Module 3: Risk Assessment Flashcards
(104 cards)
1
Q
What are the deliverables of risk management?
A
Risk registers
Risk matrices
Risk reports
2
Q
How does the ISO 31000 risk management standard describe the process of risk management?
A
“The systematic application of policies, procedures and practices to the activities of communicating and consulting, establishing the context and assessing, treating, monitoring, reviewing, recording, and reporting risk”
3
Q
What is the process for “Establishing the Context” set out by ISO 31000?
A
External context (what does world look like, what are drivers and trends)
⬇️
Internal Context (what are our objectives, capacity, business processes, how do we make decisions)
⬇️
Context of the risk management process (what is the process expected to achieve, who is responsible, what resources are required)
⬇️
Defining risk criteria (What determines whether risk is acceptable and if it should be controlled, how can we measure our total risks)
4
Q
What risks can the external environment present?
A
Regulatory or legal requirements Societal conditions Political challenges Financial/ economic constraints Cultural restrictions Competition Environmental conditions
These can be international, national, regional or local.
5
Q
How can stakeholder analysis help us to understand external risk sources?
A
Stakeholder analysis is often carried out during the development of a communications plan. It can provide focus on who may be affected by, or may perceive themselves to be affected by, or who may be interested in your organisation.
6
Q
What are the internal sources of risk information
A
Historic risk information - usually found in previous risk registers or databases.
Historic results from performance indicators.
Audit or quality assurance outcomes.
Use of isomorphic learning from within the business (also external). This is the learning that can take place across a business sector. Risks that impact one department/ sector may also impact others.
Internal risk community groups.
7
Q
What are the external sources of risk information?
A
External consultants.
External risk community groups.
Regional, national, or international professional bodies. E.g the IRM.
Industry focused or risk management specific media.
Government bodies and standards.
8
Q
Define’Risk Source’
A
The ISO 31000 standard defines risk source as the ‘…element which alone or in combination has the potential to give rise to risk’ (ISO, 2018:2)
9
Q
Why do people assume risk is a “hard discipline”
A
Risk is assumed to be a hard discipline because it involves statistics, analysis and a rigorous approach. However the reality is that risk is managed by people not process or techniques.
People also think risk is hard because because it is difficult to do, however when done properly it should be an easy and intuitive process.
10
Q
Which professional bodies or industry bodies would be able to provide useful information to help with the risk assessment process?
A
Ensuring that you keep yourself informed of what is going on in your industry, sector, and organisation, will help you to recognise emerging risks that although affecting others currently, may affect you in the future.
Resources: IRM Lexology ABI BIBA
11
Q
What does PESTLE stand for
A
Politics, Economic, Sociological, Technological, Legal, and Environmental (or Ethical)
12
Q
What are the responsibilities of each stage of the 3 lines of defence model
A
Own - senior managers, employees
Advise - risk ma after, compliance
Assure - internal/ external audit
13
Q
Why might a risk assurance model fail?
A
- lack of board and senior management sponsorship and commitment
- risk management framework not sufficient developed
- different terminology and methods used by assurance providers
- no one taking ownership
- different self interests
- lack of competency or skills amongst staff
- timing of activities- risk management is not an overnight process
- reluctance among some assurance providers / risk managers to share information
14
Q
What are the top 10 priorities for risk management?
A
- understand your stakeholder needs and expectations
- validate the purpose and position of risk management
- communicate with the ARC
- facilitate positive change
- drive efficiency
- attract, retain and develop talented people
- promote risk as a key element of good governance
- focus on maturity levels and continuous improvement
- add value and show this by measuring performance
- link risk and assurance
15
Q
PESTLE may be considered a risk classification system with a emphasis on hazard risk. What are the advantages of PESTLE?
A
- simple framework
- facilitates an understanding of the wider business environment
- encourages the development of external and strategic thinking
- anticipates future business threats
- helps identify actions to avoid or minimise impact of threats
- facilitates identification of business opportunities
16
Q
What are the disadvantages of using the PESTLE analysis as a means of identifying risks?
