RM FINALS 4- 5 Flashcards by MARIAN CHELSEA COLLADO

The overall process of risk identification, risk analysis and risk evaluation.

Risk Assessment

How well did you know this?

Not at all

Perfectly

It should be conducted ______, ____, and _____, drawing on the knowledge and views of stakeholders, and should use the best available information.

systematically

iteratively

collaboratively

How well did you know this?

Not at all

Perfectly

The purpose of risk assessment is to identify the _____ that could impact the corporate objectives, stakeholder expectations, core processes and key dependencies.

significant risks

How well did you know this?

Not at all

Perfectly

The purpose of ______ is to find, recognize and describe risks that might help or prevent an organization in achieving its objectives.

risk identification

Relevant, appropriate and up-to-date information is important in identifying risks.

The organization should identify risks, whether or not their sources are under its control

How well did you know this?

Not at all

Perfectly

Give 11 Factors to Consider in Risk Identification

Tangible and intangible sources of risks

Causes and events

Threats and opportunities

Vulnerabilities and capabilities

Changes in the external and internal context

Indicators of emerging risks

The nature and value of assets and resources

Consequences and their impact on objectives

Limitations of knowledge and reliability of information

Time-related factors Biases

How well did you know this?

Not at all

Perfectly

The purpose of ______ is to comprehend the nature of risk and its characteristics including, the level of risk.

risk analysis

Note:
■ Analysis techniques can be qualitative, quantitative or a combination of these, depending on the circumstances and intended use.

How well did you know this?

Not at all

Perfectly

_______ involves a detailed consideration of uncertainties, risk sources, consequences, likelihood, events, scenarios, controls and their effectiveness and can be undertaken with varying degrees of detail and complexity, depending on the purpose of the analysis, the availability and reliability of information, and the resources available.

Risk analysis

How well did you know this?

Not at all

Perfectly

■ Risk analysis provides an input to ______ , to decisions on whether risk needs to be treated and how, and on the most appropriate risk treatment strategy and methods

risk evaluation

How well did you know this?

Not at all

Perfectly

Factors to consider in Risk Analysis

■ The likelihood of events and consequences
■ The nature and magnitude of consequences
■ Complexity and connectivity
■ Time-related factors and volatility
■ The effectiveness of existing controls
■ Sensitivity and confidence levels

How well did you know this?

Not at all

Perfectly

The purpose of _______ is to support decisions.
It involves comparing the results of the risk analysis with the established risk criteria to determine where additional action is required.

risk evaluation

How well did you know this?

Not at all

Perfectly

Decisions after Risk Evaluation

– Do nothing Further
– Consider Risk Treatment options
– UNdertake further analysis to better understand the risk
– Maintain existing controls
– Reconsider objectives

How well did you know this?

Not at all

Perfectly

______ recommend the assessment of inherent risk, while _____ states that risk assessment should be undertaken at inherent and at residual level.

– Internal auditors
– ISO31000

Note:
The benefit of undertaking assessment of inherent risk is that the difference between the current (residual) level and the inherent level can be identified.

How well did you know this?

Not at all

Perfectly

______ is only useful if the conclusions of the assessment are used to inform decisions and/or to identify the appropriate risk responses for the type of risk under consideration.

Risk assessment

How well did you know this?

Not at all

Perfectly

One of the approaches to Risk Assessment

■ When risk assessment is being undertaken by the Board of Directors, the Chief Executive Officer (CEO) and the other top-level management of an organization.

Top-down Risk Assessment

How well did you know this?

Not at all

Perfectly

One of the approaches to Risk Assessment

When risk assessments are undertaken by involving individual members of staff and local department management.

Bottom up Risk Assessment

How well did you know this?

Not at all

Perfectly

Read only:
Bottom Up Risk Assessment advantage and Disadvantage

Adv
– Buy in at all levels
– Ops awareness of local risks
– Varied Methodology

Dis Adv
– No focus on External or strat risks
–Time Consuming
– Too Detailed

How well did you know this?

Not at all

Perfectly

Top Down Risk Assessment advantage and Disadvantage

Adv:

– Enterprise wide Approach
– Significant risks quickly identified
– “Buy-in” from top

Dis Adv:
– Too much Focus on External Risks
– No focus on Internal ops
– Too Superficial

How well did you know this?

