D7 CHIA Guide Risk Management Flashcards

(244 cards)

1
Q

What is project risk?

A

The potential that a circumstance could arise that alters the outcome of a project, affecting deliverables, timelines, and budgets.

Project risks can lead to a project’s failure if not managed properly.

2
Q

What factors can cause project risks?

A

Project risks can be caused by:
* Political factors
* Environmental factors
* Economic factors
* Social factors
* Technological factors
* Legal factors
* Internal factors like restructuring or illness

Examples include poor project management practices, supply chain delays, and major weather events.

3
Q

How does project risk differ from individual risk?

A

Individual risk refers to a single possible circumstance affecting a project; overall project risk refers to the possibility of any one or more circumstances occurring that might alter a project’s outcome.

4
Q

What is the PMBOK® Guide’s definition of risk?

A

An uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s objective.

5
Q

What is risk management in project management?

A

The process of identifying, assessing, and managing risks to reduce chances of drastic failure and allow for proactive problem-solving.

6
Q

What is the difference between implicit risk management and explicit risk management?

A

Implicit risk management deals with overall project risk tied to project management decisions, while explicit risk management focuses on unique risks to a specific project.

7
Q

What are positive risks in project management?

A

The potential for a circumstance to alter the outcome of a project positively, such as favorable environmental conditions or positive customer response.

8
Q

What is residual risk in project management?

A

The remaining level of risk present after steps have been taken to reduce the chances of risk events occurring.

9
Q

What is the role of a project manager regarding project risks?

A

To ensure successful project completion by identifying risks, avoiding them when possible, and mitigating their effects when unavoidable.

10
Q

What is the responsibility of a project sponsor regarding project risks?

A

To create competent teams, empower leaders to manage project risks, and ensure that managers are knowledgeable about risks.

11
Q

Fill in the blank: Project risks affect the outcomes of __________.

A

[individual projects]

12
Q

True or False: All risks in project management are negative.

A

False

13
Q

What types of risks are included in the broader context of business risks?

A

Business risks can affect:
* High-level financials
* Materials
* Employment
* Physical buildings of the business

Examples include new products not being well received or labor disputes.

14
Q

What approach can project managers take to identify project risks?

A

Implement risk management into everyday processes and encourage teams to look ahead to recognize and anticipate new possibilities.

15
Q

What is a risk event?

A

An event that, if it occurs, will alter the outcome of a process.

16
Q

What should project managers do when they identify a risk event?

A

Determine the likelihood of it occurring and decide whether to monitor, mitigate, or avoid it.

17
Q

Fill in the blank: The process of assessing the strengths, weaknesses, opportunities, and threats is known as a __________ analysis.

A

[SWOT]

18
Q

Three Lines Model for embedding risk management within an organisation

A
19
Q

What is the main goal of embedding risk management in an entity?

A

To influence decision making and behaviours.

20
Q

What are the key components to test how well risk management is embedded?

A
* Is a risk assessment part of key business processes?
* Is there a culture of openly discussing risks?
* Are risks communicated and managed collectively?
* How diligently are officials monitoring risks?
* Is there a senior champion for risk management?
* Are governance arrangements appropriately informed?
* Do officials reference the entity’s risk appetite in decisions?
* Are realized risks used to improve management?

21
Q

What should each activity or process in an entity begin with?

A

Objectives that link to the objectives of the entity.

22
Q

Fill in the blank: The initial focus of risk management might be identifying the risks to achieve _______.

A

[objectives]

23
Q

What is a practical strategy for embedding risk management?

A

Weave risk consideration into existing activities.

24
Q

How should risk management processes be tailored?

A

To the nature of risk in different business processes.

25
What is important for building staff awareness of risk management?
* Relevant risk management training
* Access to guidance materials
* Collaborative forums for sharing practices
26
What does 'tone from the top' refer to?
The influence of senior executives on the value staff perceive in risk management.
27
True or False: Rewarding those who manage risk well can encourage risk management adoption.
True
28
What model is commonly used for embedding risk management?
The 'Three Lines Model'.
29
What should a risk management framework provide?
* A risk appetite statement
* Clearly defined accountabilities
* A common vocabulary and process
30
What is a key step in embedding risk management?
Establish a staged plan with target maturity states.
31
Fill in the blank: Embedding risk management requires time because it involves changing _______.
[behaviours]
32
What are some examples of embedded risk management in common processes?
[specific examples not provided in the text]
33
What is a risk management framework?
A set of components that set out the entity's arrangements for designing, implementing, monitoring, reviewing, and continually improving risk management throughout an entity.
34
What is the purpose of a risk management policy?
To communicate to all stakeholders why and how an entity manages risk and to provide a clear mandate for the entity’s risk management framework.
35
What are the core elements of a risk management framework?
* An overarching risk management policy
* An overview of the entity’s approach to managing risk
* Key risk management responsibilities
* Risk reporting processes
* Attributes of the risk management culture
* Integration with business processes
* Managing shared risks
* Measuring risk management performance
* Periodic review and improvement of the framework
36
What should an effective risk management framework describe?
The risk management processes used in the entity, including risk identification, risk assessment, and risk treatment.
37
Who are the key risk management responsibilities typically defined in a risk management framework?
* Accountable Authority
* Chief Risk Officer
* Senior Executives
* Audit Committee
* Risk Committee
* Risk owners
* Control owners
* Treatment owners
* All staff
38
What is the importance of risk reporting?
To provide information on monitoring risk against the entity's objectives and to allow for escalation of risks if realized.
39
What does risk culture refer to?
The set of shared attitudes, values, and behaviours that characterize how an entity considers risk in its day-to-day activities.
40
What is a shared risk?
A risk where more than one entity is exposed to or can significantly influence the risk.
41
What elements should be included in a review of an entity's risk management framework?
* Reviewing the framework for fitness for purpose
* Mechanisms to measure compliance
* Review of the entity's risk profile
* Review of individual risks and their controls
42
What is risk appetite?
The amount of risk that an entity is willing to accept or retain in order to achieve its objectives.
43
List the benefits of defining risk appetite and tolerance.
* Supporting conscious and informed risk taking
* Promoting consistent risk management
* Guiding risk decision making
* Structuring executive conversations on risk taking
* Calibrating the entity risk assessment process
44
What are risk appetite statements?
A series of behavioural statements that guide decision makers about how much risk is acceptable in pursuit of business objectives.
45
Fill in the blank: Risk management is most effective when it is _______.
[aligned and integrated with other business processes]
46
True or False: There is a standard format for risk management frameworks across all entities.
False
47
What role does the accountable authority play in risk management?
Determines and articulates the entity’s risk appetite and tolerance, champions the risk management framework, and approves the enterprise risk profile.
48
What should be done to embed risk management into existing business processes?
Describe how the risk management program supports the achievement of objectives and integrates into business processes.
49
What is the role of risk owners?
Maintain responsibility for monitoring a specific risk and actively monitor the risk context.
50
Who is responsible for maintaining controls in risk management?
Control owners
51
What is the purpose of a risk management education and awareness program?
To ensure successful implementation of the risk management framework and enhance understanding among officials.
52
What are some typical risk management roles and responsibilities?
* All officials: Manage and escalate risks
* Accountable Authority: Establish risk appetite
* Senior Executives: Model risk management behaviours
* Audit Committees: Provide assurance of effectiveness
53
What should an entity do regarding shared risks?
Implement arrangements to understand and contribute to the management of shared risk.
54
What is the significance of embedding risk appetite within an entity?
It assists entities in making better choices by considering risk effectively in decision making.
55
What is the purpose of a risk appetite statement?
To outline the amount and type of risk an entity is willing to take to achieve its objectives.
A risk appetite statement typically includes a high-level statement of risk appetite and risk tolerance statements aligned with risk categories or strategic objectives.
56
What key questions should be considered when formulating a risk appetite statement?
* How much risk do we need to take to achieve our objectives?
* How much risk are we willing to take?
* What activities do we currently do to manage our risk and to what extent?
* Where do we need to do more?
* Where should we do less?
These questions help clarify the entity's approach to risk management.
57
What are the typical components of a risk appetite statement?
* Endorsement of senior executive
* Definition of risk appetite statement
* High-level statement of risk appetite
* Risk tolerance statements
Risk tolerance statements describe the relative level of tolerance for different categories of risk.
58
True or False: Risk tolerance statements are used to operationalise risk appetite statements.
True
They define specific limits for risk-taking behavior related to specific risk categories or strategic objectives.
59
What is the first step in developing a risk appetite statement?
Appoint a core reference group.
This group should consist of key subject matter experts, staff members, and senior leaders.
60
What should be reviewed to identify key risk themes in the risk appetite development process?
Current risk profile.
Understanding the current risk profile helps inform subsequent discussions on risk appetite and tolerance levels.
61
What is the role of senior executives in defining the risk appetite statement?
They provide a valuable reference point to discuss and agree on the overarching risk appetite.
Their input helps in defining risk tolerance statements for specific objectives.
62
What is essential for the final review and validation of risk appetite statements?
Governance committee validation.
Endorsement from an entity's Risk Committee is typically sought before statements take effect.
63
How can an entity effectively embed risk appetite and tolerance statements?
* Build on existing risk culture
* Ensure strong messaging from leaders
* Keep it simple
* Make statements easily accessible
These strategies help integrate risk appetite into daily practices.
64
What does the risk management process in AS/NZS ISO 31000:2018 involve?
* Identification
* Analysis
* Evaluation
* Treatment of risks
* Communication and consultation
* Monitoring and review
* Recording and reporting
This structured approach allows for uniform risk management.
65
What are the three core elements of risk management according to ISO 31000?
* Principles of good risk management
* Risk management framework
* Risk management process
These elements support effective risk management and the creation of value.
66
What is the first activity in establishing the risk management process?
Establish the scope, context and criteria.
This involves defining the objectives and influences of the risk management process.
67
What is the purpose of risk identification?
To develop a comprehensive list of uncertain future events that could impact objective achievement.
Risks should be documented with their potential causes and consequences.
68
What are current, emerging, and future risks?
* Current risks: Visible and realizable now
* Emerging risks: On the horizon, may affect soon
* Future risks: Further ahead, shape and scale unknown
Understanding these categories helps in comprehensive risk assessment.
69
What is risk analysis?
The process of rating the potential impact and likelihood of each risk.
It determines the severity of risks, which can be positive or negative.
70
Define inherent risk.
The level of risk to the organization before any mitigation measures are taken.
It reflects the risk before treatments or controls are implemented.
71
Define residual risk.
The level of risk that remains after controls have been put in place.
It indicates the effectiveness of risk management strategies.
72
What defines the specific matrix employed in an entity's risk management framework?
It should be considered and agreed in the ‘establish the scope, context and criteria’ step.
73
Why is it important for entities to assess all risks consistently?
To ensure effective communication and understanding of ownership and severity of shared risks.
74
What is the significance of interdependence in risk analysis?
It refers to how risks can affect each other and become more severe.
75
What does the speed of onset refer to in risk analysis?
It denotes how some risks are easier to identify as they develop over time.
76
Qualitative vs quantitative analysis: what is the primary difference?
Qualitative analysis does not rely on past data, while quantitative analysis uses historical data for likelihood and consequence calculations.
77
What does risk evaluation determine?
The tolerability of each risk.
78
How is tolerability different from severity?
Tolerability assists in determining which risks need treatment based on the level of risk an entity is willing to accept.
79
What is meant by risk appetite?
It refers to how much risk an organization is comfortable being exposed to.
80
What should a risk appetite statement articulate?
Details of when the entity is willing to accept higher levels of risk and the required level of control and monitoring.
81
Why is it important to consider the broader context of risk tolerability?
To understand the impact of the risk on other entities outside of the organization.
82
What is the primary goal of risk treatment?
To take action in response to risk evaluation when controls are deemed ineffective.
83
List common strategies for risk treatment.
* Avoiding the risk entirely
* Removing a source of the risk
* Sharing the risk with other parties
* Retaining the risk by informed decision
* Taking more risk to achieve objectives
* Modifying controls to change likelihood or consequence
84
What is a risk treatment plan?
A document that includes reasons for treatment selection, accountabilities, resource requirements, and monitoring needs.
85
True or False: Good risk communication is only about formal risk reporting.
False.
86
What attributes should good risk communication include?
* Encourages stakeholder engagement
* Maximizes information to reduce uncertainty
* Meets stakeholders' reporting needs
* Informs other entity processes
87
What is the purpose of a communication plan in risk management?
To ensure the right information is communicated to the right people at the right time.
88
What are the key objectives of risk monitoring and review?
* Detecting changes in the environment
* Identifying new or emerging risks
* Ensuring effectiveness of controls
* Learning from events
89
What should a risk report include?
* Environmental context analysis
* Risk assessment process
* Communication and consultation details
* Monitoring and review processes
90
What is the role of recording and reporting in risk management?
To communicate activities and outcomes, inform decision-making, and improve risk management.
91
What is risk culture?
A subset of organisational culture that shapes the collective approach to managing risk and making decisions.
It includes beliefs, values, and behaviours throughout an organisation.
92
What are the key factors that influence an entity's culture?
* Role models
* Explicit messages
* Incentives
* Symbols and actions
* Business strategy, risk appetite statement, and internal policies
* Education and training
These factors help shape how individuals view and manage risk.
93
Why are role models important in risk culture?
They display risk management behaviours that influence others, instilling values that become core beliefs about acceptable behaviour.
Both positive and negative behaviours can be modeled.
94
What role do explicit messages play in risk culture?
They set out expectations and influence behaviour through policies and procedures.
Important during recruitment and induction to communicate entity values.
95
How do incentives affect risk management behaviours?
They indicate how risk management is valued and encourage appropriate risk-taking behaviours.
Punishment for risk-taking can deter individuals from engaging in risk management.
96
What is the purpose of a risk culture survey?
To understand the current risk culture and provide a benchmark for measuring progress over time.
Surveys can highlight staff attitudes and identify root causes of undesirable behaviours.
97
What are the three broad stages of improving risk culture?
* Stage 1: Building awareness of risk culture
* Stage 2: Changing an entity’s culture
* Stage 3: Refining the entity’s culture
Each stage focuses on different aspects of cultural change.
98
What does Stage 1 of improving risk culture involve?
Establishing basic expectations for managing risk and defining roles and responsibilities.
Continuous communication from leadership is crucial.
99
What is the focus of Stage 2 in changing risk culture?
Developing and implementing practical strategies to achieve the desired risk culture.
This includes motivational systems to reward desired behaviours.
100
What is the goal of Stage 3 in refining risk culture?
Monitoring cultural performance against expectations and making adjustments as necessary.
This ensures the maintenance of a positive risk culture over time.
101
Fill in the blank: A positive risk culture is one where _______.
[everyone engages in informed risk taking within the entity’s appetite and tolerance for risk]
102
What is the role of a risk champion?
* Communicating risk information
* Supporting others in managing risk
* Identifying emerging opportunities
* Raising issues with leaders
* Hosting training sessions
Risk champions help foster a positive risk culture.
103
What is psychological safety in a team?
The belief that no one will be punished for speaking up with ideas, questions, concerns, or mistakes.
It encourages open communication about risks.
104
What should be included in regular status updates regarding risk?
A summary of key risks to identify emerging risks and draw attention from decision-makers.
This helps maintain a holistic view of the risk environment.
105
What are some effective habits to foster a risk intelligent culture?
* Clearly outline roles and responsibilities
* Conduct regular risk meetings
* Implement positive risk management practices
* Foster psychological safety
* Discuss preferred ways of working
These habits contribute to accountability and ownership in risk management.
106
True or False: Cultural change can successfully address more than 5 aspects of an entity’s culture in a 12 to 18 month period.
False
It is recommended to focus on a few key changes at a time.
107
What is a positive risk culture?
A positive risk culture is one where everyone in the team manages risk as part of their day-to-day work.
It encourages informed risk-taking through decisions aligned with the organization's appetite and tolerance for risk.
108
How can risk practitioners develop a positive risk culture?
* Defining the desired risk culture behaviours
* Leveraging data to measure, monitor and evaluate the risk culture
* Changing risk behaviours across the organisation
* Supporting the business and leadership in enabling an effective risk culture
These actions help in shaping the organization's approach to risk management.
109
What is risk culture?
Risk culture is the component of an organisation’s culture that encourages informed risk taking through decisions made within the entity’s appetite and tolerance for risk.
110
What should be considered when defining the target risk culture state?
* Desired behaviours (what people do)
* Mindsets (what people think and feel)
This definition should support the values, strategy, and risk appetite of the organisation.
111
What are some open-ended questions to define desired behaviours and mindsets?
* What should people stop doing to manage risk effectively?
* What should people start doing to manage risk effectively?
* What should people continue to do to manage risk effectively?
* How should people think and feel about risks and risk management?
* How should people within the organisation speak about and communicate risks?
112
Why is measuring and reporting risk culture important?
It helps understand the current risk culture state and the drivers of behaviours that create a gap between the current and target risk culture states.
113
What types of data can be used to measure risk culture?
* Surveys
* Interviews
* Focus groups
* Business data
Perception-based data helps illuminate beliefs, norms, and perceptions impacting risk outcomes.
114
What should be done before collecting data on risk culture?
Define areas of interest and develop questions that align with the desired state of behaviour and mindsets in relation to risk.
115
What strategies can be employed to get senior leadership buy-in for a risk culture assessment?
* Identifying a champion in the senior leadership team
* Linking risk culture with the risk and organisational strategy
* Involving senior leadership in survey planning and design
* Planning data collection at appropriate times for senior leaders
116
What is data triangulation?
Data triangulation is looking for common findings between data sources to draw conclusions and validate findings.
117
What are some tips for reporting on risk culture to leadership?
* Simplify the data presentation
* Summarise key themes and insights
* Showcase data using graphics and tables
* Use perception-based language in reports
* Seek feedback from executives on the report
118
What is required for creating sustained changes in mindsets and behaviours?
A gradual, multifaceted process focusing on shaping the environment and removing barriers to elicit desired behaviour.
119
What are change levers in the context of risk culture?
* Changes to governance, systems, and processes
* Enhancing organisational communications and relationships
* Identifying mechanisms to motivate desired behaviours
* Targeting individual capability and competency
120
What role do senior leaders play in risk culture?
Senior leaders set the tone for risk, influencing accepted workplace behaviours and shaping the organisation’s risk culture.
121
What does psychological safety mean in the context of risk management?
Psychological safety is the belief that no one will be punished or humiliated for speaking up with ideas, questions, concerns, or mistakes.
122
How can leaders foster an environment of psychological safety?
* Upholding standards of respect
* Sharing learnings and failures
* Actively seeking feedback
* Ensuring mechanisms for raising grievances are in place
* Taking a just approach to wrongdoings
123
What are some competencies that contribute to positive risk leadership?
* Decision-making
* Communication
* Support and embedding risk management
* Living the values of risk management
124
What is the importance of aligning risk culture with strategy?
It ensures that the level of acceptable risk aligns with the entity’s strategy and informs decision-making at all levels.
125
What aspects should be included in risk culture measurement?
* Attitudes
* Behaviours
* Decisions related to risk-taking and risk management
126
What is the relationship between leadership and risk culture?
Leaders influence the risk culture through their communication and role modelling of desired behaviours.
127
What is the primary goal when seeking to change the risk culture?
To bridge the gap between the current and target risk culture state.
128
Which channels influence people when changing risk culture?
* Role modelling
* Messaging
* Symbolic actions and stories
* Incentives
129
What must be aligned to facilitate risk intelligent decision making?
Policies, processes, systems, and technology.
130
How can understanding mindsets and behaviours enhance risk culture?
By creating change to enhance risk intelligent decision making.
131
Who provides one of the most effective levers for changing behaviours in risk culture?
Senior leaders.
132
What are two ways senior leaders can influence risk culture?
* Communication (what they say)
* Role modelling (what they do)
133
True or False: Senior leaders' actions only influence risk culture through what they say.
False.
134
What is the focus of the content provided by Comcover?
Managing risk and internal accountability under the PGPA Act.
135
What are the elements of embedding risk management according to Comcover?
* Element 1: Embedding Risk Management
* Element 2: Risk Management Framework
* Element 3: Risk Culture
* Element 4: Risk Responsibilities
* Element 5: Control Effectiveness
* Element 6: Shared Risks
* Element 7: Emerging Risks
* Element 8: Risk Management Capability
* Element 9: Reviewing a Risk Management Approach
136
Fill in the blank: The benefits of an active risk culture are detailed in _______.
[Embedding an active risk culture Part 2]
137
What does RMG 211 refer to in the context of Comcover?
Risk Management Guidelines.
138
What type of events or training does Comcover currently have scheduled?
No events/training is currently scheduled.
139
What is the last updated date mentioned for the content?
27 April 2023.
140
What is the significance of understanding the root causes of mindsets and behaviours?
It helps in creating change that strengthens an organisation's risk culture.
141
What is a control?
Any process, policy, device, system, practice or other action to modify the likelihood or consequence of a risk or detect if a risk is happening
142
What must be periodically reviewed to assess control effectiveness?
The effectiveness of controls
143
Who are the three key roles in risk management?
Risk Owners, Control Owners, Treatment Owners
144
What are the responsibilities of Risk Owners?
Managing, monitoring, reporting and escalating risks
145
What is the role of Control Owners?
Implementing and maintaining effective controls, assessing their effectiveness, and reporting to Risk Owners
146
What do Treatment Owners do?
Implement and monitor treatments for ineffective controls
147
Fill in the blank: Preventative controls reduce the likelihood of ______ occurring.
[causes of the risk]
148
What type of controls identify failures in the risk management environment?
Detective controls
149
What do corrective controls do?
Mitigate consequences and/or rectify failures after they are discovered
150
What is a common mistake regarding controls?
Assuming everything done by the team is a control
151
What are critical controls?
Controls crucial to preventing a risk or mitigating its consequences
152
What questions help determine if a control is critical?
* Does the control represent a significant barrier?
* Is it the only barrier?
* Does it prevent multiple threats?
* Does it operate independently?
153
What should controls be reflective of?
The size, nature, and risk profile of the entity
154
What is a Control Profile?
A document that includes control name, purpose, relevant risk, control owner, activities, and testing methods
155
True or False: If a risk has not happened, it means all controls are effective.
False
156
What is the most effective way to determine control effectiveness?
Developing a regular testing program based on documented evidence
157
What are some common methods of control effectiveness testing?
* Spot checks/routine tests
* Pressure testing
* Assurance reviews/health checks
* Internal audit/Management Initiated Review
158
Who can undertake control effectiveness testing?
Control owners, framework owners, control advisory team, peer reviews, internal audit function, regulators
159
What does a system of control refer to?
A group of controls within an entity
160
What characteristics define a good system of controls?
* Reliable to prevent risks
* Formally documented and understood
* Clear ownership
* Regularly reviewed and monitored
161
What is the first step in a control effectiveness review?
Understand the control's purpose and the risk it aims to mitigate
162
What is the purpose of gathering evidence in a control effectiveness review?
To test whether the control is having its intended effect
163
What scale can be used to evaluate control effectiveness?
Effective, Partially Effective, Ineffective
164
What should be updated after a control effectiveness review?
The risk register
165
What is an active risk culture?
An organizational culture that actively identifies, assesses, and manages risks
166
What are the benefits of an active risk culture?
Enhances decision-making and improves organizational resilience
167
What is the purpose of the Commonwealth Risk Management Framework?
To provide a structured approach to risk management across Commonwealth entities
168
What does RMG 211 Element 1 focus on?
Embedding Risk Management
169
What does RMG 211 Element 3 emphasize?
Risk Culture
170
What is the role of the Commonwealth Risk Committee?
To oversee risk management practices and ensure compliance with the framework
171
Fill in the blank: RMG 211 Element 5 focuses on _______.
Control Effectiveness
172
List the elements of RMG 211.
* Element 1: Embedding Risk Management * Element 2: Risk Management Framework * Element 3: Risk Culture * Element 4: Risk Responsibilities * Element 5: Control Effectiveness * Element 6: Shared Risks * Element 7: Emerging Risks * Element 8: Risk Management Capability * Element 9: Reviewing a Risk Management Approach
173
What is Comcover?
The Australian Government's self-insurance scheme
174
True or False: The Commonwealth Awards for Excellence in Risk Management are held annually.
True
175
What type of information can be found in Comcover Insurance Factsheets?
Details about various insurance products and services
176
What does the term 'risk appetite' refer to?
The level of risk an organization is willing to accept in pursuit of its objectives
177
What is meant by 'organisational resilience in a crisis'?
The ability of an organization to anticipate, prepare for, respond to, and recover from adverse situations
178
What does the term 'indemnity' refer to in insurance?
A security or protection against a financial loss or legal liability
179
What is the purpose of the 'Claims Management' process?
To handle and resolve claims made against an insurance policy
180
What is the significance of the Department of Defence in risk management?
It plays a crucial role in managing risks associated with national security
181
What is included in the Information Sheet - Cyber Risk?
Guidelines for managing risks associated with cyber threats
182
What is the purpose of a risk management framework?
Sets the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management capability.
183
When should a risk management framework be reviewed?
Regularly, depending on the nature of the entity’s operations and changes in risk exposure.
184
What factors might necessitate a more frequent review of a risk management framework?
* Significant changes in the entity * Increased exposure to risk * Identification of near misses and incidents.
185
What is the typical frequency for conducting a comprehensive review of a risk management framework?
Up to every 3 years.
186
Who is typically responsible for conducting a review of the risk management function?
The entity’s risk function or designated risk role.
187
What is an independent review of the risk management framework intended to provide?
A fresh perspective and assurance that the framework is effective.
188
What are the four key considerations when establishing the scope of a risk management framework review?
* Efficient identification of risks * Contextual consideration of objectives and processes * Adequate treatment and control of risks * Regular monitoring and review.
189
What are the three levels of review in a risk management framework?
* Level 1: Regular checking and monitoring * Level 2: Management review * Level 3: Independent review.
190
What activities are included in the planning for a risk management framework review?
191
What is meant by 'risk profile'?
A description of any set of risks related to the whole entity or specific parts.
192
What can cause a change in an entity’s risk profile?
* Changes in internal context * Changes in external context.
193
What are the implications of a change in risk profile for a risk management framework?
The framework should be reviewed to ensure it aligns with the updated risk profile.
194
What are Key Performance Indicators (KPIs) in risk management?
Measures of progress toward an intended result that help focus attention on critical areas.
195
What types of KPIs can be used in reviewing an entity’s risk management arrangements?
* Qualitative * Quantitative * Lagging * Leading.
196
What are the steps to develop effective KPIs for a risk management framework?
* Identify risk management objectives * Identify data needs and availability * Develop indicators.
197
What are characteristics of good KPIs?
* Measurable * Provide objective evidence * Allow for trends analysis * Track efficiency, effectiveness, and quality.
198
Fill in the blank: A risk management framework should be ______ to reflect changes in risk exposure.
reviewed.
199
True or False: An independent review must always be conducted by external auditors.
False.
200
What should an entity do if its risk appetite changes?
Review the risk management framework to align with the new risk appetite.
201
What is the role of senior executives in the review of a risk management framework?
Engage on risk and leverage changes for better business outcomes.
202
What should be included in the risk escalation and reporting cycle?
Consideration of changes in the entity’s risk profile and exposure.
203
What are the characteristics of good KPIs?
* Capable of being measured * Provide objective and quantitative evidence * Allow for trends analysis and performance comparison over time * Track efficiency, effectiveness, and quality
Good KPIs contribute to effective risk management and performance assessment.
204
What should an entity outline regarding KPIs?
Trigger levels and thresholds that determine the need for review or escalation
This ensures timely responses to changes in performance.
205
What factors are important in determining methodology for KPIs?
* How data will be collected * When and how often data will be collected * Responsibility assigned for data ownership, collection, and analysis
Clear methodology aids in effective monitoring and reporting.
206
How often should performance be tracked?
Timely intervals such as quarterly, bi-annually, or annually
Regular tracking is essential for systematic performance evaluation.
207
What should monitoring and performance reporting meet?
The needs of stakeholders
Stakeholder needs guide the effectiveness and relevance of performance reporting.
208
What should be done whenever there is a change in the risk management framework?
Review and update KPIs to ensure relevance and alignment with desired performance
Continuous improvement of KPIs aligns them with evolving objectives.
209
What does the number of risks with negative consequences realised over a 12-month period indicate?
* Effectiveness of the framework * Effectiveness of escalation processes * Sufficiency in information/knowledge sharing * Staff engagement * Effectiveness of incentives, rewards or recognitions * Adequacy and quality of training and induction programs
This KPI helps assess the overall effectiveness of risk management.
210
What does the risk training completion rate measure?
Staff engagement and awareness of the entity’s risk management practices
High completion rates indicate strong engagement with risk management.
211
What is assessed by the number of overdue mitigation actions?
* Effectiveness of current mitigating strategies * Effectiveness of escalation processes * Adequacy of risk monitoring * Efficiency of resource allocation * Effectiveness of implementation * Sufficiency in information/knowledge sharing
This KPI highlights potential gaps in risk management strategies.
212
What does the number/percentage of incomplete or incorrect risk assessments evaluate?
* Compliance with the risk management process * Effectiveness of implementation * Effectiveness of risk management training and guidance materials * Adequacy of risk monitoring * Management involvement
This KPI indicates the quality of risk assessment practices.
213
What is critical for stakeholders regarding KPIs?
Understanding how the indicators measure progress towards achieving objectives
Clear communication of KPIs ensures stakeholder engagement and support.
214
What is a practical tip for communicating KPIs?
Identify the most effective method or channel to communicate KPIs
Engaging communication enhances stakeholder understanding and involvement.
215
What should be established for reviewing KPIs?
A mechanism to regularly review KPIs for effectiveness and relevance
Regular review ensures that KPIs adapt to changing circumstances.
216
Fill in the blank: The successful implementation of a risk management framework is underpinned by effective _______.
monitoring, review, and evaluation of applicable KPIs.
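The KPI cards above (trigger levels, tracking intervals, realised risks over 12 months, training completion, overdue mitigation actions, incomplete assessments) describe a monitoring loop without showing one. The following is an added example written for this page; it is not code from RMG 211, Comcover, or the IEC 80001-1 study. The record fields, KPI names, threshold values and the sample register are assumptions constructed for illustration.

```python
# Added illustration for this page (not code from RMG 211, Comcover or any cited study).
# Field names, thresholds and the sample register are assumptions made up for the example.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Control effectiveness scale used by the review cards on this page.
RATINGS = ("Effective", "Partially Effective", "Ineffective")


@dataclass
class Risk:
    risk_id: str
    title: str
    control_rating: str                 # outcome of the last control effectiveness review
    assessment_complete: bool           # False = incomplete or incorrect risk assessment
    realised_on: Optional[date] = None  # date the negative consequence actually occurred


@dataclass
class Action:        # a mitigation action recorded against a risk
    risk_id: str
    due: date
    done: bool


@dataclass
class Training:      # one staff member's risk training status
    staff_id: str
    done: bool


# Trigger levels (assumed values). "max": escalate when value exceeds the limit;
# "min": escalate when value falls below it.
THRESHOLDS = {
    "realised_risks_12m": ("max", 3),
    "training_completion_rate": ("min", 0.90),
    "overdue_actions": ("max", 1),
    "incomplete_assessment_pct": ("max", 0.10),
}


def realised_risks_12m(risks: List[Risk], as_of: date) -> int:
    """Count risks whose negative consequence was realised in the 12 months up to as_of."""
    window_start = as_of - timedelta(days=365)
    return sum(1 for r in risks if r.realised_on and window_start < r.realised_on <= as_of)


def training_completion_rate(records: List[Training]) -> float:
    return sum(1 for t in records if t.done) / len(records) if records else 0.0


def overdue_actions(actions: List[Action], as_of: date) -> int:
    return sum(1 for a in actions if not a.done and a.due < as_of)


def incomplete_assessment_pct(risks: List[Risk]) -> float:
    return sum(1 for r in risks if not r.assessment_complete) / len(risks) if risks else 0.0


def control_rating_summary(risks: List[Risk]) -> Dict[str, int]:
    """Tally of the register by control effectiveness rating; rejects unknown ratings."""
    summary = {rating: 0 for rating in RATINGS}
    for r in risks:
        if r.control_rating not in summary:
            raise ValueError(f"unknown rating {r.control_rating!r} on {r.risk_id}")
        summary[r.control_rating] += 1
    return summary


def compute_kpis(risks, actions, training, as_of: date) -> Dict[str, float]:
    return {
        "realised_risks_12m": realised_risks_12m(risks, as_of),
        "training_completion_rate": training_completion_rate(training),
        "overdue_actions": overdue_actions(actions, as_of),
        "incomplete_assessment_pct": incomplete_assessment_pct(risks),
    }


def escalations(kpis: Dict[str, float], thresholds=THRESHOLDS) -> List[str]:
    """Names of KPIs that have crossed their trigger level and need escalation."""
    hits = []
    for name, (kind, limit) in thresholds.items():
        value = kpis[name]
        if (kind == "max" and value > limit) or (kind == "min" and value < limit):
            hits.append(name)
    return sorted(hits)


def trend(previous: Dict[str, float], current: Dict[str, float]) -> Dict[str, float]:
    """Period-on-period change per KPI, for trend analysis across quarterly reviews."""
    return {k: round(current[k] - previous[k], 3) for k in current}


# Constructed sample register for one quarter (not real entity data).
AS_OF = date(2024, 6, 30)
RISKS = [
    Risk("R1", "Unpatched internet-facing server", "Partially Effective", True, date(2024, 2, 14)),
    Risk("R2", "Phishing of finance staff", "Effective", True, date(2023, 3, 1)),  # older than 12 months
    Risk("R3", "Cloud credential leakage", "Ineffective", False),
    Risk("R4", "Critical vendor outage", "Effective", True, date(2024, 5, 20)),
]
ACTIONS = [
    Action("R1", date(2024, 5, 1), False),   # overdue
    Action("R3", date(2024, 7, 15), False),  # not yet due
    Action("R3", date(2024, 4, 1), False),   # overdue
    Action("R4", date(2024, 3, 1), True),    # completed
]
TRAINING = [Training(f"S{i}", i <= 8) for i in range(1, 11)]  # 8 of 10 staff trained

if __name__ == "__main__":
    kpis = compute_kpis(RISKS, ACTIONS, TRAINING, AS_OF)
    print("KPIs:", kpis)
    print("escalate:", escalations(kpis))
    print("controls:", control_rating_summary(RISKS))
```

On the constructed register this reports two realised risks (R2 falls outside the 12-month window), two overdue actions, an 80% training completion rate and one in four assessments incomplete; the last three cross their trigger levels and are listed for escalation, while the realised-risk count stays within tolerance. Keeping the thresholds in one table, separate from the KPI functions, is what lets them be reviewed and updated whenever the framework or risk appetite changes, as the cards above require.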
217
What is the primary aim of the presented work?
To develop and evaluate a catalogue of measures and indicators to help hospitals implement and evaluate risk management in accordance with IEC 80001-1.
218
What does a two-star symbol indicate in the catalogue?
The measure or indicator is 'very important'.
219
What is the main contribution of the study to the field of IT risk management?
Providing a detailed catalogue for stepwise implementation and evaluation of IT risk management for medical devices.
220
What was the method used to evaluate the effectiveness of the measures in the case study?
Written surveys and a guided group interview.
221
How many qualitative interviews were conducted in the first research step?
2 qualitative oral interviews and 20 qualitative written interviews.
222
What are the three criteria used to evaluate the effectiveness of each implementation recommendation?
Effectiveness, complexity, and satisfaction.
223
What does the traffic light symbol in the catalogue represent?
The level of complexity of implementing a measure or indicator.
224
What is the aim of the IEC/TR 80001-2-7 report?
To guide hospitals in self-assessing their conformance with IEC 80001-1.
225
Fill in the blank: The catalogue aims to provide hospitals with a _______ for IEC 80001-1 implementation.
cookbook.
226
What aspect of IT risk management does IEC 81001-5-1 focus on?
Security activities in the product life cycle for health software and health IT systems.
227
What is the main purpose of the catalogue developed in the study?
To help hospitals implement and evaluate risk management for medical devices connected to a hospital IT network
The catalogue includes 49 measures and 18 indicators.
228
How many relationships were identified between measures and indicators?
Six relationships
These relationships were identified through qualitative content analysis.
229
What percentage of measures were successfully implemented in the case study?
78% (n=38)
Out of 49 measures, 38 were implemented.
230
What was the satisfaction rate with the catalogue's descriptions and instructions for measures?
96%
Satisfaction was 100% for indicators.
231
What complexity level was mainly reported for the implementation of measures?
Low (55%)
Implementation complexity for indicators was exclusively low (100%).
232
What does the catalogue help IT risk managers control?
The complexity of implementing IT risk management according to IEC 80001-1.
233
True or False: The catalogue offers a valid causal relationship between measures and indicators.
False
The indicators are based on estimates and assumptions drawn from expert opinion.
234
What method was used to develop and validate the catalogue?
Delphi method
This method combines qualitative and quantitative research.
235
How many rounds of expert interviews were necessary to reach a consensus in the Delphi study?
Two rounds.
236
What is one of the strengths of the method used in the study?
The self-evaluating character of the Delphi method.
237
Fill in the blank: The catalogue is influenced by both versions of _______.
IEC 80001-1.
238
What are hospitals advised to include in their risk management according to the catalogue?
All medical devices integrated into an IT network.
239
What aspect of the catalogue addresses the needs of hospitals?
It provides a stepwise implementation approach with detailed descriptions and recommendations.
240
What further work is proposed regarding the catalogue's relevance beyond German-speaking countries?
Evaluating its applicability in other countries.
241
What new trends in digitalisation are mentioned as challenges for IT risk management?
Artificial intelligence and the Internet of Things.
242
What percentage of measures were reported to need moderate resources?
22%.
243
What is the main conclusion of the study?
The catalogue assists hospitals in implementing and evaluating IT risk management for medical devices according to IEC 80001-1.
244
What does the catalogue provide to assess the effectiveness of implemented measures?
Concrete indicators.