ARM 401


debt to equity ratio

-long-term debt/shareholders' equity -commonly used to compare to other orgs in the same industry

Customer and Trading Partner liability

-3rd party is often a customer of the first party but also might be a trading partner (supplier or service vendor) infected by a computer virus because of the first party's failure to manage its cyber liability loss exposure -communication protocols are critical -first party can be sued for invasion of privacy or breach of contract if customers' private info is compromised

Fishbone diagram

-5 whys analysis is the most prevalent method for generating the specific causes in a fishbone diagram -causes are diagonal lines connected to a horizontal arrow that indicates the problem being addressed -most frequently depict industry-specific and process-specific causes -ex: 6 Ms used for manufacturing

linear regression analysis

-A form of regression analysis that assumes that the change in the dependent variable is constant for each unit of change in the independent variable -dependent variable is plotted on y axis; independent is plotted on x axis -first steps are to plot the data points, find slope, x, y, and sketch the line -y intercept is the point at which the line crosses the y axis -two things to consider: 1. a line tends to become less accurate the farther away it gets from the actual data values used 2. for any past year, the dependent variable's value calculated by the linear regression line isn't likely to exactly equal the historical value for that past year

probability distribution

-A presentation of probability estimates of a particular set of circumstances and of the probability of each possible outcome -properly constructed if outcomes are both mutually exclusive and collectively exhaustive (only one can occur at a time and at least one of them will occur) -collectively exhaustive: sum of outcome probabilities is 1 -infinite number of outcomes (investment gains or losses): categories (bins) must be designed so that all outcomes can be included

Acid-Test (Quick) Ratio

-Acid-Test = (cash + marketable securities + accounts receivable) / current liabilities -more conservative than the current ratio

Current ratio

-Current Ratio = Current Assets / Current Liabilities -will the company's working capital adequately meet its upcoming obligations -be aware of different inventory valuation methods because they will produce different values

D&O Liability

-D&O can be held liable for losses that result when they fail to fulfill their responsibilities and duties as required under the law -breach of fiduciary duty is a common source of risk -typical risk is that investors will file a lawsuit if the stock price drops significantly -D&O lawsuits can create significant defense and settlement costs -D&O insurance can transfer financial risk but can't restore an org's reputation

Market Risk

-Uncertainty about an investment's future value because of potential changes in the market for that type of investment -interest rate risk, exchange rate risk, liquidity risk

HAZOP

-a comprehensive review of a process or system -a team of subject matter experts and stakeholders identifies the risks associated with a given process and recommends a solution -primarily used to design complex, scientific systems -used when virtually all risks must be eliminated

Risk-adjusted Return on Capital (RAROC)

-a financial ratio of income adjusted for risk to the amount of capital required to maintain solvency at a given risk tolerance level -orgs use this to provide an objective means to select a strategic course of action and subsequently evaluate the relative success of actions taken -orgs calculate this to ensure that the level of downside risk involved with selected strategic actions does not exceed their economic capital -can be done at org or business unit level -measures rewards or returns against the risk associated with achieving those rewards -based on ROC -goes one step further than ROC by measuring the risk inherent in the specified business unit or activity -way to measure risk is to subtract from revenue the expected loss amount associated with a risky activity (adjustment assumes the risk associated with the activity is pure risk) -RAROC = (Rev - Expense - Expected loss + income from capital) / Economic Capital

Neural networks

-a form of AI that enables a computer to learn as it accumulates more data (Deep learning) -3 layers: input (collects the data to be analyzed), hidden (where all the work takes place), output (offers the results of the analysis) -org reviews results and compares them with the outcomes it had anticipated; org can determine how accurate the model is based on that -network can learn from any inaccuracies in its calculations by reversing the process; doing this multiple times will teach it how to get to the desired result itself -use in risk management is to compare the risks of proposed and current projects with historical results -drawbacks: can be overtrained; processes in the hidden stage may be too incomprehensible to be evaluated thoroughly enough

reputation as a key asset

-a good reputation is an intangible asset -risks include legal and regulatory noncompliance, unethical behavior by employees, or the filing of a major lawsuit against an org -different stakeholders have different opinions on what factors help or hurt an org's reputation, so identify the key stakeholders and prioritize them in terms of importance -the priority each stakeholder should be given can be calculated using a matrix in which the stakeholder's power and interest are correlated to the amount of effort that should be expended to keep them satisfied

risk-based capital

-a method developed by the NAIC that establishes a minimum amount of capital that an insurer needs to support its overall ongoing business operations based on the risk-based capital formula -uses factors to calculate a risk margin for the underlying risks

Predictive Approach

-a method that can be used repeatedly to provide info for data-driven decision making -ex: predicting responses to a coupon offer

exposure indicators

-a metric used to identify risk inherent to an org's operations -also referred to as inherent indicators

Cluster Analysis

-a model that determines previously unknown groupings of data -used when risk managers don't know the precise nature of info -a collection of algorithms that put data into groups or clusters according to well-defined similarity rules -used when a risk manager has a general problem to solve but does not know the variables a predictive model must analyze to do so

