Chapter 12: Risk-control strategies Flashcards

1
Q

What is risk control?

A

Risk control is focused on preventing the causes and reducing the effects of loss events. From a wider strategic management perspective, risk control may help an organisation to seize opportunities for higher levels of financial and non-financial performance, allowing it to achieve and sometimes exceed its objectives.

Mechanisms such as market research, and strategic investments such as flexible manufacturing systems or IT systems, can help organisations to seize new opportunities.

2
Q

What are loss prevention tools?

A

Loss-prevention tools reduce the probability of a loss event by targeting its causes. The causes of a loss event are usually linked to the actions or inactions of people, failures in processes and systems, or external events.

Examples include: IT system firewall, no-smoking policy, door locks, etc.

3
Q

What is a loss-reduction tool?

A

Loss-reduction tools target the effects of loss events. Loss events may have financial and non-financial effects. In financial terms, they can affect the resources (physical assets and cash assets) of an organisation. Physical assets may be damaged or destroyed, requiring repair or replacement. Cash assets may be lost via fines or liability claims.

Examples include: insurance, whistleblowing arrangements, fire extinguishers, data backup arrangements, etc.

4
Q

What are the Five Ts of risk control?

A

1. Tolerate – no formal action is taken to control the risk; the exposure is considered to be within the organisation's risk appetite
2. Treat – risk treatments are actions taken to manipulate exposure, either to mitigate threats or to exploit opportunities; they include many loss-prevention and loss-reduction tools
3. Transfer – pass the impact of a loss event to a third party, e.g. insurance
4. Terminate – any action to stop an activity or leave a location that is creating the exposure
5. Take the opportunity – e.g. corporate mergers, new product development and R&D

5
Q

Risk-treatment includes loss-prevention and loss-reduction tools which can be categorised as PCDD. What is PCDD?

A

Preventive, corrective, directive and detective

6
Q

What are preventive controls?

A

Preventive – focus on addressing the causes of loss events and are a type of loss-prevention tool. They are designed to prevent things such as accidents, human error, misconduct, or other sources of hazard. Examples:

o Staff training
o Personal protective equipment
o Asset maintenance
o Shredding confidential documents
o Security arrangements (locks, passwords, etc.)

7
Q

What are corrective controls?

A

Corrective – help to correct the adverse consequences of a hazard or similar loss event; a type of loss-reduction tool. Examples:

o Near-misses
o Fire extinguishers
o Disciplinary procedures
o Business continuity and recovery
o Data recovery procedures

8
Q

What are directive controls?

A

Directive – used to enforce desirable outcomes. Examples:

o Health-and-safety policies and procedures
o Risk-management policies and procedures
o Code of conduct
o Instructions from line managers
o Roles and responsibilities

9
Q

What are detective controls?

A

Detective – give an indication that something is wrong. They function best when combined with other controls. Examples:

o Alarms
o Internal audit and compliance reviews
o Tests of business continuity and disaster
o Health and safety inspections
o Inventory checks
o Bank reconciliations

10
Q

What are formal controls?

A

Formal controls have one or more of the following characteristics:
* they have a physical presence, for example door locks or a sprinkler system;
* they are documented within a policy or procedure; or
* they involve tangible sanctions, such as disciplinary arrangements.

Formal controls provide a clear and tangible mechanism for risk control. They include a wide range of preventive, corrective, directive and detective controls.

Examples include:
- alarms
- automation
- business recovery plans

11
Q

What are informal controls?

A

Informal controls are social mechanisms of control. These controls are almost never documented and they do not have a physical presence. The sanctions for informal control violations are intangible, meaning that they are hard to define or quantify.

Informal controls include the culture and risk culture of an organisation. They relate to the social norms, beliefs, values and perceptions that staff members and other stakeholders have concerning the control of risk. For example, safety violations may be tolerated and justified in some organisations to avoid ‘unnecessary’ red tape. In other organisations, safety violations of any kind may not be tolerated because safety is seen as an essential part of a smooth, efficient and ethical operation.

Examples include:
- Soft skills training
- team building
- tone and action from the top

12
Q

What is risk financing?

A

Organisations use risk financing mechanisms to help fund the financial consequences of loss events.

13
Q

What is crisis management?

A

Crisis management is the process by which an organisation deals with a disruptive and potentially unexpected event that threatens to harm the organisation, its stakeholders or the general public.

The level of potential harm from a crisis is significant. Examples of crisis events include major fires, chemical spills, death or injury of people, terrorist attacks, prolonged technology systems failures or data breaches.

The process of crisis management is the same as for risk management. It involves the identification, assessment, monitoring and control of crisis risks. The tools used within the crisis-management process are different, however, because crisis events are rare and are more complex in terms of their causes and effects than most other loss events.

The control of crisis events is built around the following areas, each of which represents a different stage in the development of a crisis.

14
Q

What is a business continuity plan?

A

A business continuity plan outlines the actions that should be taken to minimise business disruption and to help recover from a major loss event as quickly as possible. For example, in the event that an organisation’s IT systems fail, the organisation will need to determine the priority systems that require rapid recovery, and agree recovery time objectives (the speed with which these systems must be recovered). The plan will show the order in which systems need to be recovered first and how quickly they must be recovered.

15
Q

Give examples of how you would control third-party risks.

A

- Contract management – legal review before signing
- Due diligence – comprehensive appraisal prior to signing a contract
- Relationship management – regular meetings
- Service level agreements – documented commitment