A
- can over simplify the amount of data used for decisions
- needs to be undertaken on a regular basis to be effective
- requires different people being involved with different perspectives
- access to quality external data sources can be time consuming and costly
- difficult to anticipate developments that may affect an organisation in the future
- risk of capturing too much data that makes it difficult to see priorities
- can be based on assumptions that subsequently prove to be unfounded
17
Q
PESTLE classification system:
Define ‘Political’
A
Tax policy, employment laws, environmental regulations, trade restrictions and reform, tariffs and political stability
18
Q
PESTLE classification system:
Define ‘Economic ‘
A
Economic growth/ decline, interest rates, exchange rates and inflation rate, wage rates, minimum wage, working hours, unemployment, credit availability, cost of living etc
19
Q
PESTLE classification system:
Define ‘Sociological’
A
Cultural norms and expectations, health consciousness, population growth rate, age distribution, career attitudes, emphasis on safety, global warming
20
Q
PESTLE classification system:
Define ‘Technological’
A
Technology changes the impact your products or services, new tech, barriers to market entry, financial decisions like outsourcing and supply chain
21
Q
PESTLE classification system:
Define ‘Legal’
A
Change to legislation that may impact employment, access to materials, quotas, resources, imports/ exports, taxation etc
22
Q
Why is the inclusion of reputations risk in the FIRM risk scorecard not universally accepted?
A
It is sometimes argued that damage to reputation is a consequence of other risks materialising and should not be considered as a separate risk category.
23
Q
What is the link between PESTLE and SWOT
A
It is often suggested that the PESTLE risk classification system should be used in conjunction with an analysis of the strengths, weaknesses, opportunities and threats (SWOT) facing an organisation. A SWOT analysis of each of the 6 PESTLE categories is recommended by the Orange Book
24
Q
Why don’t the main risk management systems identify compliance risks?
A
Risks can be defined as hazard, control and opportunity, or they can be classified as long term, medium term or short term. If either of these classifications systems is used there is a possible that compliance risks will not be identified because they do not fit with a classification system based on timescales. A further difficulty with compliance risks is that there is often a requirement for a trigger event. An organisation can be exposed to a number of compliance risks but it may be difficult to identity the particular issue that will become a problem.
25
What are the advantages of having a risk classification system? (BS 3100)
* Accumulations of risk that could undermine a key dependency or business objective can be identified
* Responsibility for improved management of each different type of risk can be more easily identified/ allocated if risks are classified
* Decisions and knowledge about the type of control(s) that will be implemented can be taken on a more structured and informed basis
* Circumstances where the risk appetite of the organisation is being exceeded (or the risk criteria not being implemented) can be more easily identified
26
What does FIRM stand for
Financial
Infrastructure
Repetitional
Marketplace
27
FIRM risk scorecard
What is the measurement/ performance indicator for each of the FIRM attributes
Financial- usually quantifiable. Measured by gains and losses from internal financial control
Infrastructure- sometimes quantifiable. Level of efficiency in processes and operations
Reputation - not always quantifiable. Nature of publicity and effectiveness of marketing profile
Marketplace - quantifiable. Income from commercial and market activities
28
FIRM risk scorecard
What is the performance gap for each of the FIRM attributes
Financial - procedures - failure of procedures to control internal financial risks
Infrastructure- process - failure of processes to operate without disruption
Reputation- perception- failure to achieve the desired perception
Marketplace- Presence - failure to achieve required presence in the marketplace
29
What are the main risk classification systems?
COSO, IRM standard, BS31100, and FIRM risk scorecard.
Other commonly used risk classification systems that can be used to provide structure to a risk assessment are the SWOT and PESTLE analysis.
30
What are the classification headings for the main risk classification systems?
COSO - strategic, operations, reporting, compliance
IRM standard- Financial, strategic, operational, hazard
FIRM - financial, infrastructure, reputation, marketplace
31
What is the benefit of classifying risks as short, medium and long term?
