Acronyms Flashcards

1
Q

RASP - what is it? What does it stand for?

A

RASP provides details of the risk management framework and helps define risk management context.

R = "Risk"
A = Architecture (as in Risk Architecture: committees, roles, responsibilities etc.)
S = Strategy (as in the RM philosophy, appetite, how it is embedded)
P = Protocols (tools, techniques, assessment procedures)
2
Q

CHOC - what is it? What does it stand for?

A

CHOC are the 4 different CATEGORIES of risk used by Hopkin.

C = Compliance Risks: Minimize these.
H = Hazard Risks: Mitigate these. 'Pure Risk'. Impact always negative
O = Opportunity Risks: Embrace these. 'Speculative'. Impact has the potential to be positive.
C = Control Risks: Manage these. 'Speculative'. Impact uncertain.
3
Q

FIRM - what is it? What does it stand for?

A

FIRM is an example of a Risk Categorisation approach that can also be used when developing a ‘Scorecard’ for Risk.

F = Financial - Internal  (the way money is managed, profitability)
I = Infrastructure - Internal (efficiency of processes)
R = Reputational - External (perception)
M = Marketplace - External

Other categorisation approaches include PESTLE (best used for Hazard Risks) or the COSO ERM approach (SORC). CHOC could also be overlaid.

4
Q

The 4N’s of Risk Maturity - what are they?

A

The 4N’s relate to the Risk Maturity Model - the “Status Levels” or “Stages” of Risk Maturity. Each stage matches well with a level of embedment under FOIL.

Naive - Fragmented ERM embedment
Novice - Organised ERM embedment
Normalised - Influential ERM embedment
Natural - Leading ERM embedment

5
Q

FOIL - what is it?

A

FOIL relates to the characteristics of Risk Management (or ERM) embedment in an organisation

F = Fragmented (legal and compliance only, e.g. HSE)
O = Organised (coordinated and planned across all types of risk)
I = Influential (ERM is now influencing process and behaviours)
L = Leading (Risk is a substantial factor in decision making)

Different levels of embedment are often seen accompanied by a level of Risk Maturity in an organisation; these are the ‘4 N’s of Risk Maturity’.

6
Q

PACED - what is it?

A

PACED are the 5 Principles of a Risk Framework (what a successful ERM initiative and Framework should be / ‘what does good look like’)

P = Proportionate (to the level of risk in an org)
A = Aligned (with other business activities)
C = Comprehensive (systematic, structured)
E = Embedded (within the business, procedures etc.)
D = Dynamic (iterative and responsive to change)

While ‘PACED’ shows ‘what good looks like’, ‘MADE2’ tells us ‘what good gives us’ and what objectives good Risk Management will achieve.

7
Q

MADE2 - what is it?

A

MADE2 tells us ‘what good gives us’ and what objectives good Risk Management will achieve.

M = Mandatory requirements will be met (rules, regulations, laws etc.)
A = Assurance that control activities are working and are 'PACED'
D = Decision making will be able to use appropriate risk based information
E(2) = Effective and Efficient core processes, which will help achieve 'STOC' (strategic, tactical, operational and compliance objectives)
8
Q

STOC - what is it?

A

STOC are the core processes of an organisation

S = Strategy (what the org intends to achieve and how it plans to achieve it)
T = Tactics (the means by which Strategy will be delivered)
O = Operations (the actual activity)
C = Compliance (the processes, protocols and procedures in place to ensure mandatory obligations are met)
9
Q

PESTLE - what is it?

A

PESTLE is another Risk Classification system (like FIRM, or SORC).

P = Political (Tax policy, employment laws, regulations)
E = Economic (Growth, Interest Rates, Inflation, Credit)
S = Sociological (Norms, cultures, age distribution)
T = Technical (Disruption, barriers to entry, tech changes)
L = Legal (changes to laws impacting business)
E = Environmental (or Ethical)

Best applied for HAZARD risks and EXTERNAL risks - and less applicable for financial, infrastructure, reputational.

Also good to use PESTLE within an assessment workshop. The ‘orange book’ recommends doing a SWOT against each PESTLE category.

