IRM Flashcards

(155 cards)

1
What does a good risk register look like?
Collates risks & controls; tailored to your organisation; updated regularly; informs decision making; enables the team to prioritise & manage their risks
2
What is risk policy?
Risk policy is the 'what': the framework and guidelines for managing risks
3
What are risk procedures?
Procedures are the 'how'
4
What are the ISO 31000 8 key RM steps?
Communication & Consultation; Scope, Context & Criteria; Risk Identification; Risk Analysis; Risk Evaluation; Risk Treatment; Monitoring & Review; Recording & Reporting
5
What are the COSO (2004) 8 key RM steps?
Internal Environment; Objective Setting; Event Identification; Risk Assessment; Risk Response; Control Activities; Information & Communication; Monitoring
6
What are the 4 RM standards?
ISO 31000, COSO (2004), COSO (2017), The Orange Book
7
What are the 5 components of COSO (2017)?
Governance & Culture; Strategy & Objective Setting; Performance; Review & Revision; Info, Comms & Reporting
8
What is Principle A of the Orange Book?
RM is an essential part of governance & leadership
9
What is Principle B of the Orange Book?
RM is an integral part of all organisational activities, to support decision making
10
What is Principle C of the Orange Book?
RM shall be collaborative and informed by the best available information and expertise
11
What is Principle D of the Orange Book?
RM processes shall be structured, including risk identification & assessment, risk treatment, risk monitoring and risk reporting
12
What is Principle E of the Orange Book?
RM shall be continually improved through learning and experience
13
What are the 3 components of context?
Internal, External, Risk Management
14
What is the purpose of establishing context according to ISO 31000?
To enable effective risk assessment & treatment
15
What is the extended enterprise?
Organisations come together to achieve objectives they could not achieve on their own
16
What are the key elements of the extended enterprise?
Core activities, key inputs & outputs, external influences
17
What does PESTLE help to do?
Analyse an organisation's external context (Political, Economic, Social, Technological, Legal, Environmental factors)
18
What is Mendelow's matrix?
A power/interest grid that helps with stakeholder mapping
19
What are some difficulties in setting objectives?
Picking ones that support the mission; conflicting stakeholder expectations; context constantly changing
20
What is the attachment of risk?
The process of transferring or assigning a specific risk or liability from one party to another
21
What are the 3 stages of risk assessment?
Risk identification, risk analysis, risk evaluation
22
What is the purpose of risk identification?
To find, recognise and describe risks that might prevent or help the organisation achieve its objectives
23
What is a cause? A risk? A consequence?
Cause: something happening now or that has already happened. Risk: the uncertainty. Consequence: the impact on objectives.
24
What are Hopkin's 5 techniques for risk assessment?
Checklists & questionnaires; workshops & brainstorming; inspections & audits; flowcharts & dependency analysis; crowd-sourcing technology
25
Words to describe emerging risks?
Ambiguous, chaotic, complex, uncertain, volatile
26
What is the definition of an emerging risk?
A risk that is new, or a familiar risk in a new/unfamiliar context or under new conditions. Potentially significant but not yet fully understood, so it cannot be managed with confidence.
27
What is the importance of risk classification?
Gives structure to the risk identification process; facilitates identification of more risks; consistent risk terminology; assigns responsibilities; estimates total exposure; bundles risk treatment
28
What does FIRM help with and stand for?
Risk classification. Financial, Infrastructure, Reputational, Marketplace
29
What are the 5/4 Ts for risk control?
Terminate, Treat, Transfer, Tolerate (the 4Ts for hazard risks), plus Take (the opportunity) as the fifth
30
Sartarla designed a flow chart to ...?
To decide whether something is a real control, i.e. to challenge its effectiveness
31
How does the ISO 31000 define a control?
A measure that maintains and/or modifies risk
32
What are the 5 response strategy types (5 E's)?
Explore opportunities; Exploit opportunities further; Exit opportunities in decline; Expand; Exist in maturing or declining markets
33
What is damage limitation?
Reducing the magnitude/severity of a risk when it occurs; managing the impacts
34
What is loss prevention?
Reducing the likelihood of a risk, and also its impact if it does occur
35
What is a preventative control?
Pre-event; an internal control used to avoid an undesirable event occurring
36
What is cost containment?
When a hazard risk materialises despite the efforts put into loss prevention and damage limitation, there may still be a need to contain the cost of the event
37
What is the most effective/best type of control?
Preventative control
38
What is a directive control?
Directions on how to behave, e.g. contracts; pre-event
39
What are detective controls?
Detect that a risk has occurred, e.g. a fire alarm; post-event
40
What are anticipatory controls?
Long-term & strategic
41
What are corrective controls?
Implemented once a risk has occurred
42
What controls are implemented pre-event?
Preventative, Directive
43
What controls are implemented post-event?
Corrective, Detective
44
What type of control is insurance?
Corrective, post-event
45
What type of control is business continuity?
Corrective, post-event
46
Is business continuity a loss prevention, damage limitation or cost containment?
Cost containment
47
What is an engineering control?
Isolate people from the hazard
48
What is an administrative control?
Change the way people work
49
What is an elimination control?
Physically remove the hazard
50
What is the substitution control?
Replace the hazard
51
What is the swiss cheese model?
Each slice of Swiss cheese represents one measure taken to minimise risk; the holes are its weaknesses, and a loss occurs only when holes line up across every slice
52
What is the purpose of monitoring & reviewing according to ISO 31000?
To assure & improve the quality & effectiveness of process design, implementation and outcomes
53
What are some methods to monitor risk?
KRIs (key risk indicators), KCIs (key control indicators)
54
Monitoring is .... but review is ... & ....?
Monitoring is ongoing, but review is periodic & prompted by changes
55
What are 4 ways to collect data?
Audits, Customer audits, internet of things, satellite data
56
What is big data?
Data of greater variety, arriving in increasing volume & with more velocity (the 3 Vs)
57
How does ISO 31000 define risk?
'effect of uncertainty on objectives'
58
What are Hopkin's 4 categories of risk?
Hazard, Opportunity, Compliance, Control
59
How does ISO 31000 define RM?
'coordinated activities to direct & control an organisation with regard to risk'
60
What is needed for ERM to work effectively?
High investment, high risk maturity, strong risk assurance
61
When was RM introduced?
1995
62
Why is it important to know about the history or RM?
To know where we are now & where we might be in the future; conventional views may have to be altered
63
What is a downside risk?
Event whose outcomes are negative
64
What does STOC stand for?
Strategy, Tactics, Operations, Compliance
65
What is risk exposure?
Likelihood of risk materialising and impact when it does
66
What is risk attitude?
Organisation's approach to assessing & eventually pursuing, retaining, taking or turning away from risk
67
What is risk appetite?
Amount & type of risk an organisation is willing to pursue or retain
68
What does FIRM stand for?
Financial, Infrastructure, Reputational, Marketplace
69
What are the 4Ts of Hazard RM?
Tolerate, Treat, Transfer, Terminate
70
What is the Sartarla approach to ERM?
Define context & objectives; assess the risks; manage the risks; review & report
71
What is a climate physical risk?
Impact from actual climate change
72
What is climate transitional risk?
Changes arising from activities to move to a more sustainable approach
73
What is a climate legal risk?
Knowingly continuing to contribute to climate warming
74
What is the law that mandates certain practices in finance recording keeping & reporting called?
The Sarbanes-Oxley Act (SOX)
75
Name a banking regulator
The Basel Committee on Banking Supervision (the Basel Accords)
76
Name an insurance regulation
EU Solvency II
77
What is an operational risk?
The risk a company faces in the course of conducting its daily business activities, procedures and systems
78
What does PRAM stand for?
Project Risk Analysis and Management Guide
79
Definition of a project?
Unique, transient endeavours undertaken to achieve objectives
80
When was H&S legislation enacted?
1800s
81
What does COSHH stand for?
The Control Of Substances Hazardous to Health
82
What does RIDDOR stand for?
The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations
83
When and where was the first RM standard?
1995, Australia & New Zealand (AS/NZS 4360)
84
What does the ISO 31000 include?
What good RM looks like (the Principles); what is needed to implement effective RM (the Framework); the steps in RM (the Process)
85
What does RASP stand for?
Risk Architecture, Strategy & Protocols
86
What is included in the COSO ERM Cube?
Three dimensions: the objective categories (strategic, operations, reporting, compliance); the 8 components of the RM PROCESS; the ORGANISATIONAL units to which it applies
87
What is the H&S standard?
ISO 45001
88
What is the Legal standard?
ISO 31022
89
What is the projects standard?
PRAM
90
According to ISO 31000, what is the purpose of RM?
The creation & protection of value
91
What does PACED stand for?
Proportionate, Aligned, Comprehensive, Embedded, Dynamic
92
What do the elements of PACED mean?
Proportionate: customised to suit the org; Aligned: integrated with org activities; Comprehensive: consistency of the RM process; Embedded: changes risk attitude, behaviour & culture; Dynamic: the process does not finish with the risk register but feeds decision making & value
93
What is Agency Theory?
The concept used to explain the relationship between principals (who delegate work and rely on others to do it) & their agents
94
What is Risk Architecture?
Committee structure & terms of reference; roles & responsibilities; internal reporting requirements
95
How does Hopkin advise you implement ERM?
PIML: Planning, Implementing, Measuring, Learning
96
What does PIML stand for and represent?
Planning, Implementing, Measuring, Learning. How Hopkin advises you implement ERM.
97
What must you consider in time it takes to implement ERM?
Starting position; commitment from the TOP; size & complexity; resources available; whether the org is a global actor
98
What does risk status show?
Risk lifecycle
99
What are the risk statuses?
Draft, Activity, Ongoing, Rejected, Escalated, Deleted, Expired, Closed/Managed, Closed/Occurred
100
What does 'draft' risk status mean?
Risk only just raised; needs to be assessed to confirm it is a real risk
101
What does 'activity' risk status mean?
Actively dealing with the risk; further actions required to manage it
102
What does 'ongoing' risk status mean?
Risk managed to an acceptable level; not closed & may change. KRIs developed.
103
What does 'rejected' risk status mean?
Problems & issues, not risks
104
What does 'escalated' risk status mean?
Does not affect the objectives of this activity but affects other areas of the business
105
What does 'deleted' risk status mean?
No longer occurring due to external changes
106
What does 'expired' risk status mean?
Time has passed and the risk can no longer occur
107
What does 'closed/managed' risk status mean?
Successfully managed
108
What does 'closed/occurred' risk status mean?
The risk has occurred
109
What is a consultation?
A process which shapes a decision through influence rather than power; input into decision making, not joint decision making
110
What is some useful input shared in risk reports?
Level of confidence that objectives can be met; important changes (risks, controls, context, objectives); emerging risks; new risks; themes/trends; actions
111
What are 4 types of risk reporting according to The Orange Book?
The principal risk report; deep dive report; risk radar; risk moderation
112
How many decision-making steps does Drucker have?
6
113
Culture definition?
Ideas, customs, beliefs & behaviours shared by a group of people
114
Risk culture definition?
How people perceive, understand & manage risks
115
How to take a positive stance on risk culture?
Good communication of the org's expectations of all staff; convincing employees they will benefit; involving them in the risk identification process; training programmes
116
How does Hillson define risk attitude?
Chosen responses to uncertain situations, driven by whether uncertainty is perceived as favourable/neutral/hostile.
117
What is anchoring bias?
Being disproportionately influenced by information we already have (the 'anchor')
118
What are 5 types of bias?
Confirmation, conformity, authority, bandwagon, anchoring
119
What 3 factors influence risk perception?
Conscious, subconscious, affective
120
What does LILAC stand for and show?
Risk Culture Model. Leadership, Involvement, Learning, Accountability, Communication
121
What is the ABC model?
Risk culture model. risk Attitude, risk Behaviour, risk Culture.
122
What are 5 indicators of a positive safety culture?
Leadership promoting a positive safety culture; Involvement of staff; Existence of a learning culture; Existence of a just culture
123
Can you have a 'risk-aware' culture?
No; being 'risk-aware' is an attitude, so you can have a 'risk-aware ATTITUDE'
124
Is 'the way we do things around here' risk behaviour or risk attitude?
Risk behaviour
125
Hopkin's definition of risk attitude?
The long-term view of the organisation towards risk, determined by the 4 Cs: comfort, cautious, concerned, critical
126
What are Hopkin's 4 Cs related to risk attitude?
Comfort, cautious, concerned, critical
127
What is the Double S Model?
Culture as having 2 dimensions: Sociability (people focus) and Solidarity (task focus)
128
What are some benefits of Sociability in the Double S Model?
Encourages cohesion & common purpose; people go beyond what is expected
129
What is a negative of Sociability in the Double S Model?
Friendships may lead to poor performance
130
What are some benefits of Solidarity in the Double S Model?
Risk controls & actions implemented. Relationships formed on mutual interest. Swiftly mobilise a team.
131
What is a negative of Solidarity in the Double S Model?
They may ask 'what's in it for me'?
132
How can you measure risk culture?
Surveys
133
What are the elements of the risk culture aspects model?
Tone from the top; Governance; Competency; Decisions
134
How to change risk culture according to IRM?
Plan & implement cultural change; Monitor & adapt to change; Evaluate current risk culture; Assess impact of current risk culture; Identify areas of improvement
135
What are Hopkin's risk appetite principles?
Acknowledging interconnectedness; Measurability; Variability
136
Define risk capacity
A measure of how much risk the organisation can and should take
137
Define risk tolerance
The boundaries outside of which organisation will not venture
138
What are the benefits of adopting a risk appetite?
Reducing uncertainty; Improve consistency; Focus on priority areas; Improve resource prioritisation
139
How does the IRM define risk appetite?
The amount of risk an org is willing to seek/accept in pursuit of its long-term objectives
140
What is the optimal risk position?
The level of risk at which the organisation aims to operate
141
What is the tolerable risk position?
The level of risk at which the organisation is willing to operate
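Several of these cards describe the same mechanics from different angles: a risk register that collates risks and controls and lets a team prioritise (card 1), exposure as likelihood combined with impact (card 65), KRIs as the monitoring signal (card 53), the risk status lifecycle (cards 98-108) and the optimal versus tolerable risk positions (cards 140-141). The following Python is an added illustration, not part of the IRM deck or of any IRM tool, showing how those pieces fit together in a minimal register. The 1-5 scoring scale, the numeric appetite thresholds, the allowed status transitions and the sample risks are all assumptions chosen for the example.

```python
# Added example (not from the flashcard deck): a minimal risk register that
# scores exposure, places each risk against appetite, checks KRIs and
# enforces a status lifecycle. Scales, thresholds and transitions are assumed.
from dataclasses import dataclass, field
from enum import Enum


class Status(str, Enum):
    DRAFT = "draft"
    ACTIVITY = "activity"
    ONGOING = "ongoing"
    REJECTED = "rejected"
    ESCALATED = "escalated"
    DELETED = "deleted"
    EXPIRED = "expired"
    CLOSED_MANAGED = "closed/managed"
    CLOSED_OCCURRED = "closed/occurred"


# Assumed lifecycle: the deck names the statuses but not the transitions, so
# this table is illustrative. Statuses absent from the table are terminal.
TRANSITIONS = {
    Status.DRAFT: {Status.ACTIVITY, Status.REJECTED, Status.ESCALATED},
    Status.ACTIVITY: {Status.ONGOING, Status.ESCALATED, Status.DELETED,
                      Status.CLOSED_MANAGED, Status.CLOSED_OCCURRED},
    Status.ONGOING: {Status.ACTIVITY, Status.DELETED, Status.EXPIRED,
                     Status.CLOSED_MANAGED, Status.CLOSED_OCCURRED},
    Status.ESCALATED: {Status.ACTIVITY, Status.ONGOING},
}


@dataclass
class Risk:
    ref: str
    description: str
    likelihood: int                            # assumed scale 1 (rare) .. 5 (almost certain)
    impact: int                                # assumed scale 1 (minor) .. 5 (severe)
    controls: list = field(default_factory=list)
    status: Status = Status.DRAFT
    kris: dict = field(default_factory=dict)   # KRI name -> (current value, threshold)

    @property
    def exposure(self) -> int:
        """Exposure = likelihood of materialising x impact when it does."""
        return self.likelihood * self.impact

    def move_to(self, new: Status) -> None:
        """Change status, refusing moves the lifecycle table does not allow."""
        if new not in TRANSITIONS.get(self.status, set()):
            raise ValueError(f"{self.ref}: cannot move {self.status.value} -> {new.value}")
        self.status = new

    def kri_breaches(self) -> list:
        """Monitoring: KRIs whose current value has reached their threshold."""
        return [name for name, (cur, thr) in self.kris.items() if cur >= thr]


@dataclass
class Appetite:
    optimal: int     # exposure the organisation aims to operate at
    tolerable: int   # exposure beyond which it will not venture


def position(risk: Risk, appetite: Appetite) -> str:
    """Place one risk relative to the optimal and tolerable positions."""
    if risk.exposure > appetite.tolerable:
        return "outside tolerance"
    if risk.exposure > appetite.optimal:
        return "above optimal"
    return "within appetite"


def prioritise(register: list, appetite: Appetite) -> list:
    """Open (non-terminal) risks, highest exposure first, with their position."""
    open_risks = [r for r in register if r.status in TRANSITIONS]
    ranked = sorted(open_risks, key=lambda r: r.exposure, reverse=True)
    return [(r.ref, r.exposure, position(r, appetite)) for r in ranked]


# Constructed sample register; the values are illustrative, not from the deck.
REGISTER = [
    Risk("R1", "Unpatched internet-facing server", 4, 5,
         controls=["patch SLA", "WAF"], status=Status.ACTIVITY,
         kris={"days past patch SLA": (12, 7)}),
    Risk("R2", "Key supplier insolvency", 2, 4,
         controls=["dual sourcing"], status=Status.ONGOING,
         kris={"supplier late deliveries this quarter": (3, 10)}),
    Risk("R3", "Office relocation overrun", 3, 2,
         controls=["contingency budget"], status=Status.CLOSED_MANAGED),
    Risk("R4", "New phishing campaign", 3, 3),
]
APPETITE = Appetite(optimal=6, tolerable=12)


if __name__ == "__main__":
    for ref, exposure, pos in prioritise(REGISTER, APPETITE):
        print(f"{ref}: exposure {exposure:2d} ({pos})")
    for r in REGISTER:
        if r.kri_breaches():
            print(f"{r.ref}: KRI breach on {r.kri_breaches()}")
```

Run as a script it lists R1 first (exposure 20, outside tolerance), then R4 and R2; R3 is closed and drops out of the priority list, and R1's KRI breach shows why monitoring and review are separate steps: the KRI flags the breach continuously, while deciding to move R1 from 'activity' to 'escalated' is a review decision a person makes.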
142
Who is responsible for the determining the nature & extent of risks willing to take?
The Board
143
What are Hopkin's stages in developing risk appetite statements?
Identify stakeholders & expectations; Define org-wide risk exposure; Establish desired risk exposure; Define acceptable volatility; Formulate the statement & communicate it
144
What are the 5 levels of risk appetite?
Opposed/averse; Minimalist; Cautious; Mindful/open; Enterprise/eager
145
What are IRMs key principles when designing risk appetite?
RA can be complex; needs to be measurable; not a single, fixed concept; developed in line with org capability & maturity; set at strategic, tactical & operational levels
146
What is maturity?
Context, culture, systems, processes
147
What is capability?
Financial, reputational, people, infrastructure
148
What does TARP stand for and what is it?
H&S triggers. Trigger Action Response Plans
149
What questions does the IRM ask to test RA statement?
Does it provide guidance for decision making? Do execs understand the aggregated/interlinked level of risk, to determine what is acceptable? Do they understand that RA is not constant? Do decision makers consider reward?
150
What are Deloitte's indicators that RA statements good?
People take risks knowing which objectives they are supporting; principal risks are understood; RA language permeates the org
151
What are the 4 levels of risk appetite?
High level; directional; specific; detailed
152
What are Hazard risks?
Risks that can only inhibit achievement of the corporate mission
153
What are opportunity risks?
The risks that are deliberately sought or embraced by the organisation
154
What are Control risks?
Associated with uncertainty; they cause doubt about the ability to achieve the organisation's mission
155
What are compliance risks?
The threat to an organisation's finances, operations and reputation from violations of the rules, regulations and laws governing its activity