Unit 6 Risk Response and Risk Treatment Flashcards

Unit 6: Risk response and risk treatment Introduction to risk treatment and risk response, the 4Ts, risk control techniques (PCDD), control of selected hazard risks, introduction to monitoring and review, insurance and risk transfer, business continuity planning (BCP).

1
Q

Which one of the following best describes a risk prior to any risk treatment?

A

Gross risk.

2
Q

Which one of the following options from the 4Ts of hazard risk management
would not result in a reduction in risk severity for the organisation?

A

Tolerating the risk

3
Q

Which one of the following types of control is a fire insurance policy a good
example of?

A

Directive

4
Q

Which one of the following outcomes does a fire alarm produce as a risk
treatment in the case of a fire?

A

Reduce impact but not likelihood

5
Q

Which of the following scenarios is an anticipatory response relevant to?

A

Emerging future situations

6
Q

Which one of the following types of risk can a ‘fifth T’ be used as a
response to?

A

Opportunity risk.

7
Q

Activity 6.1. By looking in Hopkin and The Orange Book (HM Treasury, 2004), see if you can find where COSO ERM (2017), the 8Rs and 4Ts process and The Orange Book show the activity of risk treatment. (Clue: Look at pages 50 and 75 respectively in Hopkin and page 13 in The Orange Book.)

A

The Orange Book (HM Treasury, 2004) describes risk treatment as ‘addressing risks’ in its chapter 6. The Orange Book is referred to several times in this unit, as it goes through the subject of the 4Ts and PCDD.

The IRM (2002) process includes a special section on risk treatment, which it defines, on page 7 of the standard, as “the process of selecting and implementing measures to modify the risk”.

Referring to the COSO ERM (2004) model, we can see that “risk treatment” can be accommodated in the following two stages of the process, which are taken from the original executive summary (COSO, 2004: 4):

  • ‘Risk response: Management selects risk responses – avoiding, accepting, reducing, or sharing risk; developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.
  • Control activities: Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.’

Finally, the 8Rs and 4Ts process describes risk treatment as “responding to risks” using the 4T approach.

8
Q

Activity 6.2. Can you recall what aspect of risk evaluation helps us to identify our ‘target risk’?

A

It is of course the risk appetite.

It tells us not only whether to treat a risk, but also when to stop treating it.

Referring to the scenario presented in figure 12.2 in Hopkin (page 144), do you think this is likely to be risk aggressive or risk averse in relation to the risk presented?

9
Q

Activity 6.3. Provide one practical example in your organisation of each of the 4T responses. Try to identify if the focus of the response is to try to reduce the risk’s impact or the likelihood, or both, or neither!

A

This is a useful exercise to reinforce your learning of the differences between each of the 4Ts.

You should find it quite easy to identify a “treat” since, as Hopkin says, this is the most common form of response.

But you might find it harder to detect a “terminate” since by implication this is something that is likely to have happened in the past; moreover, people might regard it not as a defensive withdrawal as a result of high risk, but a positive decision to take advantage of an opportunity.

10
Q

Activity 6.4. Consider your organisation’s responses to project and strategic risks (as opposed to hazard risks).

Do you have an alternative way to the 4Es and 5Es of classifying these types of responses?

A

You might find that you have a specific set of procedures for dealing with project activities, including their management of risks, that is distinct from operational activities; you might also well find that the project procedures focus more on project hazards than project opportunities.

However, it is highly likely that strategic level risk management will be a separate activity and possibly an informal one, led by the board of directors. Perhaps your best way of answering this question is to see if you have any procedures which cover strategic level risks.

11
Q

Activity 6.5. Provide one practical example in your organisation of each of the PCDD responses for a single risk of your choice.

Then consider whether your organisation has any anticipatory controls in place – try to find out how important people think anticipatory controls are.

A

Fraud Risk Example

In the case of fraud risk, a detective control could be a review of new suppliers set up by staff on the organisation’s accounting system, to try to detect any false or ghost suppliers to which money could be channelled. Another example would be the encouragement of confidential whistleblowing arrangements and fraud hotlines.

Preventative Control - A preventative control could be applied by suitable vetting of candidates’ backgrounds at job interview stages, or a range of penalties that could be invoked on any members of staff who are found to be defrauding the company, thus reducing the incentive to be fraudulent.

Corrective Control - A corrective control might be in areas of media handling activities, designed to mitigate any damage that might arise to reputation, and bringing in the police to take charge of the fraudsters in order to remove the cause of the fraud from the business.