Predictive modeling

-a model used to predict an unknown outcome by means of a defined target variable -selection of the appropriate attributes determines the model's success and the selection must often be fine-tuned several times -model must use enough suitable attributes to be accurate -if too many are used, a model can overfit the training data, making the model too complex and therefore ineffective for other data -holdout data: existing data with a known target variable that is not used as part of the training data -applying a predictive model to the holdout data helps ensure that the model is not too specific to the training data and is therefore sufficiently predictive across all the data

facilitated workshops

-a neutral party, who has no stake in the outcome, administers the risk workshop and propels the group to achieve its goal -wise to include people from diverse groups -can be used for a specific project or process, as well as to identify those risks that affect overall org objectives -if using to identify all org risks: facilitator must be skilled in risk ID and management as well as group communication and be prepared for a long-term project

Robotic Process Automation

-a paradox because it can solve problems but also create problems so all angles should be considered before putting one in place -doesn't always involve robots, it's more focused on creating a process to complete one task -should be used as a part of business process management to reach its full potential

normal distribution

-a probability distribution that helps forecast volatility around a central, or expected value -when data is distributed evenly and forms a bell curve, it is considered normal -68% of the values are within 2 SDs of the mean (1 above, 1 below) -95% are within 4 SDs -99% are within 6 SDs

empirical probability

-a probability measure that is based on actual experience through historical data or from the observation of facts -ex: probability that a male will die at age 68 -may change as new data is discovered -only estimates; to be accurate, the samples under study must be sufficiently large and representative -often used for risk management applications -particularly effective for projecting the likelihood and consequences of losses or gains in orgs that have both a substantial volume of historical data and fairly stable operations so that loss and gain patterns will presumably continue unchanged

Root Cause Analysis

-a process that enables the risk management professional to dig past the obvious causes of an accident to find other factors that played a role -harmful events are generally associated with one of three basic causes of loss: physical, human, or organizational

fault tree analysis

-a process that originates with an assumption about what caused an event or failure -work downward from the assumption, then use a diagram to connect the factors that caused the failure and determine how to devise methods to prevent similar failures in the future

Reputational Risk

-a single negative item of info can reverse an org's positive image and severely damage its reputation in a matter of minutes -orgs are also exposed to reputational risk through the social networking activities of their employees

Monte Carlo Simulation

-a statistical computer model that simulates the effects that uncertainty is likely to have on risk outcomes -used to quantify the probability of hundreds or even thousands of different outcomes that can't easily be predicted because they are subject to lots of random variables -core idea is to use random samples or inputs to explore the behavior of a complex system or process -results are assembled into probability distributions representing the possible outcomes -can also be used to predict outcomes regarding hazard losses -quickly explores thousands of what-if scenarios, giving a risk manager a breakdown of not only what could happen but also what is most likely to happen

regression analysis

-a statistical technique that is used to estimate relationships between variables -can increase the accuracy of forecasting by examining relationships between the variables that affect trends -dependent variable: variable being forecast -independent variable: the variable that determines the value of the dependent variable -goal is to find the equation for the line that best fits these four data points and to project this line forward to forecast the number of future losses

classification tree

-a supervised learning technique that uses a structure similar to a tree to segment data according to known attributes to determine the value of a categorical target variable -tree has nodes, arrows, and leaf nodes -the leaf nodes on the tree indicate the values of the target variable -helpful because they show what you're thinking graphically and also require a systematic, documented thought process

Earnings at risk (EaR)

-a technique to assess earnings volatility by measuring the likelihood that earnings will be below a specific dollar amount over a specific period of time -mainly used by financial institutions to determine the amount by which the net income of an investment may shift as a result of changes in market conditions, such as interest rates going up or down -entails modeling the influence of factors such as changes in interest rates -developed using a monte carlo simulation and the results are presented as a probability distribution curve or a histogram of individual probabilities -helpful in comparing the likely effects of different risk management strategies on earnings -drawback: calculations can be complex

Value at Risk (VaR)

-a technique to quantify financial risk by measuring the likelihood of losing more than a specific dollar amount over a specific period of time -typically used to determine the probability of loss on an investment portfolio over a certain, usually short, time period -ex: a one-day, 5 percent VaR of $300,000 means there is a 5 percent probability of losing $300,000 or more over the next day

Conditional value at risk

-a technique to quantify the likelihood of losing a specific dollar amount that exceeds the VaR threshold -same benefits of VaR but has added benefit of helping to analyze the extremely large losses that may occur, usually with very low probabilities, in the tail of a probability distribution -particularly important in fat-tailed distributions, for which the extremely large losses have higher probabilities than with most other probability distributions

risk maps

-a template depicting the likelihood and potential impact/consequences of risks -used to bring the register's info to focus and make it easier to act on -can also be used to categorize risk in relation to an org's risk appetite for a specific risk, project, or process -goal is always to pinpoint where risk management efforts should be focused -variations include assessing certain segments of risk or risk at a given point in time -can be used to document inherent risk, residual risk, and optimum risk: important because they can determine the necessity and potential effectiveness of a risk treatment

risk registers

-a tool developed at the risk owner level that links specific activities, processes, projects, or plans to a list of identified risks and results of risk analysis and evaluation and that is ultimately consolidated at the enterprise level -use when you are dealing with a lot of risks -identify, describe, and prioritize risks -an effective register describes each risk, determines each risk's likelihood and potential consequences, offers controls that could mitigate the negative effects of each risk, and identifies the party responsible for executing those controls -can be used for one scenario or all of an org's risks -organizational risk registers can organize risks by scenario, risk quadrant, or affected business unit or risk owner

key risk indicator

-a tool used by an org to measure the uncertainty of meeting a strategic business objective -leading indicator -can be identified by three operational risk classes: people, processes, and systems