Not at all

Perfectly

risk Assessment Techniques

_________
■ The use of structured questionnaires and checklists to collect information that will assist with the recognition of the significant risks.
________
■ Collection and sharing of ideas at workshops to discuss the events that could impact the objectives, core processes or key dependencies.
_______
* Physical inspections of premises and activities and audits of compliance with established systems and procedures.
_____________
■ Analysis of the processes and operations within the organization to identify critical components that are key to success

1– Questionnaires and Checklists
2– Workshops and Brainstorming
3– Inspections and Audits
4– Flowcharts and Dependency Analysis

How well did you know this?

Not at all

Perfectly

Risk Assessment Techniques

____________

■ An analysis of the strengths, weaknesses, opportunities, and threats faced by the organization.

■ It has the benefit that it also considers the upside of risk by evaluating opportunities in the external environment.

One of its strengths is that it can be linked to STRATEGIC decisions.

SWOT ANALYSIS

How well did you know this?

Not at all

Perfectly

Risk Assessment Techniques

_____________
* Considers the political, economic, social, technological, legal and ethical (or environmental) risks faced by the organization.

■ IT IS is a well-established structure with proven results for undertaking brainstorming sessions during risk assessment workshops.

PESTLE Analysis

How well did you know this?

Not at all

Perfectly

Risk Assessment Techniques

_________
* A structured approach that ensures that NO RISKS s are omitted. IT studies are often undertaken of hazardous chemical installations and complex transport structures, such as railways and nuclear power stations.
■ It can also be applied to the analysis of the safety of products.
■ It is a very analytical and time consuming.

HAZOP (hazard and Operability

How well did you know this?

Not at all

Perfectly

Risk Assessment Techniques

__________

■ it is a process that is being used by reliability engineers to understand potential industrial hazards and PREVENT ACCIDENTS.

■in risk management, it is used to evaluate the severe consequences of failure, how likely it is for the failure to occur and the chance of detecting the failure before it happens.

FMEA (Failures Modes and Effect Analysis

NOTE:
■ A very analytical and time-consuming approach

Problems and defects are expensive. Customers understandably place high expectations on manufacturers and service providers to deliver quality and reliability.

■ Often, faults in products and services are detected through extensive testing and predictive modeling in the later stages of development. However, finding a problem at this point in the cycle can add significant cost and delays to schedules. The challenge is to design in quality and reliability at the beginning of the process and ensure that defects never arise in the first place.

How well did you know this?

Not at all

Perfectly

Risk Assessment Techniques

__________

■ The first stage is to put the risk description into the middle box.
■ The causes of the risk then need to be recorded along with the preventive controls to stop the risk occurring and these are placed on the left side of the tie.
■ The impact of the risk and the identified response controls to lessen the impact of the risk are then placed on the right side of the tie.

bow tie analysis

Source - Preventive controls

Impact - Response Contols

How well did you know this?

Not at all

Perfectly

______ is a qualitative and systematic tool, usually created within a spreadsheet, to help practitioners anticipate what might go wrong with a product or process.

■ In addition to identifying how a product or process might fail and the effects of that failure, It also helps find the possible causes of failures and the likelihood of failures being detected before occurrence.

It is one of the best ways of analyzing potential reliability problems early in the development cycle, making it easier for manufacturers to take quick action and mitigate failure. The ability to anticipate issues early allows practitioners to design out failures and design in reliable, safe and customer-pleasing features.

■FMEA

How well did you know this?

Not at all

Perfectly

* When completing FMEA, it's important to remember Murphy's Law: "_______." Participants need to identify all the components, systems, processes and functions that could potentially fail to meet the required level of quality or reliability. The team should not only be able to describe the effects of the failure, but also the possible causes.