Directive Control - A directive control could be a document with a set of procedures to adopt to either discourage fraud or to invoke if fraud is suspected.

Anticipatory Controls - As for an anticipatory control, have a look to see if there are any procedures in place for anticipating a complete change in the business model for the future. Going back to the section of the study guide, you will know that anticipatory controls relate to preparing for a changing future rather than managing the present.

12
Q

Activity 6.6. Firstly, where is ‘monitoring and review’ shown in the various risk management standards? Look at the extract from the IRM (2002) risk management standard in figure 6.1 in Hopkin (page 71), COSO ERM figure 6.3 (Hopkin page 75) and most importantly, ISO 31000 in figure 6.4 (Hopkin page 78).

A

Most risk management standards have something to say on monitoring and
review as a tool to enable learning and improvement in risk management
activities.
Monitoring and review is the last stage of the risk management process.

13
Q

Activity 6.7. Consider how you determine the value for money of risk management in your organisation.

Is there a consistent evaluation and when does the evaluation of cost-benefit take place?

Who makes the final decision?

A

Many businesses will find it much easier to estimate the cost of risk management than the benefits that come from managing risks.

The costs are here and now. We can estimate much of them from the amounts we spend on staff who spend time managing risks, administering the ERM framework, providing assurance, and the payments for running controls or paying for insurance. So while the total cost of risk might not be too difficult to calculate, the cost of managing individual risks will be much harder to compute because of the need to allocate those total costs to the management of individual risks. (Think, for example, how you would allocate your time to all of the individual risks that the organisation faces.)

Assessing the risk management benefits is more elusive than assessing the costs because risks are future events: they may never actually occur (in which case the value of the control is zero). Moreover, it may be impossible to calculate how much any individual control helped to reduce the likelihood or impact of a risk, since you never know what would have happened if the risk had occurred and you had no controls in place. Nor can you isolate the individual contribution of one control if one risk is managed by several controls.

Whether or not the risks occur, the sense of assurance that people feel that things are under control is very valuable, but it is also very hard to calculate. It is therefore most likely that the weighing of the risk cost-benefit scales is an intuitive one, like so much in risk management.

14
Q

Activity 6.8. A hospital finds that a cause of higher patient deaths is due to ambulances failing to reach emergency patients in sufficient time. The hospital manager’s response to this risk is to issue an instruction that ambulance drivers must reach emergency patients in less than eight minutes if they are to have a reasonable chance of survival. Identify some of the possible unintended consequences of this risk response.

  • Try to identify a near miss event in your organisation’s history. What were the reasons for the impact of that risk being much less severe than it could have been?
  • Was it good risk management or good luck?
  • What lessons did your management learn for the future?

A

This real example from the healthcare sector of a western country led to many unintended consequences.

First, it encouraged ambulance drivers to drive dangerously if they were in danger of failing to hit the time deadline.

Second, ambulance drivers might give up trying to reach a patient once they knew they were unlikely to hit the eight-minute target – arriving after one hour was no worse a performance than arriving at 8 minutes and one second.

Third, it encouraged the falsification of records. For example:

  • those patients living close to the ambulance station were more likely to be regarded as emergencies; or
  • a deliberate delay in logging the calls would give ambulance drivers an early start before the clock began.

Fourth, it failed to take account of driving conditions: heavy snow in the rush hour would undoubtedly result in poorer performances compared with clear conditions, early in the morning on a quiet national holiday.

15
Q

Activity 6.10. Think about this in the context of your organisation.

  • What are your organisation’s core activities that you could not afford to lose?
  • What type of event could seriously disrupt the continuity of your organisation?

Think of BCM not just for the organisation as a whole, but specifically for your risk management activities.

  • Where are your risk team’s (or your risk department’s) highest likelihood continuity risks, and what are you doing about them in order to ensure that the service of the risk team can be maintained in a crisis?

A

In focusing on your organisation, you should ask the additional question: Which of these sets of risks is likely to be most common? If your business handles inflammable chemicals in a dry region of the world, then a catastrophic fire risk is probably more likely than a catastrophic flood risk.

In focusing on the risk function itself, the catastrophic fire risk might be less likely than the catastrophic risk of disruption resulting from multiple staff absences all occurring at the same time due to a flu outbreak. Another continuity risk could result from a catastrophic failure in your risk management software.
