Unit 3

Question 1

3 components of context

Answer 1

International context
Risk management context
External context

Question 2

Internal context

Answer 2

Organisations structure, risk management philosophy, culture, attitudes, strategies, policies, processes and people’s values

Question 3

External context

Answer 3

Anything outside the control of the organisation.

External stakeholder expectations, industry regulators, competitor behaviour, economic environment, PESTLE trends

Question 4

Risk management contezt

Answer 4

Otherwise known as the RM framework (RASP)

Question 5

4 TECHNIQUES to assess the external and internal context

Answer 5

Stakeholder mapping
Horizon scanning
PESTLE
Extended enterprise

Question 6

Extended enterprise definition

4 elements used to understand the EE

Answer 6

The structure where a number of organisations come together in a joint endeavour to achieve outcomes that none of them could have achieved on their own.

1) Core activities of the team, function, Organization you are looking at (what is it that you do?)
2) Key inputs to those core activities
3) Key outputs from the activities
4) The external influences that can affect any of the above

Question 7

PESTLE

Answer 7

Tool used to understand the external context or categorise risks into political, economic, social, technological, legal and enviornmental

Question 8

Stakeholder definition

Answer 8

People and or organisations with whom they have some form of relationships, contractor influence

Question 9

Stakeholder mapping

Answer 9

Tool used to identify and categorise stakeholders.

Stakeholders put on a matrix depending on their attitude and influence they have on achieving the orgs. Objectives (materiality of the stakeholders)

Question 10

Horizon scanning

Answer 10

Horizon Scanning is a systematic examination of information to identify potential threats, risks, emerging issues, and opportunities allowing for better preparedness and to support decision making.

Question 11

Objectives should be SMART

Answer 11

Specific - what do you want to accomplish exactly
Measurable - define the metrics so you can see if you met your goal at the end
Achievable - do you have the skills needed?
Relevant - do the objectives align to the strategy of the firm?
Time bound - have a specific target date for delivery

Question 12

Definition of strategy

Answer 12

A strategy sets out how an organisation is to be successful, which is broken down into objectives across the organisation

Question 13

Three levels of objectives

Answer 13

1) Organsiation-wide strategic objectives
2) Tactical objectives at level of departments, divisions etc. These normally focus on the implementation of strategy
3) Operational objectives of teams and individuals

Question 14

what should risk criteria do?

Answer 14

Risk criteria should be developed to evaluate the significance of risk and to support decision making

It should consider the nature and type of uncertainties (i.e., what the categories of risk are), as well as how consequences and likelihood
are defined

Question 15

Definition of risk criteria

Answer 15

Measures of how much risks matter to an organsiation.

Question 16

What can risks attract to ?

Answer 16

Core processes
Objectives / stakeholder expectation
Key dependencies

Question 17

Definition of key dependencies

Answer 17

Key things that the org. Needs to be successful; internal or external. They support the core processes of the org

Question 18

Core processes

Answer 18

Fundamental to an organisation’s success because they are the means of delivering strategy and continuity of operations

Question 19

Stakeholders

Answer 19

Group or groups of individuals who have a stake in the business or are affect by what the org does.

Question 20

Elephant risks

Answer 20

We know the risks are there but ignore them / don’t recognise them / assume someone else is dealing with them. Therefore, they are unacknowledged and thus unmanaged risks

Question 21

Black swan risks

Answer 21

Also known as surprise risks. We don’t know, what we don’t know. Therefore, they are risks we can’t manage

Question 22

H&T 5 Techniques for risk assessment

Answer 22

1) Checklists and questionnaires
2) Workshops and brainstorming
3) Inspections and audits
4) Flowchart and dependency analysis
5) Crow sourcing techniques

Question 23

Definition of emerging risks

Answer 23

Risks that you know little about when they are recognised

Question 24

Techniques for identifying emerging risks

Answer 24

Horizon scanning, constant monitoring of the external environment

Question 25

Short term risks
Medium term risks
Long term risks

Answer 25

Risks with an immediate impact
Risks whose impact becomes apparent between a few months
Impacting between one and five years after the event

Question 26

FIRM risk classification technique

Answer 26

Used to both classify risks (identification) and impacts

F - financial (derived internally)
I - infrastructure (derived internally)
R - Reputational (derived externally)
M - marketplace (derived externally)

Question 27

What is risk analysis?

Answer 27

It helps to determine the size and nature of risks. It does so by analysis the likelihood of the risk materialising together with the impact on the organisation. It provides an input to how a risk is to be treated

Question 28

iso 31000 definition of risk analysis

Answer 28

The purpose of risk analysis is to comprehend the nature of risk and its characteristics, including, where appropriate, the level of risk.

Question 29

The Orange Book and Coso (2017) on risk analysis

Answer 29

They both place risk analysis within the broader subject of risk assessment. Therefore, risks are analysed and then prioritised. This will inform how resources are to be allocated and whether we can proceed with a strategy or have to think of different options

Question 30

Other risk analysis techniques

Answer 30

Looking at past records, experience, literature, testing, statistical models.