10
Q

The 4 T’s - what are they?

A

The ‘4T’s’ relate to the ‘Risk Response’ and specifically the methods to treat HAZARD risk.

Tolerate - Low Impact, Low Likelihood
Treat - Control or reduce Low Impact, High Likelihood (most common response)
Terminate - Impact is too high, likelihood is too high … just need to stop the activity.
Transfer - High impact but low likelihood. This is via Insurance or other contractual arrangements to offload some risk

Risk responses for Strategic Risks use the 4Es and 5Es approach.

p.175

11
Q

4E’s and 5E’s

A

Both are used as Risk Responses for Strategic Risk or Opportunity Risk.

4E’s :
Exploit (High Reward, Low Risk … until competitors arrive)
Exist (Low Reward, Low Risk … in maturing markets)
Explore (Low Reward, High Risk .. entrepreneurial opportunities)
Expand (High Reward, High Risk … depending on risk appetite and capacity; see 5E’s)

5E’s: works as a flow chart and adds to ‘Expand’ by saying ‘Expand if you can (if you have the resources and appetite), or Exit if not (which may still be for a profit)’.

Start at Explore (high risk, low (current) reward), move up to Expand OR move up again to Exit, then shift left to Exploit, then shift down to Exist.

12
Q

SORC and the COSO Cube

A

The ERM version of the COSO cube was produced in 2004.

COSO = Committee of the Sponsoring Organisations of the Treadway Committee (2004)

SORC = is the top of the cube and are the 4 Categories of Corporate Objectives (similar to STOC).

S = Strategic (high level goals)
O = Operations (effective and efficient use of resources)
R = Reporting (need to report reliably)
C = Compliance with laws.

The front of the cube shows the Risk Management approach aligned to how management runs an organisation.

13
Q

LILAC

A

LILAC is how a Risk-Aware Culture is achieved, through:

L = Leadership: Strong leadership on strategy, projects and operations.
I = Involvement: of all stakeholders in the risk management culture.
L = Learning: and emphasis on training in risk management procedures and learning from events.
A = Accountability: for actions and deliverables (but not a 'blame culture').
C = Communication: and openness on issues and lessons learnt.
14
Q

CoCo and the 4 components of CoCo

A

CoCo is the ‘Canadian Criteria of Control’ framework.

It is a framework to measure, or benchmark, the quality of the Control Environment, known as the ‘internal environment’ in the COSO cube. The quality of the control environment is also a very good indicator of overall ‘Risk Culture’.

The 4 CoCo Components are:

1) Purpose: Sense of direction / what are we here for?
2) Commitment: Sense of identity / do we want to do a good job?
3) Capability: sense of competence / what actions do we need to take?
4) Monitoring & Learning: sense of evolution / what’s next / how do we get better?

Also know LILAC as another indicator or benchmark for Risk Culture.

15
Q

SOx … what are the two to know

A

Step 1: get the data right … SOx 302 - Full and accurate disclosure of all information about the organisation (validated). All data produced by an organisation must be validated.

Step 2: get the data audited … SOx 404 - Accurate reporting of results to a higher authority (must be audited).

Context is with Risk Management Reporting and the Responsibilities of the Board.

SOx recommends use of COSO.

16
Q

The 4c’s ..

A

4C’s relate to ‘Attitude to Risk’

Comfort - what risks are you comfortable to take? (one of the lows … either low impact or VERY low likelihood)
Cautious - a band through the middle
Concerned - a band a bit more ‘upper right’
Critical - far right … high impact (to that business) and likelihood.

Can be an alternative to ‘Appetite’, but ‘Attitude’ can be the longer-term overall attitude to particular types of risk, while ‘Appetite’ is the more immediate need (or willingness) to take a specific risk.

17
Q

CSFRS

A

Just a range of stakeholders.

Customers
Suppliers
Financiers
Regulators
Staff

ISO Guide 73 - Stakeholders: “a person or group concerned with, affected by, or perceiving themselves to be affected by an organisation”

18
Q

CASE

A

CASE relates to Reputation (reminder … ‘get off my case’, I have a good reputation).