SAP

-accounting principles and practices that are prescribed or permitted by an insurer's domiciliary state and that insurers must follow -excludes furniture and equipment from its calculation of assets -bonds that will be held to maturity may be valued at amortized cost -an insurer's net worth is called policyholders' surplus

Fault Tree Analysis Assumptions

-all components exist in only one of two conditions - success or failure -any system component's failure is independent of any other component's failure -each failure has an unchanging probability of occurrence

Control Risk Self-Assessment

-all employees work together to identify and evaluate the org's risks and their controls -reviews the effectiveness of the business's internal procedures, systems, and personnel -conducted through workshops and questionnaires; both have advantages and disadvantages -doesn't replace internal audit, it supplements it

People (operational Risk)

-all the employees of an org as well as its contractors, vendors, clients, and any other group of people the org chooses to put in this category -E&O can cover some errors but rarely covers errors that don't affect a third party -important factor is the significance of the org's culture -strategies to mitigate people risk: recruitment, selection, training and development, performance management, incentives, succession planning

workshops

-allows attendees to brainstorm and assess risks in an open, collaborative forum -gives more perspectives -downside is the potential for senior management to influence the flow of ideas from stakeholders; some people conform

system safety advantages

-allows risk management to view an accident from the perspectives of many different systems -allows risk management to follow an orderly process for developing a range of loss control measures that improve the reliability of interrelated systems -can use system safety analysis to enlist the cooperation of many people inside and outside the org -can reduce accident frequency and severity by defining and preventing events that lead to a particular type of accident

Job Safety Analysis

-an analysis that dissects a repetitive task, whether performed by a person or machine, to determine potential hazards if each action is not performed -one of the most universally applicable and versatile techniques for analyzing the cause of accidents -best applies to repetitive human tasks performed in an environment sufficiently stable to allow most hazards to be foreseen

Trend Analysis

-an analysis that identifies patterns in past data and then projects these patterns into the future -regression analysis is a trend analysis -commonly used to adjust forecasted future dollar amounts of gains or losses using an anticipated inflation rate

Change Analysis

-an analysis that projects the effects a given system change is likely to have on an existing system -asks a series of what-if questions regarding a possible change in process that has yet to occur -it then projects the consequences for the changes and for all feasible combos of changes to reveal risks that could arise because of the changes that went into effect -can also apply to various combos of changes in systems

Fault Tree Analysis

-an analysis that takes a particular system failure and traces the events leading to the system failure backwards in time -no known causes -an examination of the conditions surrounding a risk event that moves from the general circumstances of the event to more specific ones -identifies possible ways to "break" the fault tree, or interrupt the sequence of events that led to the system failure -needs to be as complete and accurate as possible to encourage sound loss control decisions

Book Value

-an asset's historical cost minus accumulated depreciation -book value is generally lower than market value because depreciation decreases it while inflation increases market value -based on historical cost -ex: real estate's historical cost is building's original purchase price, including value of the land, real estate commissions, closing costs; also any capital improvements

business process management

-an enterprise-wide approach that looks to optimize business processes, making use of automation when appropriate -looks at an org's operations from beginning to end -goal is to make the org more efficient and productive, which, as with RPA, involves limiting operational risks where possible

indenture levels

-an item's relative complexity within an assembly, system, or function -level 1: the system itself -local effect: produced by a failure mode that affects the level being analyzed -next-higher-level effect: produced by a failure mode that affects the next-higher level -end effect: produced by a failure mode that affects the highest indenture level

coefficient of variation

-another way to measure the spread of results -used to compare results from two different sets of data to learn which has more variation

Fiduciary Duties Risk

-arise mainly out of the possibility that beneficiaries of an employee benefit plan may file a lawsuit against the plan officials for breach of their fiduciary duties -duties: loyalty, prudence, diversification, adherence -if a fiduciary breaches a duty and that causes loss to a benefit plan, the fiduciary is personally liable to the plan for the full amount of the loss

two tasks a risk professional needs to excel in when working with subject-matter experts

-asking the right questions of the right people -understanding the answers

external data

-belongs to an entity other than the org that would like to acquire and use it -one type is open data which anyone can freely use (wikipedia) -may become stored as internal data -regulatory info, info related to demographics, industry trends, survey results -economic data (interest rates, asset prices) is commonly used type of third-party data

holistic approach to managing risk

-broader in scope, managing all areas of the business, not just hazard risks -encompasses the analysis and predictability of business processes and organizational decisions -mandates the collaboration of internal and external stakeholders to identify, assess, and treat risks -involves looking at what might be gained from decisions or actions -can uncover inconsistencies in how a company manages loss retention -can help orgs better absorb losses

Buildings

-buildings are categorized by type of construction and how well that construction withstands different hazards, like fire, wind, vandalism -also critical is how a structure is used, its occupancy