Although not a formalised risk classification system, the classification of risks into short , medium, and long term helps to identify risks as being related (primarily) to operations, tactics, and strategy, respectively
32
What would be classified as a short term risk?
A short term risk has the ability to impact the objectives, key dependencies and core processes, with the impact being immediate. These risks can cause disruption to operations immediately when the event occurs. Short term risks are predominantly hazard risks.
Short term risks usually impact the ability of the organisation to maintain effective and efficient core processes that are concerned with the continuity and monitoring of routine operations. There is a need to mitigate short term risks.
33
What would be classed as a medium term risk?
A medium term risk has the ability to impact the organisation following a (short) delay after the event occurs. Typically the impact of a medium term risk would not be apparent immediately but would appear with a year, maximum, of the event. Medium term risks usually impact the ability of the organisation to maintain effective and efficient core processes that are concerned with the management of tactics, projects and other change programmes. These medium term risks are often associated with projects, tactics, enhancements and other developments. There is a need to manage these medium term risks.
34
What could be classified as a long term risk?
A long term risk has the ability to impact the organisation some time after the even occurs. This would typically be 1-5 years. These risks usually impact the ability of the organisation to maintain the core processes that are concerned with the development and delivery of effective and efficient strategy.
35
What is the purpose of the bow-tie illustration?
To demonstrate that sources of risk can lead to events that have consequences
36
How do we summarise the need to respond to risks according to whether they arise from strategy, tactics, operations, or compliance (STOC)?
EM3
Embrace, Manage, Mitigate & Minimise
37
What is the benefit of a a formalised risk classification system
Formalised risk classification systems enable the organisation to identify where similar risks exist within the organisation. Classification of risks also enables the organisation to identify who should be responsible for setting strategy for management of related or similar risks. Finally, appropriate classification of risks will enable the organisation to better identify the risk appetite, risk capacity and total risk exposure in relation to each risk, group of similar risks or generic type of risk.
38
What is at the centre of the bow tie illustration?
The event in the centre of a bow tie illustration lists the components of the organisation that is impacted by the event - 4p’s
People, premises, processes, and products
39
How are the impacts of a an event described in a bow tie illustration?
FIRM
40
What are the sources of project risk?
The primary sources of project risk will include the following, but will vary depending on the project context such as the industry, location, and sector. There is no one size fits all.
```
Business environment
Host industry
Sponsors organisation
Business case
Project brief
User requirements
Project team
Design, specification, layout
Internal approvals
External approvals
Change controls
Procurement
Implementation
Testing and commissioning
Handover
```
41
What are the potential benefits of project risk management?
```
Supporting the business case
Increased chance of success
Make objectives clear/ prioritised
Procurement will reflect risk appetite
Forces team to think collaboratively
Validated funding requirements
Protects reputation
Improving accountability/ decision making
Better understanding of legal requirements
Improved integration into operations
```
42
What is the difference between a PEST and a SWOT analysis?
A PEST analysis measures a market, a SWOT analysis measures a business unit, a proposition or an idea.
PEST only covers environmental analysis, whereas SWOT considers both company (internal) and environmental (external) analysis.
43
What can a SWOT analysis be used for?
A SWOT analysis can be used to draw out the risks and opportunities facing an enterprise and has the advantage of being quick to implement and easily understood. Analysis of SWOT brings together the results of analysis of the company (internal) and environment (external).
SWOT is good because it stimulates thinking that is not overly structured or restrictive.
44
What might supervisory authorities expect an operationally resilient firm to have in place?
A clear understanding of most important business services.
A comprehensive understanding and mapping of the systems and processes that support these services, including those over which the firm might not have direct control.
Knowledge of how a failure in one area could impact other areas.
Knowledge of which systems or processes could be substituted.
Tested continuity plans.
Effective internal comm plans.
Effective escalation procedures.
Specific external comm plans including information for customers.
45
Why is it important to plan on the basis that operational disruptions will occur?
