8. The Risk Management Process

Question 1

Objective setting should be an integrated process linking what to what?

Answer 1

Top level corporate planning

To business activities and operations

Question 2

As objectives are cascaded down the organisation, they become more —

Answer 2

Specific

Question 3

Objectives should be SMART, which means…

Answer 3

Specific
Measurable
Achievable
Realistic
Time bounded

Question 4

Once objectives have been agreed, they should be — for clarification and referral

Answer 4

Documented

Question 5

Define risk IDENTIFICATION

Answer 5

The process of determining what events might occur
To affect the objectives of the organisation
And their root causes

Question 6

Define risk ANALYSIS

Answer 6

The systematic use of available information
To determine the likelihood of specified events occurring
And the magnitude of their consequences

Question 7

Define risk EVALUATION

Answer 7

The process used to determine risk management priorities
By comparing the level of risk against
Predetermined standards
Target risk levels
Or other criteria

Question 8

Risk ASSESSMENT is composed of which three sub-processes?

Answer 8

Risk identification
Risk analysis
Risk evaluation

Question 9

Risk identification needs to be set in the context of what three things?

Answer 9

The organisation’s
Environment
Strategy
Attitude to risk

Question 10

The organisation’s environment includes what six contexts?

Answer 10

Political
Economic
Socio-cultural
Technological
Legislative
Ethical
(PESTLE)

Question 11

Strategy is how the organisation plans to…

Answer 11

Achieve its objectives

Question 12

Ideally the risk management process should be — in the organisation

Answer 12

Embedded

Question 13

What is the aim of risk identification?

Answer 13

To generate a comprehensive list of events
That might affect each business objective
Including the possible causes and scenarios
So that risks are well understood
And their management can be planned and implemented

Question 14

Risk management needs to be practise at — — within an organisation

Answer 14

All levels

Question 15

Why does risk management need to be practised at all levels of the organisation?

Answer 15

Because different kinds of risk, different impacts and probabilities are apparent to people at different levels and locations

Question 16

What are the four high-level methods for identifying risks?

Answer 16

Checklists
Benchmarking
Vulnerability assessment
Scenario planning

Question 17

An off-the-shelf checklist of sources of risk should include both — and — factors

Answer 17

Internal and external factors

Question 18

When identifying risk, some organisations use a checklist of areas of impact, such as…

Answer 18

Increased cost
Loss of revenue
Assets
Personnel
Reputation
Quality
Capacity
Capability to deliver

Question 19

In risk identification, what are the limitations of checklists?

Answer 19

Difficult to adapt to organisation’s circumstances

May not prompt identification of NEW risks

Question 20

In risk identification, BENCHMARKING provides useful — — on other organisation’s risk activities

Answer 20

Comparative information

Question 21

In risk identification, vulnerability assessment entails what?

Answer 21

1. Analysing processes supporting overall business objectives
2. Flagging up where failure or opportunities may occur

Question 22

In risk identification, how does SCENARIO PLANNING basically work?

Answer 22

Analysts review PESTLE trends
And devise scenarios
Assigning a probability of occurrence to each

Question 23

Each of the four main methods of risk identification may be used in a range of exercises. These exercises may include…

Answer 23

Questionnaires
Brainstorming sessions
CRSA workshops

Question 24

In risk identification, names some advantages of using risk questionnaires

Answer 24

Standardised risk model can be circulated

Cheap and easy to employ

Question 25

In risk identification, name some drawbacks to the use of risk questionnaires

Answer 25

Depends on level of understanding of respondents
Tend to ask closed questions
Often drawn up by head of IA and may not have management support

Question 26

In risk identification, name some advantages of using brainstorming sessions

Answer 26

Creative - may lead to identification of new risks

Uses knowledge and experience of management and staff

Question 27

In risk identification, name some disadvantages of brainstorming sessions

Answer 27

Unless used as part of broader programme with other techniques, does not lend itself to risk evaluation, analysis, assessment or risk response selection

Question 28

Where time and management preferences allow, what is the most favoured technique of risk identification?

Answer 28

The risk identification workshop

Question 29

What elements of the risk management process can the risk identification workshop be used to identify?

Answer 29

All of them:
Risks
Existing risk management actions
Processes for embedded monitoring
Additional assurance available to management
Evaluation of risks and responses

Question 30

USUALLY, participants in a risk identification workshop are restricted to…

Answer 30

Top management of a business unit

Question 31

The value of a risk identification workshop lies as much in participants — — the process as the documentation generated

Answer 31

Working through

Question 32

Risk identification workshops have the potential to build — — throughout the organisation and provide a sense of — over risks

Answer 32

Risk awareness

Ownership

Question 33

Name some drawbacks of risk identification workshops

Answer 33

Can be expensive and tie up people for long sessions
Quality of output dependent on level of understanding and commitment
Sometimes impossible to get entire management team together in the required time frame

Question 34

In risk identification, CRSA is the assessment of risk and controls by —, not just management

Answer 34

Staff

Question 35

In risk identification, what may CRSA entail?