Economic Capital for Insurers

-calculated using probability models of the various factors that affect results -probability models are used to estimate the effect of various stresses on the market value of an org's assets, liabilities, and MVS -an org needs numerous models to simulate the potential risks across all aspects of its operation -the results of the various models are combined, taking into account any overlapping effects or correlation between risks -the output is a distribution of possible fair value profits and losses (gains and losses in MVS), which is unique to each org -economic capital is equal to the value of a loss in MVS that is expected to be exceeded at the selected level of probability (threshold); ex: only 1% of the time if the standard is to have sufficient capital 99% of the time -economic capital is defined using the concept of VaR, the maximum loss at a selected probability, or threshold level -if an org's MVS is greater than its economic capital, then it has excess capital; deficiency if lower

fair value of insurers

-calculating insurers' fair value is complicated because there is no available market for insurers' largest liabilities: loss reserves and unearned premium reserves -these liabilities are carried on the BS at the undiscounted estimate of future payments or earned amounts -these reserve amounts are uncertain, so it's unlikely that an insurer could transfer these reserves to a reinsurer or another party at their present value -an assuming entity would require additional payment in case the reserves prove to be inadequate

cyber risk net income loss exposure

-can be measured by considering how an org might be affected if a cyber breach caused a reduction or cessation of business operations -consider any possible business interruption that would decrease revenues, increase expenses, or both -can result from interruptions of the org's own computer network and those of its key customers and suppliers -cyber-related contingent business income loss exposures involve income that is contingent (dependent) on a computer network that is not owned or operated by the insured org

Exploratory Data Analysis

-can be used before developing and testing a predictive model to produce a basic understanding of the data on which the model will be based -the better understood the data, the better the model -techniques include charts and graphs that show data patterns and correlations among data -scatter plots show the relationship between two attributes -a correlation matrix can show that certain combos of attributes correlate with something

5 Whys Advantages

-can determine the root cause of a problem -when several root causes are found, it can determine the relationship among them -usually doesn't require statistical analysis or data collection

criticality analysis

-can follow FMEA -an analysis that identifies the critical components of a system and ranks the severity of losing each component -four categories of failure: 1. failure resulting in excessive unscheduled maintenance 2. failure resulting in delay or loss of operational availability 3. failure resulting in potential mission failure 4. failure resulting in potential loss of life -categories can be used either subjectively to establish priorities among hazards and their controls or objectively to measure how a risk management professional can alter the expected criticality of a system failure -way to perform this is calculating a risk priority number for each identified failure

audits

-can identify both negative risks and opportunity risks

Assessing Risks through network analysis

-can provide insight into where attention and energy could be best focused to influence those opinions and hopefully minimize any negative risks to the org's reputation -social network analysis needs a starting point, whether a single blog post, facebook group, etc. -to see how much of a threat an article poses to the org's reputation, the risk manager will want to analyze the article's reach, then try to pin down how much further beyond that network the article could travel -can use a matrix where the presence of a social relationship is noted with a 1, and lack of a relationship with a 0; or a sociogram can help risk managers understand how far a negative sentiment can spread -the sentiment's influence depends significantly on its posters' degree, closeness, and betweenness -a risk manager's goal when using a social network is to reach as many end users as possible with the minimum amount of effort

Risk Based capital allocation model bottom-up

-capital is calculated at each individual activity level; they are aggregated, taking into account diversification, to arrive at the org's overall capital -may allow for more accuracy at the activity level -application is far more complex than top-down

Risk Based capital allocation model top-down

-capital is determined at the firm-wide level, then a methodology is applied to allocate overall capital to each activity based on its inherent risks

Components

-care must be taken to describe the components of systems in ways that are broad enough to include all the system's aspects yet sufficiently specific to be meaningful -ex: physical elements

relating indicators and outcomes

-chart the data -do a regression analysis -benchmark

GAAP

-common set of accounting standards and procedures used in the preparation of financial statements to ensure consistency of presentation and reported results -assets such as machinery and buildings are valued at depreciated cost -bonds that will be held to maturity may be valued at amortized cost -an org's net worth is called equity

Economic Capital Analysis disadvantages

-complex and sophisticated -relies on underlying assumptions and probability estimates of various outcomes -uses fair value to assess all assets and liabilities at market value, which may produce changes in MVS unrelated to the company's ability to operate on an ongoing basis

Systems (operational risk)

-concerns the function of technology, its intentional or accidental failure, and security -equipment failure -risk can be reduced by blockchain

Sources of Property Risk

-consider all sources that can affect exposures -natural risk sources: occur randomly in nature (natural disasters, etc) and also includes events that affect just one org (ex: building collapse caused by snow accumulation on roof); risk management can't really do anything about this except implement loss reduction measures to control consequences -human risk sources: deliberate acts of individuals or groups, as well as events that aren't deliberate but involved some element of human intervention; terrorism, vandalism, explosion; can be managed to some extent

system safety analysis

-consider an org as a whole when identifying potential sources of loss -subsystem concept is essential for effective loss control because the largest system can be jeopardized when a single, deeply layered subsystem fails -cornerstone of risk management's ability to protect the org from losses is understanding the org's systems and subsystems, how they interact, and how the failure of one subsystem can endanger entire org

Personal Property Replacement Cost

-create an inventory of all tangible property that the org owns or uses at each of its facilities -determine how to establish property replacement cost; it differs depending on the type of business -manufacturer: production cost -wholesaler: purchase price from manufacturer -retailer: purchase price from wholesaler -prices that are relevant are the current costs or prices that are required to replace the inventory -sometimes inventory will be replaced much later so you use the prices for whenever replaced