It is not possible to prevent every risk materialising, and dependencies are often only identified once something has gone wrong.
46
Why might priorities between firms and supervisory authorities not be aligned?
Supervisory authorities may believe that a disruption to a business service would harm their objectives, while a firm might consider any disruption to be a manageable risk.
47
What do supervisory authorities consider to be the most effective focus for managing operational resilience?
Supervisory authorities consider that managing operational resilience is most effectively addressed by focusing on business services rather than on systems and processes. Firms are more likely to be operationally resilient if they design and manage their operations on the assumption that disruptions will occur
48
Under requirements such as Internal Capital Adequacy Assessments and Risk Control, boards and senior management should be able to articulate the circumstances which may lead to the firms failure, develop their own risk appetites, and oversee delivery of risk mitigation. What should this include?
An assessment of the adequacy of a firms operational resources to maintain resilience, relevant to the firms ability to remain viable.
Effective risk management of their organisation, people, processes and technology assets, all of which support the continuity of business service delivery during operational disruptions
49
What kinds of harm could arise from operational resilience failures?
Disruption to supply of new business services - applications are rejected and delays occur.
Availability and integrity of existing business services - customers unable to access services e.g. unpaid bacs could lead to fees and impact on credit ratings.
Availability of a vital link in the value chain- a custody bank which is unable to confirm ownership of assets could delay asset valuations.
Unauthorised access to market sensitive data
50
What are the potential benefits of setting impact tolerances?
The supervisor authorities consider that setting impact tolerances for the most important business services could:
A) support firms and markets in prioritising investments and resources
B) provide a clear scope when firms and markets want to test their own resilience
C) provide a focus for supervisory engagement
D) consider substitute options more broadly
51
What FCA rules and guidance are relevant to a firms operational resilience?
The FCA principles - at a high level, the FCAs Principles for business set out general statements on the fundamental obligations for firms and includes “a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems”.
Threshold Conditions - represent the minimum conditions which a firm is required to continue to satisfy to be given and retain permission to carry on regulated activities under part 4A FSMA.
COND - provides guidance on how the FCA will approach its assessment of applicable threshold conditions. Of particular relevance is the FCAs assessment of the risks to the continuity of the services under the appropriate non-financial resources threshold condition COND 2.4.4G
SYSC - includes rules and guidance about risk management and risk centric governance arrangements
Many of these derive from EU law such as the markets in financial instruments directive.
52
What do the FCA rules say about operational risk management?
SYSC 4.1.1R: “A firm must have robust governance arrangements, which includes a clear organisational structure with well defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks it is or might be exposed to”
SYSC 4.1.6R to 4.1.7R: sets out rules relating to business continuity for common platform forms, CRR firms and management companies.
SYSC 7.1: includes further provisions on risk for certain firms.
SYSC 21.1: provides guidance on risk-centric governance arrangements, including guidance on whether a CRO should be appointed and governing body risk committee established.
SYSC 13: sets out detailed guidance for insurers about management of operational risk.
53
What are the supervisory authorities objectives relating to operational resilience?
The bank has an objective to protect and enhance the stability of the financial system of the UK.
The bank sets out in its Financial Stability Strategy that financial stability is the consistent supply of the vital services that the real economy demands from the financial system. These vital devices include providing the mechanism for paying for goods, services and financial assets, and intermediating between savers and borrowers and insuring against and disputing risk.
The bank seeks to ensure markets are designed and operated in a safe way to reduce risk in vital payment and clearing arrangements and the banks operation of the real time gross settlement (RTGS) service and Clearing House Automated Payment system CHAPs) supports this.
The PRA and FCA objectives are also defined in the financial services and Markets Act (FSMA). They seek to promote safety and soundness of firms, provide protection for consumers, and promote competition.
54
What do regulators expect from firms regarding impact tolerances?
