unauthorised trades that occurred before and after a control was put in place, i.e. the number of trades caught by the control. These are lagging indicators that measure outcomes and results

24
Q

5 risk statuses of a risk

A

Allows for the appropriate focus to be given to risks

  • Draft = the risk has just been raised and needs to be assessed to ensure that it is a real risk
  • Active = actively dealing with the real risk; further actions are required to manage it to an acceptable level
  • Ongoing = the risk is managed to an acceptable level, but not closed and may still change
  • Closed / managed = successfully managed, therefore it can be closed and lessons learnt from it
  • Closed / occurred = it can be closed as it has occurred, but not necessarily managed
25
Q

ISO 73:2009

A

Describes the meanings of communication and consultation

Communication = “continual and iterative processes that an organisation conducts to provide, share or obtain info, and to engage in dialogue with stakeholders regarding the measurement of risk”

Consultation = a process that impacts decision making through the influence of stakeholders. It is a two-way process of informed communication between an org and its stakeholders on an issue prior to making a decision.

26
Q

What does the FRC expect to see in an annual report

A

The principal risks
Review of the Features of the RM system
Review of the Features of the internal control system
Expectations of directors
The going concern

27
Q

The Orange Book (2020) definition of risk treatment

A

Selecting the most appropriate risk treatment options involves balancing the potential benefits derived in relation to the achievement of the objectives against the costs, effort or disadvantages of implementation.

28
Q

ISO 31000 (2018) purpose of risk treatment

A

To select and implement options for addressing risk

29
Q

BCP

A

Business continuity planning

A key risk treatment mechanism and component of cost containment. It is about planning in advance for a potentially disruptive event

30
Q

Check list for control effectiveness =

A

It consists of a checklist regarding control effectiveness, considering the design, implementation and maintenance of the controls, the effect the controls will have on the likelihood and impact of the risk (both threats and opportunities), and the cost of the control

31
Q

HSE suggestion of hierarchy of controls

A

Elimination = physically remove the hazard
Substitution = replace the hazard
Engineering controls = isolate people from the hazard
Administrative controls = change the way people work
PPE = protect the worker with equipment

32
Q

How many times a year does the UK Corporate Governance Code state that the board should carry out a review of the effectiveness of a company's risk management and internal control systems?

A

Annually

33
Q

What does the UK Companies Act 2006 require companies to do

A

Report their principal risks and uncertainties in the annual report and accounts

34
Q

List the 6 steps for effective decision making as explained by Peter Drucker (Harvard Business Review, 1967)

A

1) Classify the problem
2) Define the problem
3) Specify the answer to the problem - what are the boundaries
4) Decide what is right, rather than what is acceptable, in order to meet the boundaries
5) Build the decision into the action to carry it out
6) Test the validity and effectiveness of the decision

35
Q

How do Hillson and Murray Webster (2007) define risk attitude

A

Chosen responses to uncertain situations, driven by whether uncertainty is perceived as favourable, neutral or hostile. As such, perceptions are a fundamental factor of risk attitude. They also consider how these risk attitudes influence the different steps in the RM process and decision making

36
Q

Risk aggregation

A

It describes the process of summing up and developing an overall risk position within an org's delivery chain. In doing so, risk aggregation enables the identification and management of several risks which may be assessed as manageable when considered in isolation but require enhanced management when considered as a whole. It provides orgs with an idea of risk interdependencies.

37
Q

IRM report (2012) on risk appetite says that it should be =

A

Measurable and related to the strategic, tactical and operational levels, and it should reflect the risk capacity and RM maturity of the company.
It should be integrated with the control culture of the company