Network Security Liability

-cyberattack results in unauthorized access to corporate info -results in denial of service -results in spreading a virus -damage to a third party's network results from a data breach at the first-party org: first party is liable if it fails to prevent transmission of malicious code from its own network to connected third-party networks; the first party doesn't need to be the source, it just had the ability to prevent the transmission with security measures but didn't -org encounters e-media liability for libel, slander, infringement of trademark, and copyright: when a cyberattack successfully introduces offensive content into a first party's website; libel: written, slander: sound; a data breach can result in trademarked or copyrighted content displayed on a breached party's website in a manner that falsely indicates the party owns the IP

internal data

-data captured and stored by orgs -data identifying customers, vendors, accounting records, HR records, email correspondence -includes files specific to the type of business -risk managers rely on internal data to monitor various risk factors -more reliable and carries greater risk around privacy issues

data-driven decision making

-describes the organizational process of gathering and analyzing relevant and verifiable data and then evaluating the results to guide business strategies -two basic approaches: descriptive and predictive approaches

process flow analysis

-dissects processes within the org from input to output for the purpose of improving them

5 Whys

-drills down to the originating causes of a risk event by asking why an accident occurred, why the circumstance occurred, and on and on -then create a fishbone diagram to map it out -used mainly for problems involving human factors

work-related violence

-duties of the employer include protecting employees and visitors from both physical violence and mental harm caused by people they come in contact with during their working hours -some orgs face risk of kidnapping

fiduciary duty

-duty to act in the best interests of another -duty of care: act in good faith and best interest of org -duty of loyalty: can't take business opps away from org they work for -duty of disclosure: material facts must be disclosed to those who have a right to know them -duty of obedience: obedience to the law

checklists

-easy to use and communicate known risks to employees with little effort -don't help identify unknown risks

evaluating the predictive model

-effective models generally are revisited on a predefined schedule -performance is evaluated using 3 metrics: 1. accuracy: a measure of how often the model predicts the correct outcome; number of correct predictions/total number of predictions 2. precision: measures only the positive results/number of positive predictions; a better measure of a model's success than accuracy 3. recall: measure of how well the model catches positive results; # of correct positive predictions/(correct positive predictions + incorrect negative predictions)

risk management monitoring and reporting

-effective risk reporting systems must provide a flow of info both up and down the lines of authority -risk reports should focus on KRIs and trends, comparative performance measures, and compliance with standards using internal and external info -org can become overwhelmed by the flow of data if not properly managed -should use qualitative and quantitative data -manner in which the reports are designed is also key to their effectiveness: siloed vs integrated

emerging risk assessment tools and techniques

-emerging tech and smart devices provide real-time data -radio frequency identification, sensors, AI, computer vision -don't replace traditional methods but do overcome some of the shortcomings of the traditional methods

emerging technologies, data accuracy, and operational risk

-emerging tech related to operational risk has focused heavily on data accuracy and process efficiency, aiming to achieve as much as possible while also being as accurate as possible -data can be gathered quickly, through sensors, cameras, and similar hardware, and then stored and accessed through technologies such as blockchain and RPA -blockchain smart contracts -blockchain can alleviate operational risks caused by the inaccuracy and inefficiency of current record-keeping practices

Solvency II

-establishes a set of EU-wide capital requirements and risk management standards -economic capital is an underlying principle -applies to insurers in the EU, including European operations and subsidiaries of insurers based outside of the EU -3 pillars: 1. a solvency capital requirement akin to economic capital that ensures a 99.5% probability that the insurer will meet its obligations over the next year 2. sets requirements for insurers' internal risk management processes and the supervision of insurers 3. focuses on reporting, disclosure, and transparency of the risk assessment to the public and regulators

purpose

-every system has at least one purpose -ex: food product container protects food and gives nutrition info -to assess the adequacy of a system's components, risk management professionals must know the purpose of those components

environment

-every system operates in an environment that it both affects and is affected by; within this environment, a system fulfills its purpose; -different environment classifications: *the immediate physical environment includes temp, illumination, pressure, etc. *the org environment includes the policies and procedures that govern the interaction of the system's physical elements *the socioeconomic/legal environment includes social norms and conventions, laws and regs, and local, national, global economic considerations

event tree analysis

-examines all possible consequences of an accidental event, their probabilities, and existing measures to prevent or control them -may be used to examine the effectiveness of systems, risk treatment, or risk control measures and to identify, recommend, and justify expenditures of money, time, or resources for improvements -can also be used qualitatively and quantitatively in the same ways as a decision tree -start with identifying the first accidental event related to a product or process that could result in unwanted consequences -barriers are listed along the top in the sequence in which they would be activated should the designated accidental event occur -for each pathway, the end probability is the likelihood that every event in the pathway will occur (multiply all probs together) -the sum of all probs at the end of the diagram should equal 1 -limitation: provides only two options, success or failure, and thereby fails to reflect the complexity of some processes or products

decision tree analysis

-examines the consequences, including costs and gains, of decisions -to compare different decisions and select the most likely to help the org obtain a strategic goal -used to select best course of action from multiple actions or to manage risks associated with a project -qualitative analysis: help generate scenarios, progressions, and consequences that could potentially result from a decision -quantitative: can estimate probabilities and frequencies of various scenarios resulting from a decision -begins with identifying the decision under consideration; various pathways are charted for each potential decision; each pathway leads to a new outcome -for quantitative analysis, probabilities are assigned to each pathway and expected values of each pathway can be estimated for the outcome

blockchain technology

-facilitates secure transactions without the need for a third party -protects against cyber threats -eliminates the need to verify the accuracy of risk management data -lets risk managers spend more time on forward-looking functions