Anything that can go wrong, will go wrong

THREE Criteria of FMEA

-- Severity -- Occurence -- Detection

■ To determine the significance of a risk, a test should be conducted using a "_____"

benchmark test

Example of Benchmark test for risk significance

FIRM RISK SCORECARD Financial Infrastructure Reputational Marketplace

The most commonly use risk matrix is the ____, one that demonstrates the relationship between the likelihood of the risk materializing and the impact of the event should the risk materialize.

likelihood/impact matrix

Example of Benchmark test for risk significance

FIRM RISK SCORECARD Financial Infrastructure Reputational Marketplace

Identify each Likelihood _____ Can reasonably be expected to occur, but has only occurred 2 or 3 times over 10 years in the organization or similar organizations. _____ Has occurred in the organization more than 3 times in the past 10 years or occurs regularly in similar organizations, or is considered to have a reasonable likelihood of occurring in the next few years. _____ Occurred more than 7 times over 10 years in the organization or in other similar organizations, or circumstances are such that it is likely to happen in the next few years. _____ Has occurred 9 or 10 times in the past 10 years in this organization, or circumstances have arisen that will almost certainly cause it to happen.

Unlikely Possible Likely Almost Certain

Likelihood analysis and probability estimation Source: ISO IEC 31010 Risk Assessment Techniques a) The use of _____ to identify events or situations which have occurred in the past and hence be able to extrapolate the probability of their occurrence in the future. b) ____ using predictive techniques. c) ____ can be used in a systematic and structured process to estimate probability.

a.) relevant historical data b.) Probability forecasts c.) Expert opinion

Identify each Magnitude _____ Serious impact on health; serious loss of reputation that will influence trust and respect for a long time; violation of law that results; large economic loss that cannot be restored. _____ No impact on patient health; minor reduction of reputation in the short run; no violation of law; negligible economic loss which can be restored. _____ Death or permanent reduction of health of patient; serious loss of reputation that is devasting for trust; serious violation of law; considerable economic loss that cannot be restored. _____ Minor temporary impact on patient health; small reduction of reputation that may influence trust for a short time; violation of law that results in a warning; small economic loss that can be restored.

Severe Small Catastrophic Moderate

* ______determines the nature and type of impact which could occur assuming that a particular event situation or circumstance has occurred. * An event may have a range of impacts of different magnitudes and affect a range of different objectives and different stakeholders.

Consequence analysis NOte: * Consequence analysis can involve: a. taking into consideration existing controls to treat the consequences, together with all relevant contributory factors that have an effect on the consequences; b. relating the consequences of the risk to the original objectives; c. considering both immediate consequences and those that may arise after a certain time has elapsed, if this is consistent with the scope of the assessment; d. considering secondary consequences, such as those impacting upon associated systems, activities, equipment or org

4Ts of Hazard Management ____ the risk to another party ____ the risk and its likely impact ____ the risk to reduce the likely impact or exposure ____ the activity generating the risk

Transfer Tolerate Treat Terminate

* _____ is the amount of risk that remains after controls are accounted for.

Residual or current level risk

___ represents the amount of risk that exists in the absence of controls.

Inherent risk

* ____ is the level of risk that is of interest to risk managers

Target level of risk

■ ______ reflects the AMOUNT and TYPE of risks that an organization is willing to PURSUE or retain or the more immediate need to take risk in order to achieve objectives.

Risk appetite NOTE IMMEDIATE

______ represents the long-term APPROACH of the organization to risks

Risk attitude NOTE LONGTERM

RISK APPETITE MATRIX ____ includes all of the risks that have already been identified, plus any emerging risks that are starting to appear

UNIVERSE OF RISK

RISK APPETTITE MATRIX _____is the level of risk that the organization feels comfortable taking and embedding into core processes because, regardless of the likelihood of the risk materializing, the impact is so small that it would not be significant if it did materialize or there will be a likelihood of a risk materializing that is considered so remote that it is assumed that it will not occur, even though it would be very serious if it did

COMFORT ZONE

____ includes all of the risks that have high likelihood/high-impact and will be intolerable for the organization.

CRITICAL ZONE

_____ include all the risks with medium-likelihood/medium impact that will require some judgement before acceptance.

Concerned zone and cautious zone NOTE: RISK AVERSE = more Concerned zone Risk Aggressive = Less concerned zone and more comfort zone

Identify Classification headings coso

Strategic Operations Reporting Compliance SORC

Identify Classification headings IRM

FINANCIAL OPERATIONAL STRATEGIC HAZARD FSOH - FOSH

Identify Classification headings BS 31100

FINANCIAL OPERATIONAL STRATEGIC PROGRAMME PROJECT SPPFO - FOSPP

Identify Classification headings FIRM RISK SCORECARD

FINANCIAL INFRASTRUCTURE REPUTATIONAL MARKETPLACE FIRM

Identify Classification headings PESTLE

POLITICAL ECONOMIC SOCIOLOGICAL TECHNOLOGICAL ENVIRONMENTAL

read only Simplified business model 1. Strategy 2. Operations 3. Tactics 4. Events 5. Results of Operations

British Standard states that the number and type of risk categories employed should be selected to suit the ___, ____, ____, ___ and context of the organization.

