Unit 4 Flashcards
(9 cards)
The 5Es for Opportunities (vs the 4Ts and control theory for threats)
e.g start up:
Explore their new opportunities, assessing whether it is worth taking the risk.
During the Growth phase, the operation Expands the opportunity, for example through raising investment or making sales. The risk, therefore, stays the same, but the reward increases.
The operation may then decide to Exit the opportunity through a successful and profitable sale of the opportunity (‘cashing-out’), with the same risk, but massive reward. In some cases, however, the operation may decide to Exit the opportunity altogether if the investment is outside of its risk appetite, OR,
as a Mature operation, the opportunity is Exploited
further, for example by securing investors or acquisitions. Here, the level of risk has reduced, butthe reward stays the same.
Operations in Decline have not changed ahead of or in line with market demand and opportunities will just Exist. Here the level of risk and potential reward are both low, with low sales in a shrinking market.
3 types of loss control
Loss prevention
– controls designed to stop a risk from occurring (managing the causes).
Damage limitation
– controls designed to reduce the size of the risk as soon as it has occurred (managing the impacts)
Cost containment
– controls designed to reduce the long-term effect of the risk, such as business continuity management
Control Theory (PCDD)
Preventive controls
- prevention may not always be cost-effective, especially if the likelihood of a risk occurring is low. For risks that we have no control over, such as some external risks, it might be impossible to prevent them anyway, in which case we are left with considering only the other three options. In that sense, a cost-benefit analysis of any preventive control is vital. Preventive controls are effective before the risk occurs.
Corrective controls
- these are in place where preventive controls are not feasible, desirable, or cost-effective (although they could be used also as a
secondary defence, should the preventive controls fail). Again, alongside their adequacy and effectiveness, the corrective controls’ value for money also needs to be tested. Corrective controls need to be developed prior to the risk occurring but become effective once a risk has occurred.
Directive controls
- these are a common type of control and are based on giving directions to another person or party as to how they should be have in certain circumstances. This type of control is based on the behaviour of individuals and, therefore, may not be very reliable. As noted earlier, directive controls, on their own, are not real controls. Contracts are directive controls because a contract instructs the parties to the contract what they should do in specified circumstances.
Detective controls
– these detect a risk occurring, such as a fire alarm or the detection of a project off-track through an audit review taking place six months into a project.
Preventative and Directive Controls are pre-event manifestation and
Corrective and Detective are post-event manifestation
Anticipatory controls.
These controls are forward looking, similar to directive controls, but theytend to be more long term and strategic in nature; they are controls set in advance of possible future scenarios and their aim is to help the organisation toadapt itself effectively and in good time to those future scenarios, should they occur. Anticipatory controls, could be used for risks with a long risk proximity
Hierarchy of controls (Safety) ESEAP
Not rely in humans:
Elimination – physically remove the hazard.
Substitution – replace the hazard.
Engineering controls – isolate people from the hazard.
Rely in Humans:
Administrative controls – change the way people work.
PPE – protect the worker with equipment
Risk lifecycle (Draft, Active, Ongoing, Closed/Managed, Closed/Occurred
Draft
– the risk has only just been raised and needs to be assessed to ensure it is a real risk and that is belongs in the scope of the activity beingaddressed
Active
– we are actively dealing with a real risk, and further actions are required to manage it to an acceptable level. Active risks and their controlsshould be monitored regularly to ensure controls are effective and the risk is moving from the current to target level
Ongoing
– we have managed the risk to an acceptable level, but it has not been closed and may change. Ongoing risks are reviewed less frequently,and KRIs and KCIs should be developed to help recognise underlying changes to the risk.
Closed / managed
– the risk can be closed due to successful management and lessons can be learnt to ensure risks of this type are managed in asimilar manner in the future
Closed / occurred
– the risk can be closed because it has occurred, and lessons can be learnt to ensure risks of this type can be better managed in thefuture
Name the 4 decision making styles
Analytical (problem solving), Conceptual (achievement oriented, creative), Directive (driven by results, aggressive nature), behavioral (team player, empathetic)
In terms of loss control, what the DRP and BCP are considered?
DPRs can be seen as primarily damage limitation controls, BCP are more concerned with cost containment.
Name some approached to evaluate the control environment
LILAC (leadership, involvement, learning, accountability and communication - for risk culture), CoCo model (Criteria Of COntrol framework) and Risk Maturity models such as FOIL (Fragmented, Organised, Influential, Leading) and the 4Ns (Naive, Novice, Normalised, Natural)