Answer 35

Anything between a control self-certification signed off by management
Through questionnaires
To a full blown programme of enterprise-wide facilitated risk identification, analysis, evaluation and assessment workshops

Question 36

In its most simplistic form, what are the three stages of CRSA?

Answer 36

Identify objectives for area and risks
Evaluate responses in place or required
Implement and monitor effectiveness of responses

Question 37

The right — is critically important for CRSA workshops

Answer 37

Facilitator

Question 38

An essential pre-requisite for understanding the likely success of a CRSA programme is an understanding of the organisation’s —

Answer 38

Culture

Question 39

When using CRSA to identify risks, it is essential to obtain proper and full — from the top, to ensure it is taken seriously and acted upon

Answer 39

Sponsorship

Question 40

Advance — and — are essential for CRSA, to ensure participants understand purpose and process

Answer 40

Planning and preparation

Question 41

When planning a CRSA, it is important to select experienced and skilled — —

Answer 41

Workshop facilitators

Question 42

The right — of participants in CRSA ensures contributions are obtained for those who manage, perform and interact with the activities being reviewed

Answer 42

Mix

Question 43

CRSAs should be organised around agreed — — to prevent dominance by one individual or group

Answer 43

Ground rules

Question 44

In the course of a CRSA, it is advisable to use a — — control framework against which to assess the effectiveness of the risk management activities in place

Answer 44

Good practice

Question 45

In the course of a CRSA, it is vital not to miss — — and — — risk responses

Answer 45

Cross-functional

Inter-departmental

Question 46

The results of a CRSA must be r— to enable appropriate follow-up and ensure agreed actions are pursued to completion

Answer 46

Recording

Question 47

List the potential benefits of CRSA

Answer 47

Articulates organisation’s attitude to risk and control
Raises awareness of RM at all levels
Transfers ownership of risk to management and staff
Considers risks and controls in a constructive way
Improves motivation and performance
Provides assurance to senior management on effectiveness of existing controls against risks
Improves level of assurance given to external stakeholders

Question 48

— — risk management involves the board identifying key risks and then circulating to management for review

Answer 48

Top-down

Question 49

— — risk management involves front line management identifying the key risks and passing them up the line to top management for review

Answer 49

Bottom-up

Question 50

What are the main advantages of top-down risk identification?

Answer 50

Strategic focus
Good buy-in at most senior level
Consistency across business units
Manageable number of risks
Speed

Question 51

What are the main disadvantages of a top-down approach to risk identification?

Answer 51

Lack of realism
Lack of buy-in at lower levels
Lack of management responsibility for risks or responses
Root causes of risk may elude top management
Superficiality

Question 52

What are the main advantages of a bottom-up approach to risk identification?

Answer 52

Buy-in at all levels of the organisation
Establishment of management responsibility for risks and responses
Avoids “one-size-fits-all” attitude
Assists in discovering root causes of risk
Wide involvement is seen as best practice in risk identification

Question 53

What are the main disadvantages of a bottom-up approach to risk management?

Answer 53

Huge volume of detail
May be too blinkered by detail
Lack of strategic focus
Effort required to collect and analyse data
Cost, resources and time commitment

Question 54

In risk analysis, — is the chances or odds of a specific event occurring

Answer 54

Likelihood

Question 55

Likelihood may be expressed in both q— and q— terms

Answer 55

Qualitative and quantitative

Question 56

The two types of quantitative expression of likelihood are…

Answer 56

Probability

Frequency of occurrence

Question 57

What is the advantage of using probability to express the likelihood of a risk occurring?

Answer 57

Simpler to understand

Question 58

What is the disadvantage of using probability to express the likelihood of a risk occurring?

Answer 58

No reference point in time or in severity of impact

Question 59

What is the advantage of using frequency of occurrence to express likelihood?

Answer 59

Takes account of impact and expresses likelihood with reference to time

Question 60

What is the disadvantage of using frequency of occurrence to express likelihood of a risk occurring?

Answer 60

More complex and may be confusing to senior management

Question 61

In risk analysis, — is the outcome of an event expressed qualitatively or quantitatively, being a loss, injury, disadvantage or gain

Answer 61

Impact

Question 62

What are the three broad approaches to risk analysis?

Answer 62

Quantitative
Qualitative
Hybrid

Question 63

The quantitative approach to risk analysis expresses risks — relative to each other

Answer 63

Numerically

Question 64

Describe the steps in a quantitative approach to risk analysis

Answer 64

Financial value of impact estimated
Assessment made on a number of probability factors to which weightings are assigned
Financial value multiplied by various probability factors
Single rating calculated for each risk
Risks ranked by ratings

Question 65

What are the main advantages of the quantitative approach to risk analysis?

Answer 65

Appeals to quantitative style of management
Clearly ranks risks so that management attention can be focused on key priorities
If only two factors used, risks can be plotted on a graph

Question 66

What are the disadvantages of a quantitative approach to risk analysis?

Answer 66

Complex and time-consuming when multiple risk factors are analysed
If results contrary to common sense they may be ignored - assessor may fudge results
If ratings include adequacy of controls as probability factor they do not make explicit perceived effectiveness of RM activities

Question 67

— methods of risk analysis judgmentally rate risks relative to each other with descriptive adjectives such as high, medium or low

Answer 67

Qualitative

Question 68

Generally, qualitative risk analyses consider only two risk factors, — and —

Answer 68

Impact and likelihood

Question 69

How may impact be rated when using a qualitative method of risk analysis?

