Module 1 - Unit 5 (RA2 - Risk Analysis & Evaluation)

Question 1

Define ‘risk analysis’ according to the IRM (2002)

Answer 1

• Risk analysis is used to provide a risk profile
• Gives a rating of significance to each risk
• Provides a tool for prioritising risk treatments
• Note: risk analysis helps us to determine the severity of the risks an organisation faces by analysing the likelihood of the risk materialising together with the severity of the impact on the organisation.
• It’s the ‘risk rating’ stage of ISO 31000

Question 2

List four aims of risk analysis

Answer 2

1. Prioritises risk for risk treatment
2. Achieves a consistent perceptions of significance
3. Inform decisions on allocation for scarce resources
4. Inform decisions on the viability of strategies, investment and projects
5. Facilitates review and monitoring of risk
6. Allows all concerned to see the overall risk profile
7. To be clear about the difference between residual risk and inherent risk

Question 3

Define ‘target risk’

Answer 3

Target risk is the risk rating that is within the tolerance and appetite of the organisation (where you want to ‘control’ the risk to).

Question 4

Define ‘probability’ in terms of likelihood.

Answer 4

Probability is expressed numerically as a value between 0 and 1 (or 0% to 100%).

Question 5

Define ‘frequency’ in terms of likelihood.

Answer 5

Frequency is expressed numerically as chances of occurrence / a frequency measurement (1 in 100 years, or 1 in 10 chance)

Question 6

Impact may be described as qualitative and quantitive, state the difference between the two.

Answer 6

Qualitative: high, medium, low (generates non-numerical data)

Quantitative: financial, market
share, number or customers, time, resources (can be measured and hold a numerical value).

Question 7

State four types of information you can use as a source to determine your impact and likelihood.

Answer 7

1. Past records
2. Relevant personal experience
3. Relevant industry experience
4. Published literature
5. Testing or experiments (e.g. market research)
6. Economic or statistical forecasting
7. Expert judgement
8. Organisation and performance indicators.

Question 8

Draw a ‘three by three’ risk matrix, showing appropriate labels and measures of severity

Answer 8

• Square split into 9
• Likelihood on the x-axis (low, medium, high)
• Impact on the y-axis (low, medium, high)
• Green, yellow, and red colours to show the RAG ratings associated to each square
• Likelihood x impact numbers in each square.

Question 9

Explain one benefit for pre-defined criteria for analysing and quantifying Impact of a risk event.

Answer 9

This helps provide comparability and consistency otherwise the same risk event could place in different cells in a matrix by different people.

Question 10

What does ALARP stand for?

Answer 10

As Low As Reasonably Practicable

Question 11

ALARP is one of the fundamental principles of risk management for health and safety.
Describe how you would determine that the risk has been reduced “as low as reasonably practicable.”

Answer 11

• This would be the point at which the costs of any reasonable measures to reduce risks were disproportionate to the benefit that could be achieved.
• Cost of additional controls > benefits

Question 12

What is a significant risk?

Answer 12

• A risk is significant if it could impact in excess of the benchmark test for significance for that type of risk.
• Benchmark tests can reduce the number of identified risks from hundreds or thousands to those few which are most significant and which we must treat first.
• An example of a benchmark test for significance = FIRM risk scorecard.

Question 13

Provide examples of a typical benchmark test for significance for the components of the FIRM risk scorecard.

Answer 13

FINANCIAL
• Impact on balance sheet of 0.25%
• Profit and loss impact of 2.5% of annual profit

INFRASTRUCTURE
• Destruction to normal operations of 1/2 day
• Increased cost of operation exceeds 10% budget

REPUTATIONAL
• Share price falls by 10%
• Event is on national TV, radio, or newspapers

MARKETPLACE
• Impact on balance sheet of 0.5% turnover
• Profit and loss impact of 1% annual profit

Question 14

Define ‘risk analysis’ according to ISO 31000

Answer 14

• According to ISO 31000, risk evaluation is the final element of risk assessment.
• It compares the results of risk analysis with the established risk criteria (appetite) to determine where additional action is required.
• Therefore, it’s a decision point in which we decide whether or not to respond to risk.

Question 15

Define ‘risk appetite’ according to ISO guide 73.

Answer 15

Risk appetite is the amount and type of risk that an organisation is willing to pursue or retain.

Question 16

Define ‘risk appetite’ according to IRM (2011).

Answer 16

• Risk appetite is the amount of risk that an organisation is willing to seek or accept in the pursuit of it’s long-term objectives
• Those risks that an organisation actually wants to engage with.

Question 17

List two aims of risk appetite.

Answer 17

1. Aids consistent approach to risk management across the organisation.
2. Supports consistent decision making about how to respond to risk.
3. Reduces overall risk exposure
4. Reduces bias

Question 18

Who is responsible for defining the risk appetite?

Answer 18

The board

Question 19

Define the following terms:
A. Risk tolerance
B. Risk capacity
C. Risk universe

Answer 19

A. The boundaries of taking risk outside of which the organisation is not prepared to venture in pursuit of it’s long-term objectives (if push comes to shove, the organisation might just be able to put up with).

B. The maximum level to which the organisation should be exposed, having regard to financial an other resources.

C. All the risks which the organisation might face.

Question 20

“The risk tolerance (capacity) of an organisation is likely to be a subset of the risk appetite and the risk universe.”