Question 31

Techniques to prioritise risks

Answer 31

How they impact objectives, likelihood of them happening, potential velocity

Question 32

Likelihood definition

Answer 32

Term which measures the chances of a specific event occurring. It captures the expected probability and frequency of a risk

Question 33

Probability

Answer 33

Likelihood expressed numerically (0% to 100%) - 2% of it raining today

Question 34

Frequency

Answer 34

Likelihood expressed numerically as a frequency measurement - it rained two times today. This is then converted to a probability measure. It could thus rain more today.

Question 35

how is impact measured

Answer 35

Most orgs used risk criteria to measure impact

Question 36

Risk matrix

Answer 36

Combination of impact and likelihood scales on which risks are positioned

It helps prioritise risks and provide focus for the org where to put effort in

Question 37

Risk vs action matrix

Answer 37

Action used instead of likelihood as this is hard to measure

Amount of action needed to bring the risk to an acceptable level

Question 38

Proximity vs velocity

Answer 38

Proximity = how close an org is to a risk occurring

Velocity = measures how fast a risk can impact an org. Once it occurs. The timescale of risk impact

Question 39

Proximity vs velocity

Answer 39

Proximity = how close an org is to a risk occurring

Velocity = measures how fast a risk can impact an org. Once it occurs. The timescale of risk impact

Question 40

Risk clock speed

Answer 40

The rate at which the info necessary to understand and manage a risk becomes available

• slow clock speed risks are those where enough thinking time is available
• Fast clock speed risks are at or close to real time

Question 41

Risk clock speed window

Answer 41

The range between how well organisations can deal with both fast and slow risk and still function effectively. They do so by having an established rm system

Question 42

Three levels of risk rating

Answer 42

Inherent = level of risk before any controls put in place
Current = level of risk taking into account the current controls in place to manage it. The goal is the target level where the current mitigations get even more effective, or more controls are added
Target = level of risk that is desired because it brings the risk to the acceptable level. Risk appetite

Question 43

definition of risk evaluation

Answer 43

After analysis a risk we must decide whether to respond to the risk or tolerate it. This all depends on the risk appetite level

Question 44

COSO (2004) defines objective setting as

Answer 44

the board should set objectives that support the mission of the Organization that are consisten with its risk appetite

Question 45

ISO 31000 sees the overall attitude of an Organization to risk as

Answer 45

= this can be described by a set of risk criteria

Question 46

Difference between risk appetite and risk attitude

Answer 46

The risk attitude is concerned with the criteria surrounding risk ,and risk appetite is concerned with the amount of risk required to achieve objectives

Question 47

What is a indication of risk attitudes of different Organizations

Answer 47

Different organizations will set their tolerance levels differently

Question 48

What are the advantages of having a risk classification system, as according to the BS 31100

Answer 48

Helps to define the scope of RM in the org, provides a structure and framework for risk identification, and gives the opportunity to aggregate similar kinds of risks across the whole Organization.
The number and type of risk categories employed should be selected to suit the size, purpose, nature, complexity and context of the org. The categories should reflect the maturity of rm within the Organization.

Question 49

Risk classification system: IRM Standard

Answer 49

Financial, strategic, hazard, operational

Question 50

Risk classification system: Orange Book

Answer 50

Strategy, Governance, Operations, Legal, Safety, Financial, Commercial, People, Technology, Information, Secuirty, Project, Programme, Reputational

Question 51

EM3

Answer 51

Summarises the responses to risks as embrace, management, mitigate, minimise

Question 52

Main requirements of a project

Answer 52

Delivered on time, within budget and to specification

Question 53

Three categories of risks that banks usually face

Answer 53

Market, credit and operation

Question 54

Market risks

Answer 54

They occur due to fluctuations in the financial markets. The assets and liabilities of the bank are exposed to various kinds of market volatilities, such as changes in interest rates and foreign exchange rates. Primarily an opportunity risk

Question 55

Credit risks

Answer 55

When the bank lends to a client there is an inherent risk of money not coming back, and this is credit risk. Credit risk is the possibility of the adverse condition in which the client does not pay back the loan amount. Control risk that has to be managed

Question 56

How does BASEL 2 define operation risk

Answer 56

The risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events.

Question 57

ISO Guide 73 definition of stakeholder

Answer 57

Person or group concerned with, affected by, or perceiving themselves to be affected by an Organization

Question 58

CSFSRS

Answer 58

Customers, staff, financiers, society, regulators, suppliers

Question 59

How does the BS 31100 classify core processes

Answer 59

As strategic, tactical and operational

Question 60

BS 31100: Strategic perspectives =

Answer 60

Set the future direction of the business

Question 61

BS 31100: Tactical perspectives =

Answer 61

Are concerned with turning strategy into action by achieving change

Question 62

BS 31100: Operational perspectives

Answer 62

Related to the day to day operations of the Organization

Question 63

BPR

Answer 63

Business process re-engineering approach. It is a technique to ensure an org has the most effective processes and operations.

• Starts by identifying stakehodlers and their expectations.
• Core processes deliver these shared expectations
• Stakeholders in current and future activities are identified aswell as their expectations in relation to objectives. The core processes can then be defined or refined to deliver these expectations.
• Taking a BPR or core processes approach identifies the core processes that are most vulnerable to risk events. It also enables the identification of stakeholders who are more likely to be dissatisfied because their expectations have not been delivered