Supervisory authorities envisiage that firms can determine their own impact tolerances, explaining their own how their impact tolerance has been arrived at for important business services, how it relates to regulatory objectives and in which scenarios a breach of the impact tolerance could be accepted. These are likely to be limited to the most severe but plausible scenarios.
Impact tolerances would need to be expressed clearly and would be separate from any risk appetite or recovery time objectives (RTO). Impact tolerances express an upper limit where a breach is to be avoided in all but the most extreme scenarios. Risk appetite and RTOs on the other hand tend to express a desired outcome that is achieved with high probability. The regulators anticipate that firms will be able to explain the relationships between impact tolerances, risk appetites and RTOs.
An example of an impact tolerance in practice: the bank sets a time and volume based impact tolerance as operator of CHAPs. The Bank states that all payments (volumes) should be settled by the end of the day (time) in all, even extreme, circumstances.
55
How would you describe a risk using metalanguage?
A three part structures description of a risk that separates cause, risk and effect, in the form:
As a result of a , may occur, which would lead to .
Understanding cause and effect allows the grouping of risks in the assessment step. Cause and effect information can also assist when planning responses.
56
Explain the issues in trying to be comprehensive in identifying risks.
We cannot foresee everything that might happen.
Joharo window.
There will always be risks that we have not identified but risk identification process should minimise these.
57
Describe four risk identification tools and techniques.
Brainstorming through structured risk workshops which produces a large number of ideas. Group thinking is more productive than individual thinking.
Delphi - a systematic collection and coalition of judegements from subject experts.
Structured or semi-structured interviews.
SWOT analysis.
58
Explain the key skills of a risk facilitator in implementing risk identification.
Some of the key skills of a facilitator include:
Being able to work with large and increasingly diverse groups, working face to face or virtually, dealing with conflict, sustaining participation, guiding groups to outcomes.
59
How should risks initially be prioritised?
The prioritisation I’d identified risks should initially by undertaken through qualitative rating.
The highest priority risks cannot be identified until all risks have been identified. We then need to assess the likelihood (probability, chance or frequency) of occurrence and the effect (consequence , severity* or impact) it would have should it occur.
* Wording is key and should be consistent. The term severity is only used in relation to threats.
60
What are the pros and cons of quantitative analysis?
Quantitative analysis is not a precise science as it is based on subjective estimates however it can be helpful to articulate perceptions of likelihood and impact in order to aid decision making and to provide a framework for thinking about the problem.
Decision making becomes ‘tighter’ as soon as the risks are quantified and the assessment is progressively refined as more information becomes available.
61
How can you lessen the impact of subjectivity in risk rating?
Qualitative risk analysis is a subjective task which can be influenced by the priorities and knowledge of those involved - people have different opinions of what is high, medium or low impact based on their experience and culture (human factors).
Objectivity is added to prioritisation process to ensure a consistent rating is used which is understood by all involved, and which provides a priority for risks in a ‘holistic, non-prejudiced manner’ (Hillson & Simon, 2012). This can be done by introducing and analysis scheme where likelihood and impacts are given values. There is a standard 5 point scale for both likelihood and impact, although some organisations use a 3 point, or even a 7 point scale.
62
What is the purpose of P-I scales?
The purpose of probability - impact scales is to determine if a risk matters or not in relation to our objectives.
63
Why is it important to set percentage ranges correctly?
A low upper range will result in more ‘top’ risks being prioritised.
Ranges should be used instead of single point estimate, otherwise the upper and lower points will be fixed beyond the point at which you are not expecting any risk to occur.
Ranges should not be used for health and safety risks - cannot grant a range of acceptability to someone dying!
Hopkin (2018) considers where risks may occur more than once within the timeframe set, which means that percentage ranges may not be relevant for the likelihood scale. Some risks are better described using frequency, especially if they may occur more than once.
64
Define frequency in the context of likelihood.
Hills on and Simon (2012) define frequency as “a measure of likelihood for a specific risk that could occur repeatedly over a given period of time or in a given number of trials. Frequency of occurrence is usually expressed as a number of occurrences per unit of time or per total number of trials.”
