Module 1, Unit 1 Key concepts in RM Flashcards

Distinguish between Risk and Risk Management

1
Q

What is the ISO 31000 definition of risk management?

A

Coordinated activities to direct and control an organisation with regard to risk.

2
Q

Name some risk specialisms

A

Project
Clinical/Medical
Energy
Financial
IT
Information security

3
Q

Give the ISO Guide 73 definition of risk

A

The effect of uncertainty on objectives. The effect may be positive, negative or a deviation from the expected.
Risk is often described in terms of an event, a change in circumstances or a consequence.

4
Q

Explain the inherent level of risk

A

The level of risk before any actions have been taken to change the likelihood or magnitude of the risk

Sometimes referred to as the ‘gross’ or absolute risk.

5
Q

Explain the residual level of risk

A

The level of risk after initial control measures have been put in place

The current or residual level of risk is sometimes referred to as the ‘net’ or the managed level of risk.

6
Q

Explain the target level of risk

A

The level of risk that is desired or will be obtained with the application of further control measures

7
Q

Name the four areas of improvement that managing risks can bring to an organisation (STOC), and explain why

A

Strategy: Because the risks associated with different strategic options will be fully analysed, better strategic decisions will be reached.
Tactics: Because consideration will have been given to selection of the tactics and the associated risks involved, available alternatives can be evaluated.
Operations: Because events that can cause disruption will be identified in advance and actions taken to reduce their likelihood of occurring, the damage caused by these events will be limited and the costs contained.
Compliance: This will be enhanced because the risks associated with failure to achieve compliance with statutory and customer obligations will be addressed.

8
Q

What is an organisation's approach to assess, pursue, retain, take or turn away from risk called?

A

Risk Attitude

9
Q

What is the amount and type of risk an organisation is willing to take in order to pursue or retain its objectives?

A

Risk Appetite

10
Q

Define the word 'impact' and what it affects (acronym)

A

How the event affects the finances, infrastructure, reputation and/or marketplace (FIRM) of the organisation.

11
Q

Define a cause

A

Orange Book (OB): an element which, alone or in combination, has the potential to give rise to the risk.

12
Q

Define an event

A

An occurrence or change of circumstances (it can be something expected that does not happen, or something unexpected that does happen).
Events can have multiple causes and consequences, and can affect multiple objectives.

13
Q

Define a consequence

A

Consequences are the outcome of an event affecting objectives ('should the event happen'). They can be certain or uncertain, can have positive or negative, direct or indirect effects on objectives, can be expressed qualitatively or quantitatively, and can escalate through cascading and cumulative effects.

14
Q

What is the difference between risk and risk management?

A

Risks are the uncertainties that matter, i.e. the effect on objectives, considering both sides of the coin: threats and opportunities.
ISO 31000 defines risk management as:
'Coordinated activities to direct and control an organisation with regard to risk.'
Effective risk management helps organisations to identify, understand and manage their risks, thereby maximising the likelihood of achieving their objectives. This is the first and overriding purpose of risk management.

15
Q

What is ERM?

A

Enterprise Risk Management (ERM) recognises that risks in one area can relate to risks occurring elsewhere, and that these links and relationships need to be managed just as much as individual risks in isolation.

It is also a strategic business discipline that supports the achievement of an organisation's objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.

16
Q

Name some risk specialisms

A

Insurance, health and safety, information technology and financial risk management.

ERM was developed to overcome the silo-based approach of managing each specialism in isolation.

17
Q

Name the three recognised international standards and frameworks

A

ISO 31000 (2018)
COSO (2004 and 2017)
Orange Book (2023)

18
Q

Name the three important historic events in the development of RM

A

Introduction of the Hindu-Arabic numbering system in Europe
* This was the first numbering system to allow advanced calculations in hundreds, thousands and negative numbers, and provided the basis for modern mathematics and science.

Invention of probability theory (17th century)
* Developed first for games of chance and gambling (dice, cards).
* Used to calculate mathematically the odds of winning (probability theory), which meant people could make predictions and theories with the help of numbers.

Growth of modern bureaucratic states (19th century)
* States began to collect large quantities of information, such as economic affairs and population statistics, which generated the data used to analyse and predict a wide variety of events.

19
Q

What are the four areas of improvement an organisation can achieve by using RM?

These are also the four CORE areas (acronym)

A

STOC
Strategy: Because the risks associated with different strategic options will be fully analysed, better strategic decisions will be reached.

Tactics (actions): Because consideration will have been given to selection of the tactics and the associated risks involved, available alternatives can be evaluated.

Operations: Because events that can cause disruption will be identified in advance and actions taken to reduce their likelihood of occurring, the damage caused by these events will be limited and the costs contained.

Compliance: This will be enhanced because the risks associated with failure to achieve compliance with statutory and customer obligations will be addressed.

20
Q

Name some soft and hard benefits of risk management

A

Soft: People benefits such as improving working relationships
Hard: Higher return on investment.

21
Q

What is the importance and value (benefits) of RM from a governance perspective?

A

Complies with legal and regulatory requirements
Enhances corporate governance
Embeds the risk process throughout the organisation
Rationalises capital

22
Q

What is corporate governance?

A

The system of rules, practices and processes by which an organisation is directed and controlled.

23
Q

What is the difference between impact and magnitude?

A

Magnitude is the inherent level of the event whilst impact can be considered to be the risk managed level.

24
Q

Define 'impact' (how the event affects... acronym)

and 'consequences' (the extent to which the event results in failure to achieve... acronym)

A

Impact is used to define how the event affects the finances, infrastructure, reputation or marketplace of the organisation (FIRM).

Consequence is used to indicate the extent to which the event results in failure to achieve efficient and effective strategy, tactics, operations and compliance (STOC).

25
What are the time frames associated with long-, medium- and short-term impacts?
Long term: the impact is felt several years later, e.g. the launch of a new product.
Medium term: the impact is felt some time after the event, typically about a year, e.g. a project or programme of work.
Short term: the impact is felt immediately after the event, e.g. an accident at work.
26
Give a definition of risk management
ISO Guide 73: Co-ordinated activities to direct and control an organisation with regard to risk.
IRM: The process which aims to help organisations understand, evaluate and take action on all their risks with a view to increasing the probability of success.
HM Treasury: All the processes involved in identifying, assessing and judging risks, assigning ownership, taking actions to mitigate or anticipate them, and monitoring and reviewing progress.
LSE: The selection of those risks a business should take and those which should be avoided or mitigated, followed by action to avoid or reduce risk.
Hopkin: The set of activities within an organisation undertaken to deliver the most favourable outcome and reduce the volatility or variability of that outcome.
27
What are the 4 T's?
Tolerate
Treat
Transfer
Terminate
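How the inherent, residual and target levels of risk (cards 4 to 6), the risk appetite (card 9) and the 4 T's fit together, as an added worked example that is not part of the course flashcards. The 1-5 scales, the likelihood x magnitude score, the sample register entries and the order in which the T's are tried are all assumptions chosen for illustration; the cards prescribe no particular scale or ordering.

```python
"""Inherent, residual and target risk levels, risk appetite and the 4 T's.

Added illustration, not part of the course flashcards. The 1-5 scales, the
score = likelihood x magnitude rule, the appetite threshold and the order in
which the 4 T's are tried are assumptions made for this example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Control:
    """An act, object or system that modifies a risk. If it changes neither
    likelihood nor magnitude it is not a control (SATARLA step 3)."""
    name: str
    likelihood_reduction: int = 0
    magnitude_reduction: int = 0


@dataclass
class Risk:
    title: str
    likelihood: int                 # 1 (rare) .. 5 (almost certain), assumed scale
    magnitude: int                  # 1 (negligible) .. 5 (severe), assumed scale
    firm: str                       # impact area: Finances, Infrastructure, Reputation or Marketplace
    existing: list[Control] = field(default_factory=list)   # controls already in place
    planned: list[Control] = field(default_factory=list)    # further controls not yet applied
    transferable: bool = False      # e.g. insurable or contractually transferable (assumed flag)


def _clamp(x: int) -> int:
    return max(1, min(5, x))


def _level(likelihood: int, magnitude: int) -> int:
    # IRM: risk is the combination of the probability of an event and its consequences
    return _clamp(likelihood) * _clamp(magnitude)


def _after(risk: Risk, controls: list[Control]) -> tuple[int, int]:
    lk = risk.likelihood - sum(c.likelihood_reduction for c in controls)
    mg = risk.magnitude - sum(c.magnitude_reduction for c in controls)
    return _clamp(lk), _clamp(mg)


def inherent_level(risk: Risk) -> int:
    """Gross or absolute risk: before any control has been applied."""
    return _level(risk.likelihood, risk.magnitude)


def residual_level(risk: Risk) -> int:
    """Net or managed risk: after the existing controls."""
    return _level(*_after(risk, risk.existing))


def target_level(risk: Risk) -> int:
    """Level expected once the planned controls are also in place."""
    return _level(*_after(risk, risk.existing + risk.planned))


def treatment(risk: Risk, appetite: int) -> str:
    """Choose one of the 4 T's against the appetite, the score the organisation
    is willing to retain. Tolerate if already within appetite; Treat if the
    planned controls would bring it within appetite; otherwise Transfer where
    that is possible, else Terminate the activity. (Ordering is an assumption.)"""
    if residual_level(risk) <= appetite:
        return "Tolerate"
    if target_level(risk) <= appetite:
        return "Treat"
    if risk.transferable:
        return "Transfer"
    return "Terminate"


def sample_register() -> list[Risk]:
    """Constructed sample data for the example (not real assessments)."""
    return [
        Risk("Ransomware on file servers", 4, 5, "Infrastructure",
             existing=[Control("Offline backups", magnitude_reduction=2)],
             planned=[Control("Phishing-resistant MFA", likelihood_reduction=2)]),
        Risk("Supplier insolvency", 3, 4, "Finances",
             existing=[Control("Dual sourcing", magnitude_reduction=1)],
             transferable=True),
        Risk("Data breach fines", 2, 5, "Finances",
             existing=[Control("Encryption at rest", likelihood_reduction=1)]),
    ]


def summarise(register: list[Risk], appetite: int) -> dict[str, tuple[int, int, int, str]]:
    """Title -> (inherent, residual, target, treatment) for a register."""
    return {r.title: (inherent_level(r), residual_level(r), target_level(r), treatment(r, appetite))
            for r in register}


if __name__ == "__main__":
    for title, row in summarise(sample_register(), appetite=8).items():
        print(f"{title:30} inherent={row[0]:2} residual={row[1]:2} target={row[2]:2} -> {row[3]}")
```

With the sample register and an appetite of 8, the ransomware risk is Treated (its target level after planned MFA falls within appetite), supplier insolvency is Transferred (no planned control brings it within appetite, but it is insurable), and the data breach risk is Tolerated (already within appetite after existing controls). Lowering the appetite changes the answers, which is the point: the 4 T's are only meaningful relative to a stated appetite.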
28
What are the principles of a successful risk management FRAMEWORK? (acronym)
PACED:
Proportionate to the level of risk in the organisation
Aligned with other business activities
Comprehensive, systematic and structured
Embedded within business procedures and protocols
Dynamic, iterative and responsive to change
29
What are the desired outputs/objectives of risk management? (acronym)
MADE2:
Mandatory obligations placed on the organisation are complied with
Assurance regarding the management of significant risks
Decision making that pays full regard to risk considerations
Effective and Efficient core processes (STOC)
30
How does effective risk management help the organisation?
It helps organisations to identify, understand and manage their risks, thereby maximising the likelihood of achieving their objectives. This is the first and overriding purpose of risk management.
31
What is a definition of ERM?
ERM is a strategic business discipline that supports the achievement of an organisation's objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.
32
Why is ERM important?
It encompasses the entire organisation: a holistic approach driven from the top. It prevents siloed RM, so the effect of risks can be assessed better both individually and in total (the total is sometimes called risk exposure). It creates a single view of all risks to be managed throughout the whole organisation (one person's risk might be another's consequence or cause).
33
What is the OB (Orange Book) definition of risk?
The effect of uncertainty on objectives. Risk is usually expressed in terms of causes, potential events and their consequences.
34
Why is a risk description important?
So that a common understanding of the risk can be reached and ownership/responsibilities can be clearly established.
35
What is the FIRM Risk Scorecard?
A tool used to assess and manage various types of risk. It helps in identifying, classifying and analysing risks based on their impact and nature: Finances, Infrastructure, Reputation and Marketplace.
36
Why would you use a FIRM Risk Scorecard?
It is a way of classifying your risks; PESTLE could also be used.
37
What aspects of risk does a FIRM Risk Scorecard consider?
Timescale of impact: WHEN the risk might affect the organisation (short term, medium term, long term).
Nature of impact: HOW the risk affects the organisation (financial loss, damage to reputation, etc.).
Type of risk: WHETHER the risk is a hazard (negative impact), a control risk (neutral impact) or an opportunity (positive impact).
Overall risk exposure: the total amount of risk the organisation faces.
Risk capacity: the organisation's ability to manage and withstand risks.
38
Define the risk management four-step process (SATARLA)
1. Define context and objectives: understand your internal and external context and how it is changing. Within this context and scope, articulate your objectives.
2. Assess the risks: identify both the potential threats and opportunities (risks), understand them using the most appropriate techniques, and ask yourself: "So what? Do we need to do anything about these risks?"
3. Manage the risks: where possible, take charge of the risks, or aspects of them, by implementing controls. Note: a control is an act, object or system that modifies a risk. If the activity does not actually change the risk, it is not a control.
4. Monitor, review and report: tell people what you are doing and what they need to know (and perhaps do) regarding the status of the risks and how effectively they are being managed.
39
What question does using the SATARLA four-step process help you to answer?
"Given the context in which we are working, the risks (be they opportunities or threats) that are faced, and the extent to which they are managed (or manageable), is it possible to achieve the stated objectives?"
If the answer is "yes", the system is deemed to be in balance and nothing more needs to be changed.
If the answer is "no", there are two options:
a) Apply more effort and resources to managing the risks (implement more controls); or, if that cannot be done or is not desired,
b) Change the objectives (if possible), because what is currently set is either too difficult or too easy to achieve for an optimised balance.
40
How does the SATARLA four-step process enable integrated risk management to be undertaken and decisions to be made across any enterprise?
The simple four-step process links to any other risk management process being implemented.
41
Name the risk management standards
ISO 31000:2018, Risk Management - Guidelines
COSO:2004, Enterprise Risk Management - Integrated Framework
COSO:2017, Enterprise Risk Management - Integrating with Strategy and Performance
42
Provide a definition of a RM standard
A published guide for managing risk, usually comprising a risk framework and (especially) a risk process. Widely used as a way of measuring how well an organisation is managing its risk.
43
Provide the definition of a RM framework
Also known as the risk management context. It comprises the risk strategy, risk architecture and risk protocols, and forms the risk context which helps to drive the risk process.
44
Provide the definition of a RM Process
The stages in the process of managing risk, which is driven mainly by how you set up the framework (but also affected by the internal and external environment).
45
What are the three distinct RM approaches followed in the standard ISO 31000?
ISO 31000 (2009/2018), Risk Management - Guidelines, is the international standard on risk management. It considers:
* What good risk management looks like: the Principles
* What is needed to implement effective risk management: the Framework (RASP: Risk Architecture, Strategy and Protocols, i.e. the rules)
* What the steps in risk management are: the Process
46
What are the distinct RM approaches followed in the standards COSO 2004 and 2017?
COSO 2004 (Integrated Framework): strong emphasis on RM starting at the top of the organisation with the management of entity-wide risks; the same methodology then spreads from there down and across the enterprise. These entity-wide risks may be the strategic types of risk that impact upon the whole of the organisation.
COSO 2017 (Integrating with Strategy and Performance): represented by the 'rainbow double helix' diagram (see irm-report-review-of-the-coso-erm-frameworks-v2.pdf).
47
What are the distinct RM approaches of the OB (Orange Book)?
It looks at the main principles to adopt rather than detailed processes and procedures: the what and the why, but not the how. It explores five main principles of RM: governance and leadership; integration; collaboration and best information; RM processes; and continual improvement.
48
49
Explain the Institute of Risk Management (IRM) definition of risk
Risk is the combination of the probability of an event and its consequences (which can be negative or positive).
50
What is the OB (Orange Book) definition of risk?
The effect of uncertainty on objectives. Risk is usually expressed in terms of causes, potential events and their consequences.
51
What is the ISO Guide 73 definition of risk management?
Coordinated activities to direct and control an organisation with regard to risk.
52
What is the Institute of Risk Management (IRM) definition of risk management?
The process which aims to help organisations understand, evaluate and take action on all their risks with a view to increasing the probability of success and reducing the likelihood of failure.
53
Explain the levels of risk management sophistication
Inform: unaware of obligations, so it is necessary to INFORM the organisation of its legal obligations in relation to the risk.
Reform: aware of non-compliance; once aware, it will need to reform in order to comply.
Conform: actions taken to ensure compliance; the organisation needs to comply with its obligations.
Perform: achieve business opportunities; the organisation may now realise there are benefits, so it has the ability to perform and view risk as an opportunity.
Deform: RM techniques applied too negatively, meaning important decisions are not taken and risk disables activity rather than enabling improved activity.
54
Define Mandatory as part of MADE2
The basic objective for any RM initiative is to ensure conformity with applicable rules, regulations and mandatory obligations.
55
Define Assurance as part of MADE2
The board and audit committee of an organisation will require assurance that RM and internal control activities comply with PACED.
56
Define Decision making as part of MADE2
RM activities should ensure that appropriate risk-based information is available to support decision making, so that decision making is enhanced.
57
Define Effective and Efficient core processes as part of MADE2 (the core processes are STOC)
RM considerations will assist in achieving effective and efficient strategy, tactics, operations and compliance, to ensure the best outcome with reduced volatility of results.
58
What are the five objectives of RM?
MADE2: a summary of the main reasons for undertaking a RM initiative.
59
Name the four areas of improvement an organisation can achieve through managing risks
Strategy, Tactics, Operations and Compliance (STOC)
60
What does the S in STOC mean?
Strategy: because the risks associated with different strategic options will be fully analysed, better strategic decisions will be made.
61
What does the T in STOC mean?
Tactics: because consideration will have been given to the selection of the tactics (actions) and the associated risks involved, available alternatives can be evaluated.
62
What does the O in STOC mean?
Operations: because events that can cause disruption will be identified in advance and actions taken to reduce their likelihood of occurring, the damage caused by these events will be limited and the costs contained.
63
What does the C in STOC mean?
Compliance: this will be enhanced because the risks associated with failure to achieve compliance with statutory and customer obligations will be addressed.
64
What does ISO Guide 73 call the measurement of likelihood and impact (or magnitude)?
The current or residual level of risk.
65
The word 'impact' is used to define how the event affects...
The finances, infrastructure, reputation and/or marketplace of an organisation (FIRM).
66
What is risk appetite also referred to as?
Risk criteria.
67
What is the difference between traditional RM and ERM?
68
ERM Definitions
69