Fair value accounting

-fair value market price incorporates several factors; most important factors are future cash flows and the risk attached to those cash flows -differs from GAAP and SAP -refers to net worth as market value surplus (MVS) = the fair value of assets minus the fair value of liabilities

Life Safety

-fire loss control requires a great deal of advance planning -factors such as the health and mobility of a building's occupants may affect their safety in a fire or other risk event -also based on building occupancy

assessing social media risks through text mining

-first step is collecting a group of related documents (corpus) such as a selection of product reviews or social media posts -this corpus can then be mined for specific words or phrases a risk manager may be interested in monitoring -objective of the initial text mining project is to perform a sentiment analysis of those mentions -to successfully analyze the text, it first must be cleaned up by eliminating spaces, punctuation, and words that provide little info and by reducing words to their stems by removing prefixes and suffixes -an analysis of the term frequency and the inverse document frequency of certain terms can provide additional insights -as more info is discovered, new corpuses can be formed to analyze TFs and IDFs in relation to more refined target demographics or media sources -can help risk manager decide where to focus

Economic Capital Analysis advantages

-focuses attention on the risks attached to an org's activities and can define an org's risk tolerance -puts a value on an org's overall level of risk -helps orgs establish the amount of capital they need or the risks they can take with a given amount of capital -reveals capital requirements for different operations and improves capital allocation -helps orgs understand their economic capital position in order to deal with investors, rating agencies, etc -provides an overall quantitative measure for a company's enterprise risk management program

Technique of Operations Review (TOR) Approach

-focuses on preventing accidents caused by ineffective management -five basic principles of risk control: 1. an unsafe act, an unsafe condition, and an accident are all symptoms of something wrong in the management system 2. certain circumstances, unless controlled, may produce severe injuries 3. safety should be managed like any other organizational function (with goals, planning, controlling, etc.) 4. management must specify procedures for accountability if safety efforts are to be effective 5. the function of safety is to locate and define the operational errors that allow accidents to occur -tries to identify particular faults of an org's management and groups these faults into categories -helps identify accident causes and suggests corrective actions

three keys to effective collaboration

-gain a holistic perspective -motivate workers -contribute to a common goal

Steps in the FMEA Process

-generally used in the design stage to avoid future failures and for process control 1. determine scope and objective 2. assemble team 3. define system components and their functions 4. for each component, identify potential causes and effects of failure 5. develop responses to prevent or mitigate failure

Windstorms

-greatest threat is building damage -pre-loss actions: design buildings and structures to withstand wind, use storm shutters and blinds rated to handle high winds, keep roof and walls in good repair and provide adequate support, secure materials and equipment located outside the facility -after: risk manager should be ready to use spare construction materials to temporarily repair buildings and have security on the grounds to prevent vandalism and looting

Fault Tree Analysis Steps

-harmful event is placed at the top of the chart and the events that are necessary to produce it appear as branches connected by "and" and "or" gates -"and": indicates that event A can occur only if all four events in the rectangles connected by solid lines occur first -"or": any one of the events leading to the gate is sufficient to cause that event -to break a fault tree at an "or" gate, none of the events below the gate can be allowed to occur -you can add probabilities -"and" probability: multiply all the probabilities in the "and" sequence -"or" probability: p(H) + p(I) - p(H x I)

discrete probability distributions

-have a finite number of possible outcomes -displayed in a table that lists all possible outcomes and the prob of each -used to analyze how often something will occur and shown as frequency distributions -ex: the number of hurricanes making landfall in Florida

continuous probability distributions

-have an infinite number of possible outcomes -possible outcomes are on the horizontal axis and the likelihood of those outcomes is on the vertical axis -the outcomes are called probability density functions -typically used for the consequence of an event -show the value of the loss or gain rather than the number of outcomes

D&O cyber exposures

-have fulfilled their duty of care if they act in good faith and in a manner they reasonably believe to be in the corporation's best interests; ex: shifting board's attention to cyber exposures -have general duty to disclose material facts to all persons who have a right to know such facts and would not otherwise be able to obtain them; ex: telling stockholders, bondholders, and potential investors about a data breach

scenario analysis

-identifies risks and predicts the potential consequences of those specific risks -can help identify a range of potential consequences and prioritize risks -benefit is it brings all the concerns of different parts of the org together so they can be addressed as a whole -should assemble an internal cross-functional team to get a multidimensional view -disadvantage: may be limited by the imagination and brainstorming capabilities of the team selected

risk analysis

-identify risk -note range of consequences and determine probability of each -can focus on a specific event or a process

tasks a risk register should accomplish

-identifies the org's risks appropriately -prioritizes risks according to their potential effects on the org -allows for collaboration and instant updating by risk managers and stakeholders -tracks improvement actions to take, when they're taken, and when a follow-up or review will occur