A good reputation means customers or clients will be willing to do business with you.

C = Capabilities - A clear purpose, strategy and the ability (and resources, skills) to deliver it.
A = Activities - What the organisation does, what sectors it operates in
S = Standards - What are the levels of quality, service, support etc. that you deliver
E = Ethics - what levels of ethics do you hold yourselves to, and are they regularly monitored, reported on and improved?

Reputation is a component of the FIRM risk scorecard (the R)

19
Q

4P’s

A

The 4P’s are the 4 sources of hazard risks, or ‘categories of operational disruption’ (which you ‘mitigate’).

People - lack people / skill / behaviours / absence
Premises - unable to access / contamination / theft or loss of physical produce
Process - IT / Communications / Hackers / Transport Systems
Products - Poor product or service quality / supply chain issues

Reminder: CHOC Risks
Compliance - Minimise
Hazard - Mitigate
Opportunity - Embrace
Control - Manage
20
Q

PCDD

A

PCDD are the 4 Types of Hazard Control (a hierarchy).

P = Preventive (Terminate) stop these high risk high impact events happening. ‘The most important type of control’ (also eliminate, remove, substitute)

C = Corrective (Treat) … the next best option. You know these events happen (lower impact, high probability), so make sure you can limit their scope or limit the impacts. Barriers or guards, even passwords (to stop access), are corrective: simple and cost effective.

D = Directive (Transfer) relies on people or training to act / operate / behave in a certain way to prevent occurrence.

D = Detective (Tolerate) keep an eye on these, make sure you are able to detect them when they occur. E.g. a stocktake detects minor theft after it occurs. Health monitoring detects lead exposure after it occurs

21
Q

8Rs

A

The 8Rs and 4Ts are a ‘basic representation of the Risk Management Process”

The 8Rs:
Recognition
Rating
Ranking
Responding (with the 4Ts: Treat, Tolerate, Terminate, Transfer)
Resourcing (of controls)
Reaction (planning and event management)
Reporting (and monitoring of risk performance, actions, events, issues)
Reviewing (of the RM system, including architecture, strategy and procedures)

22
Q

CRAM

A

Risk Practitioner Competencies and the PEOPLE skills required

C = Communication (written, oral, presenting)
R = Relationships (influencing, networking, negotiating)
A = Analytical (and strategic skills)
M = Management (manage, lead teams & projects)
Also need to have TECHNICAL skills related to a Risk Management Framework: "PIML"

P = Planning
I = Implementing
M = Measuring
L = Learning
23
Q

CORR

A

CORR are the components of the business model:

C = Customer (segments & markets, marketing & sales)
O = Offering (the customer value proposition and the value being provided to the customer)
R = Resources (data, capabilities and assets of the business)
R = Resilience (reputation of the business and financial resilience)

Note that Reputation is a big component of Resilience (and is represented by CASE … Capability, Activities, Standards, Ethics)

24
Q

VMOST

A

Vision & Mission
Objectives
Strategy
Tactics

25
Q

OCK

A

OCK are the 3 ways that Risks can be attached:

O = Objectives
C = Core Processes
K = Key Dependencies and stakeholder expectations

Objectives - the most common approach, but it has shortcomings unless objectives are very clearly thought through and understood. It can fail to truly capture all risks.

Core Processes - STOC (Strategy, Tactics, Operations, Compliance)

Dependencies - ‘what are the features or components of the organisation AND its external context that are key to success’ (actually a SWOT), and THEN how can these be impacted. Useful to attach dependencies to a FIRM categorisation.

26
Q

What is Loss Control?

A

Loss Prevention (LHS of bowtie) = reduce likelihood
+
Damage Limitation (middle of bowtie / event) = reduce magnitude of the event while it is occurring (e.g. sprinkler systems)
+
Cost Containment (RHS of bowtie) = reduce subsequent impact and consequences

27
Q

FOSH

A

FOSH is the IRM classification of Risk (actually FSOH):

Financial
Strategic
Operational
Hazard