Risk Flashcards

(67 cards)

1
Q

Risk

A
  • The effect of uncertainty on objectives
  • It is potential: what could happen, and the effect can be positive (an opportunity) as well as negative (a threat)
2
Q

Antifragility

A

Ability to not just withstand high-impact events or shocks but to improve and benefit from them.

3
Q

Risk management

A
  • Coordinated activities to direct and control an organization with regard to risk
  • Designed to change the probability of a risk event occurring and/or the degree of its impact on the organization's objectives
4
Q

Known knowns

A

Events that are expected and involve little uncertainty

5
Q

Known Unknowns

A

Uncertainties we know exist, but don’t know much about their probability or impact

6
Q

Unknown knowns

A
  • Risks we mistakenly think we understand
  • Not to be confused with unknown unknowns, the category that black swans belong to: unforeseen outlier events that are rare and have a major impact
7
Q

Types of risk

A
  • Strategy
  • Operations
  • Financial reporting
  • Compliance
8
Q

Internal and preventable risks

A
  • Come from inside the organization
  • Could include violations of ethics and failures in routine processes
9
Q

Strategy risk

A

Risks that affect the organization’s ability to achieve its objectives

10
Q

Operations Risk

A

Risks that affect the ways the organization creates value

11
Q

Financial reporting risk

A

Risks that affect the accuracy and timeliness of information about the organization’s financial performance and condition

12
Q

Compliance risk

A

Risks associated with meeting the requirements of laws and regulations

13
Q

Benefits of risk management

A
  • Aligns the risk management process with the organization's strategy and objectives
  • More effective and consistent response to risk
  • Losses are reduced and fewer resources are wasted
  • Risks are understood and managed
14
Q

Barriers to risk management

A
  • Structural
  • Cognitive
  • Cultural
15
Q

Structural barrier to risk management

A
  • Silo organizations
  • Risk is handled at an operational rather than a strategic level
16
Q

Cognitive barrier to risk management

A

Need to think past “if then” scenarios to “what if” scenarios

17
Q

Cultural barrier to risk management

A
  • Be aware of the diverse workforce and their beliefs and attitudes toward risk
  • Communicate the organization's position on, and appetite for, risk
18
Q

An effective risk management program should

A
  • Create and protect value
  • Be an integral part of all organizational processes
  • Be a part of decision making
  • Address uncertainty
  • Be systematic, structured and timely
  • Be based upon the best available information
  • Fit the organization's risk and control environment
  • Take into account human and cultural factors
  • Be transparent and inclusive
  • Be dynamic, iterative and responsive to change
  • Facilitate continual improvement of the organization
19
Q

Risk Organizational Framework Steps

A
  1. Secure management commitment
  2. Design a framework for managing risk
  3. Implement risk management
  4. Periodically monitor and review the framework
  5. Continually improve the framework
20
Q

Risk Management Process

A

1. Establish the context of risk
2. Define risk appetite and set risk management goals
3. Identify and analyze risks
4. Manage risks
5. Evaluate

The cycle then returns to step 1

21
Q

Risk position

A

The organization’s desired gain or acceptable loss in value

22
Q

Risk appetite

A
  • Often used interchangeably with risk tolerance (as this deck does); strictly, appetite is the amount of risk an organization is willing to take on and tolerance is the acceptable deviation from that level
  • Amount of uncertainty an organization is willing to pursue or accept in order to attain its risk management goals
23
Q

Risk appetite/risk tolerance affect

A
  • Amount of risk that will help the organization reach, or will interfere with, its strategic goals
  • Characteristic attitude toward risk
  • Resources, or risk capacity
  • Externally imposed requirements (ex: fire prevention programs)
  • Loss expectancy
24
Q

Single loss expectancy (SLE)

A
  • Expected monetary loss every time a risk occurs
  • Single loss expectancy = asset value * exposure factor
25
Q

Annualized loss expectancy (ALE)

A
  • Expected monetary loss for an asset due to a risk over a one-year period
  • Annualized loss expectancy = single loss expectancy * annualized rate of occurrence
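A worked calculation of SLE and ALE, followed by the cost/benefit check a practitioner runs before funding a control. This is an added example and not part of the original deck; the asset value, exposure factors, rate of occurrence, control cost and monetary risk appetite are all constructed, and the safeguard-value step (ALE before minus ALE after minus the control's yearly cost) is a common extension of the two formulas on the cards, not something the cards themselves state.

```python
"""Single and annualized loss expectancy, with a safeguard cost/benefit check.

Added example for the SLE/ALE flashcards; not from the original deck.
Every number below (asset value, exposure factors, ARO, costs) is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    asset_value: float      # value of the asset, in currency units
    exposure_factor: float  # fraction (0..1) of the asset value lost in one occurrence
    aro: float              # annualized rate of occurrence (0.25 = about once every 4 years)

    def sle(self) -> float:
        """Single loss expectancy = asset value * exposure factor."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy = SLE * annualized rate of occurrence."""
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")
        return self.sle() * self.aro


def within_appetite(exposure: Exposure, max_annual_loss: float) -> bool:
    """True if the expected annual loss stays inside a monetary risk appetite
    (the maximum annual loss the organization says it will accept)."""
    return exposure.ale() <= max_annual_loss


def annual_safeguard_value(before: Exposure, after: Exposure, annual_control_cost: float) -> float:
    """Net annual value of a control = ALE reduction minus the control's yearly cost.

    Assumption: this cost/benefit step is a common extension of the ALE formula and
    is not on the cards themselves. A positive result means the control pays for itself.
    """
    return before.ale() - after.ale() - annual_control_cost


# Constructed scenario: a customer database valued at 2,000,000.
# Without offline backups a ransomware event is estimated to destroy 60% of that
# value; such an event is expected about once every four years (ARO 0.25).
DB_NO_BACKUPS = Exposure(asset_value=2_000_000, exposure_factor=0.60, aro=0.25)
# With tested offline backups the loss per event drops to 10% (restore effort and
# downtime); the frequency of events is unchanged, only the damage per event.
DB_WITH_BACKUPS = Exposure(asset_value=2_000_000, exposure_factor=0.10, aro=0.25)
BACKUP_PROGRAM_COST = 120_000   # constructed yearly cost of the backup program
MAX_ANNUAL_LOSS = 100_000       # constructed monetary risk appetite for this asset


def summary() -> dict:
    """Collect the figures a risk register entry for this asset would carry."""
    return {
        "sle_before": DB_NO_BACKUPS.sle(),
        "ale_before": DB_NO_BACKUPS.ale(),
        "ale_after": DB_WITH_BACKUPS.ale(),
        "net_control_value": annual_safeguard_value(
            DB_NO_BACKUPS, DB_WITH_BACKUPS, BACKUP_PROGRAM_COST),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:>18}: {value:>12,.0f}")
    print("within appetite without backups:", within_appetite(DB_NO_BACKUPS, MAX_ANNUAL_LOSS))
    print("within appetite with backups:   ", within_appetite(DB_WITH_BACKUPS, MAX_ANNUAL_LOSS))
```

With these constructed inputs the backups cut ALE from 300,000 to 50,000; after their 120,000 yearly cost the control is still worth 130,000 a year, and it brings the asset back inside the 100,000 appetite. Note that the control here changes the exposure factor, not the ARO: backups do not make ransomware rarer, they make each event cheaper.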
26
Q

Misaligned risks

A
  • Moral hazard
  • Principal-agent problem
  • Conflict of interest
27
Q

Moral hazard

A
  • One party engages in risky behavior knowing that it is protected against the risk because another party will bear any resulting loss
  • Ex: insurance
28
Q

Principal-agent problem

A
  • Situation in which an agent (employee) makes decisions for a principal (employer), potentially on the basis of personal incentives that are not aligned with the principal's incentives
  • Ex: incentive schemes
29
Q

Risk control

A
  • An action taken to manage a risk
  • First step when evaluating a risk is to check whether controls are in place, and then whether they are effective
  • Ex: safety training, required signatures
30
Q

MECE

A
  • Mutually exclusive, collectively exhaustive
  • Identify all possible risks across all strategic and operational aspects of the business, without duplicate or overlapping entries
31
Q

Duty of care

A
  • Principle that organizations should take all reasonably possible steps to ensure the health, safety and well-being of employees and protect them from foreseeable injury
  • Applies throughout the entire employment lifespan
32
Q

Duty of care: how to understand the risks

A
  • Consult with experts and information sources
  • Focus groups and individual interviews
  • Surveys
  • Analyzing processes
  • Direct observation
33
Q

Hazard

A
  • Potential for harm
  • Often associated with a condition or activity that, if left uncontrolled, can result in injury or illness
34
Q

Risk level formula

A

Risk level = probability of occurrence * magnitude of impact

35
Q

Risk scorecard

A
  • Tool used to gather individual assessments of various characteristics of a risk, weighting each more heavily by its strategic importance
  • Ex of characteristics of risk: frequency, degree of impact, loss or gain to the organization
36
Q

Risk matrix

A
  • Simple grid where the horizontal axis is probability and the vertical axis is severity of impact
  • Does not reflect how well prepared the organization is against the threat
37
Q

PAPA model includes

A
  • Prepare
  • Act
  • Park
  • Adapt
38
Q

PAPA Prepare

A
  • Low likelihood and fast speed of change
  • Contingency plans must be in place and early indicators defined
39
Q

PAPA Act

A
  • High likelihood and fast speed of change
  • Threats and opportunities require an immediate response, before the threat occurs or significant damage is done
40
Q

PAPA Park

A
  • Low likelihood and slow speed of change
  • Monitor for changes, but do not invest in mitigation or contingencies yet
41
Q

PAPA Adapt

A
  • High likelihood and slow speed of change
  • May affect the organization significantly
  • Ex: hiring employees with disabilities; the office should be updated accordingly, but not necessarily immediately
42
Q

Key risk indicators (KRIs)

A
  • Metrics that provide an early signal of increasing risk exposure for an enterprise
  • Changes in a KRI alter how risks are prioritized or what management action is taken
  • Need to be strategically aligned
43
Q

Risk register

A
  • Lists the information and responsibilities for managing specific risks
  • Increases transparency and accountability in the risk management process
  • Can be developed incrementally as part of the risk management process
44
Q

Risk management tactics include

A
  • Upside tactics (for opportunities)
  • Downside tactics (for threats)
45
Q

Upside risk management tactics

A
  • Optimize
  • Share
  • Enhance
  • Ignore
46
Q

Downside risk management tactics

A
  • Avoid
  • Transfer
  • Mitigate
  • Accept
47
Q

Avoidance risk treatment

A

Decision not to become involved in, or action to withdraw from, a risk situation

48
Q

Retention risk treatment

A

Acceptance of the burden of loss, or the benefit of gain, from a risk

49
Q

Residual risk

A

Amount of uncertainty that remains after all risk management efforts have been applied

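An added example, not from the original deck, that ties together the risk level formula (card 34), the risk matrix (card 36), risk controls (card 29) and residual risk (card 49): each risk is scored as probability * impact and placed in a matrix bucket, then re-scored after the controls already in place are credited, which supplies the preparedness the matrix alone does not show. The 1 to 5 rating scales, the bucket thresholds, the multiplicative control model and the sample register entries are all assumptions made for the example.

```python
"""Qualitative risk scoring: risk level = probability * impact, matrix bucket,
and residual risk after controls are credited.

Added example for the risk level, risk matrix, risk control and residual risk
flashcards; not from the original deck. Scales, thresholds, the control model
and the sample risks are constructed assumptions.
"""
from dataclasses import dataclass, field

# Constructed 5x5 scales: probability and impact are each rated 1 (lowest) to 5 (highest).
SCALE_MIN, SCALE_MAX = 1, 5


def risk_level(probability: int, impact: int) -> int:
    """Risk level = probability of occurrence * magnitude of impact (card 34)."""
    for value in (probability, impact):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"rating {value} outside {SCALE_MIN}..{SCALE_MAX}")
    return probability * impact


def matrix_bucket(level: int) -> str:
    """Map a risk level to a cell colour of the 5x5 matrix (constructed thresholds)."""
    if level >= 15:
        return "high"
    if level >= 6:
        return "medium"
    return "low"


@dataclass
class Risk:
    name: str
    probability: int
    impact: int
    # Controls already in place, each with an estimated effectiveness 0..1 against impact
    # (card 29: first check that controls exist, then whether they are effective).
    control_effectiveness: list = field(default_factory=list)

    def inherent_level(self) -> int:
        """Score before any control is credited; this is what a bare matrix shows."""
        return risk_level(self.probability, self.impact)

    def residual_impact(self) -> int:
        """Impact that remains after each control's effectiveness is applied.

        Assumption: controls reduce impact multiplicatively and never below SCALE_MIN.
        """
        remaining = float(self.impact)
        for eff in self.control_effectiveness:
            if not 0.0 <= eff <= 1.0:
                raise ValueError("control effectiveness must be between 0 and 1")
            remaining *= 1.0 - eff
        return max(SCALE_MIN, round(remaining))

    def residual_level(self) -> int:
        """Residual risk (card 49): the level left after controls are credited."""
        return risk_level(self.probability, self.residual_impact())


def prioritise(risks: list) -> list:
    """Return (name, inherent level, inherent bucket, residual level, residual bucket)
    sorted by residual level, highest first: the order a risk register would use."""
    rows = [(r.name, r.inherent_level(), matrix_bucket(r.inherent_level()),
             r.residual_level(), matrix_bucket(r.residual_level())) for r in risks]
    return sorted(rows, key=lambda row: row[3], reverse=True)


# Constructed sample register entries.
SAMPLE_RISKS = [
    Risk("Phishing leads to credential theft", probability=5, impact=4,
         control_effectiveness=[0.5, 0.2]),   # MFA, then awareness training
    Risk("Data centre flood", probability=1, impact=5, control_effectiveness=[]),
    Risk("Key vendor insolvency", probability=2, impact=4, control_effectiveness=[0.25]),
]


if __name__ == "__main__":
    for name, inh, inh_bucket, res, res_bucket in prioritise(SAMPLE_RISKS):
        print(f"{name:<36} inherent {inh:>2} ({inh_bucket:<6}) residual {res:>2} ({res_bucket})")
```

The phishing entry lands in the "high" cell of the matrix at 20 but drops to a residual 10 ("medium") once MFA and training are credited, while the flood stays where it was because nothing controls it. That gap between the two columns is what card 36 warns the matrix cannot show on its own, and it is the number a register should carry next to the inherent score.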
50
Q

Risk management objectives should

A
  • Be strategically focused
  • Combine activities and results
  • Combine lagging and leading metrics
  • Modify risks related to noncompliance
  • Instill risk management principles in the organization's members and processes
51
Q

Lagging metrics

A

Look backward at what has been accomplished

52
Q

Leading metrics

A

Measure performance that will affect results in the future

53
Q

Emergency preparedness and business continuity require:

A
  • Contingency plan
  • Response capability that secures employee health and safety and keeps the organization productive
54
Q

Contingency plan and its goals

A
  • Protocol that an organization implements when an identified risk event occurs
  • Includes time frames
  • Supported with training and opportunities for practice
  • Developed with specific goals in mind: immediate security for employees, company assets and stakeholders; compliance with local laws and regulations; documenting and reporting as required
55
Q

HR involvement in contingency plans

A
  • Policies: define and communicate policies to avoid or mitigate risk
  • Evacuation and relocation
  • Maintaining rosters
  • Communication
  • Training
  • Continuity
56
Q

Crisis Management and Readiness Process (No Crisis)

A
  1. Identify and manage risks
  2. Develop crisis management plan
  3. Train, test, drill
  4. Learn
  5. Evaluate and revise plans as needed
The cycle then returns to step 1
57
Q

Crisis Management and Readiness Process (Crisis)

A
  1. Identify and manage risks
  2. Develop crisis management plan
  3. Crisis
  4. Activate plans
  5. Recover, learn, improve
  6. Evaluate and revise plans as needed
The cycle then returns to step 1
58
Q

Workplace violence protection

A
  • Policy outlining the organization's stance toward workplace violence and the response procedures that keep a situation from escalating
  • Create a response team
  • Conduct drills (including active shooter drills)
59
Q

IT threat prevention

A
  • Create policies and procedures to prevent and respond to threats
  • Have rules regarding technology use
  • Include them in the employee handbook
  • Require IT security training
60
Q

Communicating a disease risk in the workplace includes

A
  • Notification and verification of the disease risk
  • Understanding the disease and available resources
  • Identify the scope of the risk
  • Determine the employer's risk
  • Handle internal and HR compliance matters
61
Q

Goals of evaluation in risk management

A
  • Increase transparency and accountability by measuring and reporting risk management results
  • Ensure compliance with requirements
  • Assess the effectiveness of individual risk management strategies
  • Assess the effectiveness of the organization's risk management framework (values, policies, processes and culture)
  • Continually improve by investigating incidents and identifying opportunities to improve strategies and the framework
62
Q

Frequency of evaluating risk management

A
  • After every major incident
  • At agreed intervals (ex: annually)
63
Q

After-action debriefs

A
  • Meetings to examine the effectiveness of a risk response strategy
  • Ex: workplace evacuations, in-place lockdowns for security reasons, a workplace injury or act of violence, or temporary relocation of operations
64
Q

Incident investigations

A
  • Meetings that are narrower in scope than after-action debriefs but follow a similar approach
  • Ex: an angry dispute that becomes physical and needs intervention, a workplace injury
65
Q

Documentation of incidents

A
  • Incidents must be well documented and reported to external parties where required
  • Often legally required
66
Q

Whistleblowing

A
  • Reporting by employees of an organization's violations of policies and processes
  • Some countries protect whistleblowers from retaliation
67
Q

Quality Assurance (QA)

A

Actions an organization takes to be sure it is performing work according to the standards it has set and is using specified processes correctly and completely