ERM IRM M1U3.1 Establishing Internal & External Context Flashcards
3 Components of Context
Hopkin and Thompson argue that there are three components of context:
the organisation’s risk management context
the internal context
the external context
ISO 31000 - Purpose of the establishing scope,the context and criteria
ISO 31000(2018)states that “the purpose of establishing the scope, the context and criteria is to customize the risk management process, enabling effective risk assessment and appropriate risk treatment. Scope, context and criteria involve defining the scope of theprocess andunderstanding the external and internal context”.
PESTLE risk classification system
Many organizations use the political, economic, social, technological, legal and environmental/ethical (PESTLE) risk classification system.
FIRM risk scorecard
The finance, infrastructure, reputation, marketplace (FIRM) risk scorecard provides a structure for carrying out a detailed evaluation of the context of the organization.
FIRM - Reputation - External
when evaluating the reputational component of the external context, the following issues should be addressed:
public perception of the industry sector in which the organization operates;
corporate social responsibility standards achieved by the organization;
governance standards and whether the sector is highly regulated;
quality of products or services and/or after-sales service standards.
FIRM - Marketplace- External
The other component of the FIRM risk scorecard relevant to the external environment is the marketplace and the level of presence of the organization within the marketplace. This will impact the level of customer trade or expenditure. In particular, when evaluating the marketplace component of the external environment, the following issues should be addressed: level of revenue generation in the marketplace and return on investment;
presence of aggressive competitors and/or high customer expectations;
level of economic stability, including exposure to interest rates and foreign exchange rates;
complexity of the supply chain and volatility of raw material costs;
exposure to disruption through either technology or geopolitical reasons (political risks, war and terroris
FIRM - Financial - Internal
. In particular, when evaluating the financial component of the internal context, the following issues should be addressed:
availability of adequate funds and future flows of funds to fulfil strategic plans;
existence of robust procedures for correct allocation of funds for investment;
nature of internal financial control environment to prevent fraud; availability of funds to meet historical and anticipated future liabilities.
FIRM - Infrastructure - Internal
The other component of the FIRM risk scorecard relevant to the internal context is infrastructure, as this influences the nature of the processes undertaken within the organization.
Infrastructure risks define the level of inefficiency and dysfunction that may arise during internal processes.
In particular, when evaluating the infrastructure component of the internal context, the following issues should be addressed:
senior management structure and the nature of the risk culture;
availability of adequate people resources and skills, including intellectual property;
availability of adequate physical assets to support operational activities;
information technology infrastructure sufficient to achieve resilience and protect data;
business continuity plans in place to ensure continuity of activities following major disruption;
arrangements for service delivery and/or transportation and reliable communication infrastructure.
Mechanism to evaluate context
SWAT and FIRM
Which risks PESTLE is most applicable?
More applicable to Hazard risks.
PESTLE should be used with SWOT analysis
PESTLE Pros and Cons
There are several advantages and disadvantages to the PESTLE approach. The advantages are as follows: simple framework; facilitates an understanding of the wider business environment; encourages the development of external and strategic thinking; anticipates future business threats; helps identify actions to avoid or minimize impact of threats; facilitates identification of business opportunities. However, there are certain disadvantages associated with the use of the PESTLE analysis as a means of identifying risks. These disadvantages are as follows: can over-simplify the amount of data used for decisions; needs to be undertaken on a regular basis to be effective; requires different people being involved with different perspectives; access to quality external data sources can be time-consuming and costly; difficult to anticipate developments that may affect an organization in the future;
ISO Stakeholder Definition
ISO Guide 73 defines a stakeholder as a ‘person or group concerned with, affected by, or perceiving themselves to be affected by an organization’.
Stakeholder Types
There will be a wide range of stakeholders in a typical organization that can be summarized as CSFSRS, as follows: customers; staff; financiers; suppliers; regulators; society.
Analysis of stakeholder expectations & BPR
The analysis of stakeholder expectations is also one of the fundamental requirements of the business process re-engineering (BPR) approach.
BPR is a technique to ensure that an organization has the most effective and efficient processes and operations.
A starting point for many BPR exercises is to identify stakeholders and their expectations.
Primary and Secondary Stakeholders
Primary and secondary stakeholders could include: Primary stakeholders: shareholders; employees; customers; suppliers.
Secondary stakeholders: government – central or local government bodies; media – press, broadcasters, online and especially social media; consumer groups, pressure groups, community groups; competito