Fault Tree Analysis Limitations

-if a high degree of certainty doesn't exist concerning the probabilities of the underlying or base events, the prob of the top event may also be uncertain -important pathways to the top event might not be explored if all causal events are not included in the fault tree -static so may need to be reconstructed if anything changes -human error is difficult to represent in a fault tree -domino effects are not easily included in a fault tree

E&O cyber exposures

-if any unreasonable conduct or breach of contract results in financial loss to any other party, the producer is responsible to that party for the full extent of the loss sustained -an error could occur and a loss be sustained when placing cyber risk liability coverage because traditional insurance typically does not apply to cyber risk exposures

Risk-based capital allocation model

-important tool for evaluating both the risk inherent in an org's current and potential future activities and the returns to be gained from participating in these activities -must be possible to assign capital at a business-unit or activity level -goal is to maintain a consistent cost of capital across activities -helps management determine how much risk an activity adds to org's overall risk profile, examines returns associated with activity, makes decisions to invest or not in activities -various types of economic capital can be used -can be top-down or bottom-up

tangible personal property

-includes all the stuff (furnishings, equipment, supplies, inventories) we encounter at home, work, in school, and elsewhere -physical items that represent or store value: money, securities, records of accounts receivable, and valuable paper and records

Process (operational risk)

-includes the procedures and practices orgs use to conduct their business activities -risk stems from the possibility that a practice will depart from procedure -best managed through a framework of procedures and a mechanism to identify nonconforming practices

Invasion of Privacy and Breach of Contract

-invasion of privacy includes an org's failure to prevent unauthorized disclosure, deletion, or alteration of personal and corporate info -orgs are required by law to let customers know if their info is leaked -good communication can help retain customers and mitigate damage -Gramm-Leach-Bliley Act has standards for customer records maintained by financial services companies -invasion of privacy is broad enough to include documents that contain nonfinancial info, like photos -third parties commonly pursue breach of contract when 1st party fails to fend off cyber attack -1st party doesn't have to act negligently or breach a standard of care to be found liable under a breach of contract cause of action; failure to fulfill its contractual promise is the key issue

Land

-land that's considered unimproved today may have been improved in the past for some purpose or cleared for farming -most important factor in valuation of unimproved land is its location; can also have features of value such as timber, fish, game -improved land has man-made alterations; not improved if it just has fencing -land and its natural features have not traditionally been insured for loss, because land usually can't be destroyed

Regression Analysis (Data)

-linear regression is used to predict the numerical value of a target variable based on the values of explanatory variables -generalized linear model: a statistical technique that increases the flexibility of a linear model by linking it with a nonlinear function; used for more complex data classification

Earthquake

-location is a key factor; selecting an appropriate geographic region and a specific site within that region are crucial to earthquake risk control -design of building is a pre-loss action -box action design: used in buildings under 3 stories tall that integrates roof and floor diaphragms that can flex to transmit and distribute the forces an earthquake exerts on a structure -frame action design: relies on the resilience of steel or specially designed reinforced concrete to absorb energy while undergoing considerable distortion and return to their original shapes -post-loss: caring for injured, protecting uninjured, safeguarding endangered property -reinforce weakened buildings but then wait for aftershocks to be finished

cause and effect analysis

-looks backward through a defective process and identifies the possible reasons, direct and contributory, that caused a negative event or problem -impossible to solve or prevent a problem without finding the root cause -combines brainstorming, communications, and mapping to find the causes of a problem and the solution

retirement and resignation

-loss is the future value that the individual would have provided to the organization -not all reasons are within an org's control -need to determine which are controllable and which aren't

External Events (operational risk)

-loss of property and business interruption -loss of key supplier or customer -a local utility's failure or inadequacy could cause operational risk

Work-related injury and illness

-major categories of work-related injuries: machinery and equipment use, materials handling, vehicle fleet operations, physical condition of premises -personal inspections identify workplace hazards that may lead to the death or disability of employees and that were not identified by the other methods of assessing personnel loss -sources of illness: long term chemical exposure, radiation, noise levels, temperature extremes, ergonomic stress, poor air quality

Employment Practices Risk

-major types of risks: discrimination, wrongful termination, sexual harassment, retaliation -above risks are not mutually exclusive -to manage risk, orgs can establish hiring practices that comply with federal and local standards and laws -document policies and procedures in handbook, provide employees with formal policies and document its receipt, annual performance reviews, follow a documented termination procedure, exit interviews, investigate allegations immediately

liquidity ratios

-measure a company's ability to convert assets to cash -working capital, current, acid-test (quick) ratios -the higher the value, the larger the margin of safety the company possesses to cover short-term debts

Leverage ratios

-measure the degree to which a company has borrowed money -a lot of debt = high leverage ratios -interest payments on debt must be paid before any profits can be returned to shareholders in the form of dividends -debt to equity, debt to assets

qualitative risk analysis

-measures a risk by the significance of consequences; may use ratings such as high, medium, low -a clear, written explanation of the agreed-upon bases for each determination should be included in the assessment -don't provide exactly what costs the threats entail; what one person considers a high-level threat might be a low-level threat to someone else