Size purpose nature complexity

The purpose of ___ - Enable the organization to identify where similar risks exist within the organization. * Enable the organization to identify who should be responsible for setting a strategy for the management of related or similar risks. * Enable the organization to better identify the risk appetite, risk capacity, and total risk exposure in relation to each risk, group of similar risks, or generic type of risk.

Risk Classification Systems

________ * Offers a classification system for the risks to the key dependencies in the organization. ■ It also reflects the idea that every organization should be concerned about its finances, infrastructure, reputation and marketplace success.

Firm Scorecard

* ______ is the measure of how much risk the organization SHOULD TAKE or can afford to take and this is compatible with the organization's attitude to risks.

Risk capacity * Risk capacity of an organization will depend on: ■ organization's financial strength ■ robustness of its infrastructure ■ strength of its reputation ■ the brands and the competitive nature of the marketplace in which it operates

■ In simple terms, risk appetite should be within the _______ of the organization and greater than or equal to the ______ that the organization faces.

risk capacity actual risk exposure

___ is the actual risk the organization is taking and this may not be the same as the risk appetite of the organization.

* Risk exposure

MAJOR CATEGORIES OF RISKS

MARKET R CREDIT R LIQUIDITY R OPERATIONAL R LEGAL AND REGULATORY R BUSINESS R STRATEGIC R REPUTATION R MC LOL BSR

8 MAJOR CATEGORIES OF RISKS ___ risk that changes in financial market prices and rates that will reduce the value of a security or a portfolio

MAKET RISKS

UNDER MARKET RISKS _____ -risk that the value of a fixed-income security will fall as a result of an increase in market interest rates. _____ -RIsk associated with volatility in stock prices * _____arises from open or imperfectly hedged positions in particular foreign currency denominated assets and liabilities leading to fluctuations in profits or values as measured in a local currency. _____ - risk associated with commodity prices volatility

* Interest rate risk * Equity price risk - Foreign exchange risk- * Commodity price risk

8 MAJOR CATEGORIES OF RISKS ____ risk of an economic loss from the failure of a counterparty to fulfill its contractual obligations, or from the increased risk of default during the term of the transaction

CREDIT RISK

UNDER CREDIT RISK ____ -corresponds to the debtor's incapacity or refusal to meet his/her debt obligations, whether interest or principel payments on the loan contracted, by more than a reasonable relief period from the due date.. _____ risk of taking over the collaterized, or escrowed, assets of a defaulted borrower or counterparty ______ -risk that the perceived creditworthiness of the borrower or counterparty might deteriorate. _____ -risk due to the exchange of cash flows when a transaction is settled. This risk is greatest when payments occur in different time zones, especially for foreign exchange transactions, such as currency swaps, where notional amounts are exchanged in different currencies

Default risk Bankruptcy risk * Downgrade risk Settlement risk

LIQUIDITY RISK COMPRISES OF

FUNDING LIQUIDITY RISK TRADING LIQUIDITY RISK

UNDER LIQUIDITY RISK _____ risk relates to a firm's ability to raise the necessary cash to roll over its debt, to meet the cash, margin, and collateral requirements of counterparties, and to satisfy capital withdrawals. ____ often simply called liquidity risk, is the risk that an institution will not be able to execute a transaction at the prevailing market price because there is, temporarily, no appetite for the deal on the other side of the market

FUNDING LIQUIDITY RISK TRADING LIQUIDITY RISK

8 MAJOR CATEGORIES OF RISKS ____ refers to potential losses resulting from a range of operational weaknesses including inadequate systems, management failure, faulty controls, fraud, and human errors, in the banking industry, operational risk is also often taken to include the risk of natural and man-made catastrophes (e.g.. earthquakes, terrorism) and other nonfinancial risks

OPERATIONAL RISKS

OPERATIONAL RISKS COMPRISES OF

HUMAN FACTORS RISK TECHNOLOGY RISKS FRAUD RISKS

8 MAJOR CATEGORIES OF RISKS ___ are risks related to legal or governmental actions that can have a material impact on the achievement of business objectives.

