Module 2 - Unit 3: Risk Culture, Appetite & Tolerance Flashcards

1
Q

Define “risk culture”

A

Risk culture is a term describing the values, beliefs, knowledge and understanding about risk shared by a group of people with a common purpose, in particular the employees of an organisation or of teams or groups within an organisation.

2
Q

Describe the difference between risk appetite and risk tolerance.

A

Risk appetite relates to the risks a business is willing or unwilling to take, e.g. "We will not tolerate high levels of staff turnover."

Risk tolerance is the variance a business will allow around this appetite, e.g. "We will tolerate staff turnover of up to 15%."

3
Q

How does IRM’s Risk Culture report indicate how a risk culture may be reinforced?

A

The report notes that risk culture may be reinforced in a virtuous cycle of positive actions and behaviours over time that match the organisation’s desired risk culture.

4
Q

What are the three attributes of management and staff that are central to risk culture management?

A

The three attributes central to risk culture management are: Attitudes, Behaviour and Competencies.

(Study guide, pg 39)

5
Q

How can senior management embed the risk culture messages most effectively?

A

Organisations that take on a proactive communication programme will more effectively embed the risk culture messages.

6
Q

Describe two skills of a risk manager associated with implementing a risk management architecture.

A

The two skills can be selected from:

  • Technical analytical skills
  • Influencing skills
  • Presentation skills (oral and written)

7
Q

Provide the definition of a ‘significant risk’

A

A significant risk is a risk with the ability to impact above the established benchmark for that type of risk.

8
Q

A risk aware culture can be achieved by LILAC. What does LILAC stand for?

A

Leadership - must be strong across the organisation in relation to strategy, projects and operations

Involvement - all stakeholders involved in all stages of the RM process

Learning - RM training and learning from events

Accountability - no automatic blame culture, but accountability for actions

Communication - communication and openness on all risk management issues and lessons learnt

(Hopkin, table 24.3, p 289)

9
Q

What acronym can be used to describe the stages of Risk maturity?

A

4Ns

Naive - level 1 - unaware of the need for/benefits of ERM

Novice - level 2 - aware of benefits of ERM, but only just started implementation

Normalised - level 3 - Embedded ERM into business processes, but management effort still required to maintain it adequately

Natural - level 4 - Risk aware culture with a proactive approach to ERM, risk is reliably considered at all stages to gain a competitive advantage

(Hopkin, p293)

10
Q

What do the 4Ns measure?

A

The stages/level of risk maturity in an organisation (Naive, Novice, Normalised, Natural).

(Hopkin, p293)

11
Q

What is the FOIL acronym used to describe?

A

The FOIL acronym is a measure of how well embedded ERM is within an organisation (Fragmented, Organised, Influential, Leading).

(Hopkin, p 293)

12
Q

What acronym/approach can be used to measure how well embedded ERM is within an organisation?

A

The FOIL acronym is a measure of how well embedded ERM is within an organisation:

Fragmented - RM activities are fragmented and focussed on legal/compliance activities (e.g., H&S)

Organised - Actions are planned to co-ordinate across risk types, but may not be fully implemented

Influential - Embedded ERM processes are influencing processes/behaviours, but may not happen consistently or reliably

Leading - Consideration of risk is a major factor in decisions; strategic decisions are led by ERM considerations

(Hopkin, p293)

13
Q

What approaches might be used to measure the level of Risk maturity within an organisation?

A

FOIL (Fragmented, Organised, Influential, Leading) and the 4Ns (Naive, Novice, Normalised, Natural)

(Hopkin, p 293)

14
Q

Why is it important for the Risk manager to be part of the senior leadership team?

A

So that the development of strategy and tactics is led by risk considerations, rather than the risk implications being considered after the strategy and tactics have been decided.

15
Q

Draw a diagram to demonstrate Risk maturity

A

(Hopkin, p295)

16
Q

“To drive a positive risk culture, the senior management must also look at how risk training is carried out and the time and resources dedicated to training and retraining.”

Complete the following sentence:

The ________, ______, ______ and communication components of a risk aware culture are all highly relevant to risk training and risk _____.

A

The involvement, learning, accountability and communication components of a risk aware culture are all highly relevant to risk training and risk communication.

  • Note: all four are components of LILAC; the only part missing is "Leadership"

(Study guide, p41, taken from Hopkin chapter 26)

17
Q

Draw a diagram to illustrate the component parts making up an org’s risk culture

A

From the IRM Risk culture report

Personal predisposition to risk - Every individual comes to an organisation with their own personal perception of risk. Personality traits include: spontaneous/challenge convention vs systematic/compliant, and cautious/pessimistic vs optimistic/fearless

Personal Ethics - Psychometric tools (e.g., Moral DNA) can be used to assess moral values.

Organisational level - Sociability vs Solidarity model (Goffee & Jones, 1998), identifies four org cultures: Networked, Communal, Mercenary, Fragmented.

18
Q

Define risk appetite

A

Hopkin defines risk appetite as “the immediate or short-term willingness of an organisation to undertake an activity that involves risk” and “the total value of the corporate resources that the board of the organisation is willing to put at risk”

(Hopkin, pg 297)

19
Q

How does ISO guide 73 (2009) define risk appetite?

A

ISO guide 73 (2009) defines risk appetite as “The amount and type of risk that an organisation is willing to pursue or retain”

20
Q

Compare cost of risk calculations from the 1980s with today's approach

A

In the 1980s, cost of risk was often calculated by insurance brokers, and enabled a calculation of the total cost of hazard risks to the organisation. The calculations were based on insurance premiums, money spent on loss-control actions and the cost of claims not covered by insurance. They enabled benchmarking against other organisations, and were often used as justification for setting up an in-house or captive insurance company. However, they were based on historical performance, which is not always a good guide to future performance.

Calculations completed now include all types of risk. Organisations often use the concept of risk appetite to calculate the level of risk that the board is willing to take. This can then be compared to the actual risk exposure that the organisation faces.

(Hopkin, pg 300)

21
Q

In relation to risk appetite, draw a diagram that illustrates the range of outcomes for different risk exposures

A

(Hopkin, pg 302)

22
Q

Explain the EM3 approach related to STOC

A

EM3

Embrace Opportunity risks (Strategy)

Manage uncertainty risks (Tactics)

Mitigate hazard risks (Operations)

Minimise compliance risks (Compliance)

(Hopkin, pg 310)