65
When should you use percentage ranges and when should you use frequency ranges when discussing likelihood?
One off events can be discussed with frequency ranges and risks that may occur more than once should be given frequency ranges.
66
Define Risk Appetite
Risk appetite is defined by the IRM as “the amount of risk an organisation is willing to seek or accept in persuit of its long term objectives”.
Risk appetite relates to the risks you want to take, within the boundaries of a tolerance of risks you don’t want to take. This needs to be set in the context of risk capacity, defined by Hollson and Murray-Webster as “the ability of an organisation to bear risks, quantified against objectives“.
67
Define risk tolerance
Risk tolerance is defined as “the boundaries of risk taking outside of which the organisation is not prepared to venture in persist of its long term objectives”
68
How do appetite and tolerance relate to risk ratings?
Risk appetite tends to be descriptive but express a range of performance that is acceptable around each objective. Objectives therefore need to be described in a measurable way I.e using a performance indicator which can include the best tolerable result.
In most cases the medium impact scale will represent either the worst tolerable threshold (for threats) or the best realistic threshold (for opportunities) and these will be within risk appetite.
69
Should risk impact scales be changed over time?
No. Risk appetite may change over time due to external factors, however if the impact scales change it will be difficult to undertake comparisons between risks over time because the measurement has altered.
70
What are the techniques for causal analysis?
Cause and effect (also called fishbone or Ishikawa) diagram - this does not have a statistical basis but is excellent for uncovering the sources of a risk and mapping relationships. Simple and adaptable, this diagram is commonly developed in brainstorming sessions. The diagram is commenced by writing the potential effect on the far right side and adding risk events as bones attached to the backbone ‘arrow’.
71
What are the advantages of an Influence diagram?
They provide a framework for discussion of interdependencies of decisions and events and the management of the problem without requiring and formal mathematical, probabilistic or statistical notation.
They provide a significant contribution towards reducing large volumes of data to their essential parts.
They can provide a degree of sensitivity analysis to show how much influence particular decisions or uncertain events have upon outcomes.
72
Define ‘consequences’.
ISO 31000 defines consequence as the “outcome of an event affecting objectives’.
73
Define ‘probability’.
ISO guide 73 defines probability as the measurement of the chance of occurrence expressed as a number between 0 and 1, where 0 is impossible and 1 is absolute certainty (2009).
74
What is Pareto Analysis?
Pareto Analysis is the simple process of ranking or ordering risks once they have been assessed to determine the order in which they should be managed.
Once the risks have been ranked they can be expressed pictorially as a bar chart with most frequently occurring cause appearing first on the left. This is known as a Pareto diagram (available in excel).
Commonly Pareto diagrams reveal that 20% of risks within an analysis contribute to over 80% of risk exposure, following the 80/20 rule or Pareto principle. The “vital few and trivial many”.
75
Define inherent risk
Inherent risk is defined in BS 31100 as exposure arising from a specific risk before any action has been taken to manage it (2011)
76
Define current or residual risk.
Residual risk is defined in BS31100 risk remaining after risk treatment.
77
What additional scales can be used to evaluate a risk?
Strategic impact
Manageability
Impact window/ proximity/ velocity
78
What is an action window?
The period of time when effective action can be taken is another important factor when assessing a risk. The urgency of addressing a risk might increase its priority. Impact and action windows are often presented on an overlay chart indicating risks with high proximity and urgency.
79
Explain how risk appetite can be used to inform the impact scales.
Organisations should express their risk appetite through the impact scales used to measure risks.
Risk appetite is most usefully expressed as a threshold around target objectives.
Objectives therefore need to be described in a measurable way.
Impact scales should be developed so that even if the organisations appetite, and therefore, thresholds change, the impact scales should still accommodate those changes.
80
Explain a bow tie analysis.
A risk bow tie is used to map out the progression of a risk from underlying cause to risk event to effect. In the middle the knot of the bow represents an event which the potential to affect the achievement of objectives.