LEGAL AND REGULATORY RISK

8 MAJOR CATEGORIES OF RISKS ___ refers to the classic risks of the world of business, such as uncertainty about the demand for products, or the price that can be charged for those products, or the cost of producing and delivering products.

BUSINESS RISK

8 MAJOR CATEGORIES OF RISKS ___ refers to the risk of significant investments for which there is a high uncertainty about success and profitability. It can also be related to a change in the strategy of a company vis-à-vis its competitors.

STRATEGIC RISK

8 MAJOR CATEGORIES OF RISKS _____ the potential loss to financial capital, social capital and/or market share resulting from damage to a firm's reputation. It can be divided into two main classes: the belief that an enterprise can and will fulfill its promises to counterparties and creditors, and the belief that the enterprise is a fair dealer and follows ethical practices.

REPUTATIONAL RISK

8 MAJOR CATEGORIES OF RISKS __-concems the potential for the failure of one institution to create a chain reaction or domino effect on other institutions and consequently threaten the stability of financial markets and even the global economy

SYSTEMIC RISK

____ * Are being applied to lessen the likelihood of the risk occurring and minimize the impact of the risk to the organization

LOSS CONTROL

ELEMENTS OF LOSS CONTROL ___ is about reducing the likelihood of an adverse event occurring, although it will also be concerned with reducing the magnitude of an event that does occur

LOSS PREVENTION NOTE LIKELIHOOD

ELEMENTS OF LOSS CONTROL ____ is concerned with reducing the magnitude of the event when it does materialize

DAMAGE LIMITATION NOTE MAGNITUDE

ELEMENTS OF LOSS CONTROL * is concerned with reducing the impact and consequences of the event. It will be concerned with ensuring the lowest cost of repairs, as well as business continuity plans to ensure that the organization can continue operations following damage to the asset that has been affected

COST CONTAINMENT NOTE CONSEQUENCE AND IMPACT

3 SEGRAGATION OF DUTIES

SAFEKEEPING AUTHORIZATION RECORD KEEPING

____ * The reward for taking the risk in the first place. ■ It is simply achieving what the organization set out to achieve, by taking the risks that were embedded in the strategy, tactics and/or operations that were involved. ■ when an organization realizes that solving a particular risk-based problem has brought a benefit, rather than a cost.

UPSIDE OF RISK

* The benefits of good risk management within projects are that the project is more likely to be delivered on time, to budget and at the required quality. * Risk management activities will assist the delivery of the project and, at the same time, help manage a situation when an outcome is different from what was expected as the project progresses.

UPSIDE OF PROJECTS

* Strategic issues are vitally important, and failure to implement strategy or the selection of an inappropriate strategy can be amongst the most devastating risks to hit an organization. * The upside of risk in strategy is that risk management efforts help with the design of an effective and efficient strategy

UPSIDE OF STRATEGY

* Risk management evaluation of operations can enable the organization to deliver the most effective and efficient activities, operations and processes. - By delivering the most effective and efficient operations, an organization can achieve advantages over a competitor and undertake work for a lower cost and still make a profit.

UPSIDE OF OPERATIONS

ISO 31000 considers that _____ is the main heading under which various options exist, such as: Avoiding the risk by deciding not to start or continue with the activity, Taking or increasing the risk in order to pursue an opportunity, Removing the risk source; Changing the likelihood or the consequences; Sharing the risk with another party or parties, Retaining the risk by informed decision.

TREAT RISK NOTE: RISK RESPONSES AVOIDING TAKING REMOVING CHANGING SHARING RETAINING

_________defines RISK TREATMENT Process of Developing, Selecting, and Implementing Controls Note: Controls

BS 31100

_________defines RISK TREATMENT as development and implementation of measures to modify risk NOTE: risk

ISO 3100

4 Ts of Hazard Risks

Tolerate Treat Transfer Terminate

4 Ts of Hazard Risks The exposure may be _____ without any further action being taken. Even if it is not, the ability to do anything about some risks may be limited, or the cost of taking any action may be disproportionate to the potential benefit gained.

tolerable

4 Ts of Hazard Risks For some risks the best response may be to ______ them. This might be done by conventional insurance, or it might be done by paying a third party to take the risk in another way. This option is particularly good for mitigating financial risks or risks to assets.

transfer

4 Ts of Hazard Risks By far the greater number of risks are addressed this way. The purpose of ______ whilst continuing within the organization with the activity giving rise to the risk, action (control) is taken to constrain the risk to an acceptable level.