Explain why this statement is incorrect.

Answer 20

• The IRM guide show clearly that the risk appetite is a sub-set of the risk tolerance (capacity)
• Risk tolerance (capacity) is a sub-set of the risk universe

Question 21

Draw a diagram that links risk with uncertainty (i.e the range of outcomes for different risk exposures)

Answer 21

See Figure 25.2 ‘Risk and Uncertainty’ Hopkin (2018).

• By including all three types of risk (hazard, control, and opportunity) in a single figure, it is possible to demonstrate that the three types of risk are related, interdependent, and form a continuum.

Question 22

Describe the six stages of Risk Appetite Statement.

Answer 22

1. Identify stakeholder expectations
   - making reference to CSFSRS
2. Define Company-wide risk exposure
   - through analysis of STOC
3. Established the desired level of risk exposure
   - that will lead to a RAS that provides a set of qualitative and quantitative statements).
4. Define the range of acceptable uncertainty around each of the types or risks
   - leading to a statement of acceptable risk tolerances
5. Reconcile the risk appetite and risk tolerances with the current level of risk exposure
   - and plan actions to bring exposure in line with risk appetite
6. Formalise and ratify a RAS
   - communicate the statement with stakeholders and implement accordingly.

Question 23

What is the equation for loss control?

Answer 23

LOSS CONTROL = LOSS PREVENTION + DAMAGE LIMITATION + COST CONTAINMENT

• Loss prevention -> focus on reducing likelihood
• Damage limitation -> focus on reducing magnitude
• Cost containment -> focus on reducing impact and consequences

Question 24

Describe what is meant by the term ‘loss control’.

Answer 24

• Loss control explains the need to identify appropriate control measures to prevent a risk materialising, limit the damage, and contain the costs.
• Loss control describes how we can minimise the potential losses by identifying appropriate control measures to treat HAZARD type risks after having completed risk analysis.
• Designed to reduce the likelihood and magnitude of losses by changing the characteristics of exposure so that is it more acceptable to the firm.
• Loss control is concerned with the mitigation of the magnitude, impact and consequences of an adverse event.

Question 25

List two key dependencies that could give risk to hazard risks (using the FIRM risk scorecard).

Answer 25

``` FINANCIAL • Availability of funds/finance • Correct allocation of funds/finance • Internal control • Liabilities under control ``` ``` INFRASTRUCTURE • People skills and experience (people) • Premises/plant and equipment (premises) • IT hardware and software (processes) • Communication and transport (products) ``` ``` REPUTATIONAL • Brand and brand expansion • Public opinion and sector • Regulator’s enforcement action • CSR ``` ``` MARKETPLACE • Regulatory environment • Economic health • Product development (technology) • Competitor behaviour ```

Question 26

Explain the stages of loss control, and link the stages with the bow-tie diagram

Answer 26

Before the event occurs: • the organisation will have controls in place to seek to achieve loss prevention (to reduce the likelihood of the event occurring). As the event is developing: • steps should be in place to limit the damage that the event is causing (to reduce the magnitude of the event) After the event: • cost containment controls by way of business continuity and arrangements to reduce the cost of repair should be achieved (to reduce the impact and consequences of the event) Disaster recovery plans: • will be relevant during both the damage limitation and the cost containment stages. The types of controls associated with hazard risks are: PREVENTATIVE, CORRECTIVE, DIRECTIVE, DETECTIVE.

Question 27

Define the ‘upside of risk’

Answer 27

Either of the following is acceptable: 1. Fewer disruptions to normal operations resulting in less downside to risk (in relation to hazard risks). 2. Gains from accepting an opportunity as well as lower cost from a positive outcome. 3. Ability to seize opportunity that competitors would be unwilling to embrace (the ability to pursue a business opportunity that a competitor has no appetite for). 4. Identifying and managing opportunities through risk management. 5. Strategic opportunity management 6. Unintended or automatic result of good (threat) management.

Question 28

Describe the importance of the upside of risk in relation to strategy, tactics, and operations.

Answer 28

Cycle: strategy -> tactics -> operations -> strategy * The upside of risk in relation to strategy relates implicitly to the 2 E’s of MADE2 (effective and efficient STOC core processes) * All about increasing the likelihood and positive impact of the particular strategic decision. * The implementation of the chosen strategy involves a range of tactical decisions in the form of effectively delivered change projects or programmes. * The object of the change is to improve both the efficiency and effectiveness of core processes. * Delivery of the chosen strategy involves efficient core operational processes. * Efficient processes represent the upside of risk in operations = can place the organisation at a competitive advantage over its competitor = identifying further strategic opportunities.

Question 29

Describe what is meant by the term ‘riskiness index’ and explain its purpose.

Answer 29

• Riskiness index is a snap-shot of the overall level of risk embedded in an organisation (taking into account strategy, projects, and routine operations). * The approach can offer an opportunity to benchmark risk management performance and track changes over time. * It uses the FIRM risk scorecard to categorise risk * Develops consolidated view of risk exposure * Focuses attention on management effort * Tailored questions developed in relation to risk * Each question is marked out of 5 * Having completed the riskiness index, the organisation can then seek additional controls to reduce the level or riskiness within the organisation without affecting its STOC. * Upside becomes that an organisation to follow the desired STOC at the lowest level of threat that is reasonable and cost-effectively achievable.