Answer 69

High, medium or low
Within broad financial bands
According to non-financial impacts (e.g., minor injury, serious injury, single fatality, etc)

Question 70

What are the advantages of qualitative risk analyses?

Answer 70

Rapid and simple to use
Provide general prioritisation to help direct management
Accord more with common sense

Question 71

What are the disadvantages of a qualitative approach to risk analysis?

Answer 71

Can be turn-off to quantitative style of management

Where many HH risks are identified, further prioritisation may be needed

Question 72

Whether for quantitative or qualitative approaches to risk analysis, list some sources of information that may be used to help establish likelihood and impact

Answer 72

Historical records
Relevant experience
Industry practice and experience
Relevant published literature
Market research
Experiments and prototypes
Economic, engineering or other models
Specialist and expert judgments

Question 73

When trying to establish likelihood/impact, list some techniques that could be used to gather data

Answer 73

Interviews with relevant experts
Use of multidisciplinary groups of experts
Individual evaluations using questionnaires
Computer and other modelling techniques
Fault trees and event trees

Question 74

When evaluating risk, it is important to distinguish between the evaluation of i— risk and r— risk

Answer 74

Inherent and residual

Question 75

What constitutes the difference between inherent and residual risk?

Answer 75

The measure of the effectiveness of the risk management responses

Question 76

What factors may affect risk appetite?

Answer 76

Organisation size
Organisation environment
Organisational culture and ethos
Organisation's products and services
Stakeholder desires
Competitors activities
Knowledge and experience of staff
Legislation and regulation

Question 77

In non-financial businesses, a q— concept of risk appetite based on subjective preferences may be more helpful

Answer 77

Qualitative

Question 78

With reference to risk appetite, what are the six postulates of RISK COMPENSATION THEORY?

Answer 78

Everyone has propensity to take risks
Propensity varies from individual to individual
Propensity influenced by potential rewards of risk taking
Perceptions of risk influenced by experience of accident losses
Individual risk taking decisions balance risk perception against propensity to take risk
Greater risk taken, on average the greater reward or loss

Question 79

Who should dictate the overall risk appetite within an organisation?

Answer 79

The board of directors

Question 80

Why should an organisation identify its risk appetite?

Answer 80

So that decisions about responses are weighed against agreed criteria

Question 81

If the board’s perspective on risk is to prevail over the perspectives of local management, what should be in place?

Answer 81

Clear risk policies

Question 82

List five downsides to a risk averse approach

Answer 82

Failure to treat risks
Leaving critical decisions to other parties
Deferring decisions which organisation cannot avoid
Selecting option because it represents a potential lower risk regardless of benefits
Avoiding or ignoring risk regardless of information available or cost of treating risk

Question 83

What are the main types of risk response?

Answer 83

Terminate
Tolerate
Transfer
Treat
(Exploit)

Question 84

What are the two main internationally known control frameworks?

Answer 84

COSO framework
CoCo framework (Criteria of Control of the Canadian Institute of Chartered Accountants)

Question 85

What is COSO’s definition of internal control?

Answer 85

A process
Effected by an entity’s board of directors, management, and other personnel,
Designed to provide reasonable assurance
Regarding the achievement of objectives in the following categories:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with laws and regulations
Safeguarding of resources

Question 86

What are the five components of the COSO integrated framework?

Answer 86

Control Environment
Risk assessment
Control activities
Information and communication
Monitoring activities

Question 87

What are the four fundamental concepts of internal control implied in COSO’s definition?

Answer 87

Internal control:
An integrated process
Effected by people (so imprecise)
Provides only reasonable assurance
Geared to achievement of objectives

Question 88

What are the four categories of control by TYPE?

Answer 88

Directive
Preventive
Detective
Corrective

Question 89

Give some examples of DIRECTIVE controls

Answer 89

Plans and objectives
Policy statements
Processes, procedures and guidance manuals
Signage or traffic lights
Training programmes and CPD

Question 90

Give some examples of PREVENTIVE controls

Answer 90

Physical or logical access controls
Segregation of duties
Protective clothing
Vetting of job applicants
Security guards

Question 91

Give some examples of DETECTIVE controls

Answer 91

Fire or smoke detectors
Account reconciliations
CCTV cameras
Supervisory checks
Asset or stock checks
External audit

Question 92

Give some examples of CORRECTIVE controls

Answer 92

Insurance policies
Business continuity plans
Recovery of overpayments
Refresher training
Conduct and disciplinary activity

Question 93

What are the eight categories of control by FORM?

Answer 93

SOAPMAPS
Supervisory
Organisational
Authorisation
Personnel
Management
Accounting
Physical
Segregation of Duties

Question 94

What four key attributes of an accounting system should ACCOUNTING controls address?

Answer 94

CAVA
Completeness
Accuracy
Validity
Authorisation

Question 95

What is the starting point for the risk management process?

Answer 95

Business objectives