TREAT

4 Ts of Hazard Risks to reduce likelihood

Treat

risk tolerance defined by ______ as the orgs readiness to BEAR the risk after risk treatment in order to achieve its objective

guide 75

______ can be influ by legal or regul reqs

risk toler

t o f tolr risk is norm concerned with org being willing to retain or tolr a risk, even if its higher than the org would choose to accept

____ is a RM strat to offset losses in investments by taking an ______ position in a related asset. the reduction in risk provided by it also typically results in a ______ in potential profits

Hedging OPposite reduction

_____ often be undertaken with the risk at the inherent and/or current level, so that when the risk has been treated, the new current level or target level may become tolerable.

Risk treatment

Insurance is estb. mech for _______ the financial impact of losses arising from hazard risks and to control risks

transferring

2 were considered to be risk transfer and treatment options

R. hedging and Neutralization

the cost of risk transfer is a component of ____

risk financing

___ of risk is done by stopping the process or activity

elim

_____ involves cost of contingent arrangements for the provision of funds to meet the financial impat of risk materializing.

risk financing

___ overall approach to the mgmt of CONTROL and OPPT. risks is similar to the approach adopted for the management of hazard risks

Project and Strategic Risk Response

4 RISK CONTROL TECHNIQUES limit the possibility

preventive strongest contro

4 RISK CONTROL TECHNIQUES ARE

DIRECT DETECT CORRECT PREVENT ...IVE

4 RISK CONTROL TECHNIQUES limit the scope for loss and reduce any bad outcomes

corrective

4 RISK CONTROL TECHNIQUES outcome is achieve

directive

4 RISK CONTROL TECHNIQUES identify occasiosn of bad outcomes

detective weakest control

the pooling of fortuitous losses by transfer of such risks to unsurers who agree to indemnify insureds for such losses, to provide other pecuniary benefit on their occurnce m or to render services connected with the risk

insurance

the 6C's of Insurance Buying are

Cost Coverage Capacities Capabilities Claim Compliance

the 6C's of Insurance Buying defined by the insurance prem that is REQ from the org and the level of self insurance that is imposed by the policy

cost

the 6C's of Insurance Buying amount of risk covered for an indiv or entity by way of insurance servis

coverage

the 6C's of Insurance Buying largest amount of insura or reinsurance available from company in gen. determ by financ strength and refer to adtl amount of business that a company or total market could write on excess captial that is surplus capacity

capacity

the 6C's of Insurance Buying used in ref to insurance. may be a demand by indiv to recover under policy

claim

the 6C's of Insurance Buying other services offered in addition to insurance

capabilities

the 6C's of Insurance Buying ___ of insura policy to the laws of the country pertaining to insurance such as taxes

compliance

______ how orgs prepares for future incidents that could jeopardize its existence

BCP Business continuity planning

BS31100:2011 defines ____ as a holistic mgmt process that identifies potential threats to an org and the impacts to business ops that those threats might cause and which provides a framework for building org resilience .... Safeguard interests of its key _____, ___ , ___, _____

BCP stakeholders, reput, brand, value creating actvities

6 successful bcp principles

CCPEMP comprehensive cost-effective practical effective maintained practised

_______ a particular component of BCP and involves a set of policies tools and procedures to RECOVER

DRP DISAST RECOV PLAN

BCP MAJOR COMPONENTS

--- Activate crisis mgmt plant --- seek to recover from the event through DRP --- issue of BCP

5 steps to BC standards BS 25999 pt1 Code of Practice

--- Und. busin Context -- BCM sttrategies --- develop a response --- est. cont. culture --- apply and plan maintenance

______ helps put business contuinutiy plans in place to protect them

ISO 22301

RM FINALS 4- 5 Flashcards

(118 cards)