The left half of the bow tie represents the underlying conditions or causes, the right represents what unfolds after the event occurs, including any modifying capabilities that are in place and the effects of the event upon objectives.
81
What are the components of risk assessment?
Risk identification
Risk analysis
Risk evaluation
Decision making
82
What three rolls does Garlick attribute to quantitative risk assessment?
To help managers understand the risks they are taking.
To help managers be clear that the rewards are commensurate with these risks.
To help managers work more effectively with their partners on risk management, risk sharing and risk allocation, at the right price.
83
Define Accounting
“The process of collecting, measuring, recording, and communicating financial information about a business to those who need that information to help them manage the business, or make other decisions about their engagement with the business “ - Lymer and Azmat, 2010
84
Describe double entry book keeping
In double-entry book keeping the financial value of all purchases of credit items (what you owe to other parties/creditors) and the sales items to customers (what is owed to you by other parties - referred to as debtors) are recorded.
This information is essential in understanding a firms ability to bear risk and its risk appetite. As accounts are usually balanced monthly any changes can affect risk appetite at any given time.
A firms annual accounts can help you to understand the values at risk.
85
What is a balance sheet
A balance sheet is a financial statement that shows what a business is worth at a point in time. A standard balance sheet has thee parts: assets, liabilities and ownership equity or capital. These three segments give an idea of what the company’s owns and owes, as well as the amount invested by the shareholders.
86
Define Risk Evaluation
ISO 31000 defines risk evaluation as the process of comparing the results of risk analysis with the established risk criteria to determine the significance of risk. (ISO, 2018: 13)
87
What methods are used when looking at the overall effect or magnitude of a risk?
These methods have historically fallen within two camps. Health/safety and environment based, such as Failure Mode Effect Analysis (FMEA) and root cause analysis such as Monte Carlo simulation or Bayesian statistics.
88
What are the different types of statistical models according to Garlick?
Reliability model- not often used in business but used for binary situations (fault and effect trees)
Cost models - most common modelling for risk assessment.
Schedule modules - considered essential for project management.
General models- influence diagrams, Bayesian networks and decision trees.
89
What must be considered before embarking on any risk modelling?
Whether all identified risks need to be costed.
Whether the risks should be transferred to another party.
Whether the risk can be managed and the only costs are of actions to manage it.
Whether the impact is lessened already by contingency plans.
90
Where we are uncertain of the probability bands of a risk, and where we want to examine the impact of interconnected risks we may want to examine a set of “what if” scenarios. What technique can be used for this?
The Monte Carlo stimulation technique may be helpful when dealing with a large set of possibilities. Monte Carlo generates possible scenarios which are weighted by the probability of their occurrence. This each risk can be represented by a probability distribution rather than a single value. The objectives is to calculate the combined impact.
91
How does Garlick (2007) group statistical models?
Reliability model - not often used in business but more in relation to binary situations, when something happens or not, such as fault and event trees
Cost models - most common modelling for risk assessment
Schedule models - considered essential for project management
General models - models related to, but separate from the others, including influence diagrams, Bayesian networks and decision trees
92
Define probability
The definition of probability is given in ISO guide 73 as the measure of the chance of occurrence expressed as a number between 0 and 1, where 0 is impossible and 1 is certain.
93
Define impact
Hopkin (2018) uses the term impact “to define how the event affects the finances, operations, reputation and/or marketplace (FIRM) of the organisation”.
94
Which extreme value statistical distributions consider high impact/ low likelihood risks?
There are three extreme value statistical distributions:
Gumbal
Fréchet
Weibull
In practice this kind of risk is usually managed to ensure that it is insured, excluded or transferred, rather than included in a quantitative assessment
95
Why might quantitative risk analysis be required?
Qualitative analysis does not always provide sufficient information to help with risk based decision making. Quantitative analyses helps us to fully understand the potential impact and the cost benefit analysis. As Garlick (2007) notes, we undertake quantitative analysis to help managers understand the risks they are taking, be clear that the rewards are commensurate with these risks, work more effectively with other parties.
96
Summarise the preparation that should be done prior to implementing quantitative analysis.
Before embarking on any modelling it is necessary to first consider:
Whether all identified risks need to be costed (financial or time based)
Whether the risk should be transferred
Whether the risk can be managed
Whether the impact is lessened by existing contingency plans
- 4Ts
97
Explain how annual accounts help you to understand the values at risk within the organisation
Many different parties will have a reason to want to review a firms financial statements such as a bank deciding to offer a loan, or employees evaluating prosperity. Some of the things it might be helpful to look at are:
Gross profit and mark up percentages - wide variations between periods might indicate a problem
Rate of stock turnover
Liquidity rations - ability of firm to pay debts as they become due.
Gearing ratios - describing the mix of loan finance and equity finance. The money invested from borrowed and non-borrowed funds, where a high gearing percentage indicated exposure to financial risk, and interest changes will have to be paid as well as the loan when it is due.
98
Explain how relationships of probability are important in reflecting the relationships of risks to each other and to other activities within an organisation
Most risks have some relationships with other activities or risks. Most have some measure of interdependency and will follow the basic concepts of the use of probabilities such as the complement of an event, conditional probability, additional rules, intersecting events, joint probabilities and multiplication laws.
Some risks can occur instead of other risks. In some cases one event can only occur when another event has already occurred (conditional probability).
Bayes’ theorem can be used to explain how probabilities can be revised when new information is obtained.
99
Discuss the pitfalls of quantitative risk analysis
There are several concerns regarding quantitative analysis. Risks are uncertain future events, which we are thing to put quantities too. When trying to allocate quantities to risk, we should remember that the allocation is an estimate with which we are trying to predict the future. It is essential to spend time ensuring the data that underpins these estimates is as relevant and as accurate as possible, otherwise quantitative assessment will be considered to be not only objective but correct.
Garlick (2007) considers three risks in terms of quantification:
Systematic underestimation it cost and time to carry out activity
Systematic underestimation of management resources and managerial talent to achieve objectives
The essential unpredictability of the future environment
100
What are the most common deliverables from quantitative risk analysis?
Distribution graph and cumulative graph.
The distribution graph identifies the number of time’s something occurred within a range during a simulation. It can highlight anomalies. Low probability/ high impact risks can skew the graph and give a two hump graph where event falls outside main bell shaped curve. These risks should be separated and managed in a different way.
The cumulative graph can be derived from the frequency distribution by summing up the frequencies for all values up to and including the value for which the cumulative frequency is required, thus giving a running total which produces a line graph or an s curve.
101
Explain the basic components of a risk communication plan.
6 rugby players sat on a bench.
```
Who - stakeholders/ target audience
What - information required
Why - what information is used for
Where - depository of information
When - one off? Level of frequency?
How - format e.g. risk register
Who by - who is responsible for producing and delivering the information
```
102
List the main sections of a risk register.
The risk register can hold a great deal of information generated through risk assessment, risk treatment, and monitoring and reviewing, including: risk categories, causes, risks, effects, likelihood, impact, probabilities, cost and schedule ranges, risk owner, existing controls, response strategies, detailed actions, action owners, action review dates, additional likelihood, impact, and risk levels for inherent, residual or target ratings.
103
Describe the Monte Carlo simulation
Monte Carlo is a technique used to understand the impact of risk and uncertainty in financial, project management, cost, and other forecasting models.
A Monte Carlo simulator helps one visualise more or all of the potential outcomes to have a better idea regarding the risk of a decision.
Cabs be used for claims reserving e.g estimating amount lost in a one in two hundred year event. See SCR.
104
Why is NPV superior to ARR and PP?
Net Present Value addresses:
•the timing of the cash flows.
• the whole of the relevant cash flows, irrespective of when they are expected to occur.
• the objectives of the business and shareholders. Positive NPVs enhance wealth, negative ones reduce it.