SCRAM model

-measures supply chain resiliency by systematically analyzing relationships between a supply chain's "vulnerabilities" and its "capabilities" -vulnerabilities: can make an org susceptible to disruption; threats, limited resources, connectivity -capabilities: enable an org to anticipate and overcome disruptions; capacity, efficiency, recovery -objective is to identify a zone where specific resilience measures are economically capable of preserving and creating value -outside that zone, orgs would limit resilience efforts in areas where they already have strong capabilities and little vulnerability; also limit efforts where an org is overwhelmed by vulnerability (general economic collapse) because there is no point

mitigating supply chain risks

-multiple sources of supply, pooling of inventory -use of common components, such as standard hard drives and microprocessors in computerized equipment -can add new export markets as a way to hedge against fluctuations in currency exchange rates -"visibility": the ability of an org to see all the connections and resulting vulnerabilities in the extended processes for selling its products

unstructured data

-not organized into defined fields and is not consistent in format -includes info from the internet, such as social media -need data analytics for this -internal: adjuster notes, customer voice records, surveillance videos -external: social media, news reports, internet videos

Tornado

-nothing can prevent tornado damage but bodily injury can be reduced by taking shelter -installing underground shelters is effective -if devastation is not total, post-tornado procedures can include search and rescue, temporary repairs, salvaging procedures

5 Whys disadvantages

-often stopped after the first determination rather than asking additional questions to discover a problem's root cause -tend to focus on only one answer to each question -orgs sometimes don't help the investigator ask the right why questions -an uninformed investigator can't ask the right questions -different investigators will discover different causes for the same problem

operational risk categories

-orgs can benefit when they categorize their specific operational risks and develop a framework for managing them -divided into 4 categories according to Basel II: people, process, systems, external events

Supply Chains

-orgs have opted for streamlined, nimble operations focused on specific segments of a product value chain and have outsourced other types of work to business partners that specialize in them -provides more flexibility and a greater ROC, but adds its own costs and risks by relying on partners and conditions outside of an org's control -ISO 28000: a series of supply chain security management requirements developed for use worldwide -org has to consider a risk's impact on itself and anyone in its supply chain

natural Disaster loss control

-orgs need to have plans in place to deal with the possible losses before a catastrophe actually happens -need specific pre and post-loss plan for windstorms, tornadoes, earthquakes, and floods

Failure mode and Effects Analysis (FMEA)

-orgs use this to try to pinpoint and thwart potential problems before they arise -an analysis that reverses the direction of reasoning in fault tree analysis by starting with causes and branching out to consequences -org must first identify where the effect occurs in the system being analyzed so FMEA identifies a system's indenture levels -ex: concept, design, process, equipment

shareholders' equity

-owners' equity, net worth, book value -include capital contributed by owners and accumulated earnings retained by the org (retained earnings) since inception -called surplus for not for profits

conceptual phase

-phase in life of a system when the basic purpose and preliminary design of the system are formulated -provides an opportunity to manage or design hazards of a system, reducing the reliance on protective equipment and special procedures to lower the chances of human error in later phases

production phase

-phase when the actual system is created -no new safety elements are added at this point

Flood

-pre-loss actions for flooding: evaluate location of operations, analyze existing structures & ability to withstand normally expected events, use temporary levees and shutters and barriers, stock disaster supplies, place main electrical service equipment on upper floors of buildings -pre-loss for flood-related fires: no open flames or nonwaterproof wiring, protect flammable gas piping, prevent flood water from entering buildings -post-loss: assessing damage, temporary repairs, starting salvage operations, clearing clogged drains, cleaning and inspecting all equipment before restarting it

market value

-price at which a particular piece of property could be sold on the open market by an unrelated buyer and seller -best used on commodities -risk management should use product's market value on the date of loss to determine the most appropriate valuation standard for such property

theoretical probability

-probability that is based on theoretical principles rather than on actual experience -unchanging -ex: flipping a coin -constant as long as the physical conditions that generate them (how many sides a die has) remain unchanged -may be preferable but are usually not applicable or available

sequence of events (domino theory)

-proposes that five accident factors can form a chain of events that, like dominoes, lead in succession to the resulting accident and injury: 1. ancestry and social environment - inherited psychological disorders 2. fault of person - impulsiveness, temper, nervousness 3. an unsafe act and/or a mechanical or physical hazard 4. the accident itself 5. the resulting injury -removing any of the four factors before the injury should prevent the resulting injury from occurring -removal of the third domino is the best way to break the accident sequence -most applicable to situations within human control

Evaluating reputational risk

-protecting an org's reputation among its stakeholders requires planning and clear communication and ability to react quickly -managing these risks requires an understanding of these concepts: 1. reputation as a key asset 2. systemic approach to managing reputational risk 3. reputational risk management implementation

why is it important to take a team-oriented approach to identifying risks?

-provide diverse perspectives on risks -can reveal how risks are connected across an org, reducing the likelihood for risks to be overlooked

control indicators

-provide info about management

SCOR model

-provides common terminology and an analytical framework designed to allow companies and units to collaboratively identify, assess, and improve supply chain performance -supply chain partners analyze six stages of supply chain process (plan, source, make, deliver, return, and enable) according to five performance attributes (reliability, responsiveness, agility, cost, and asset management)

Value at Risk Benefits

-quantifies the potential loss associated with an investment decision -articulates complex positions as a single figure -expresses losses in easy to understand monetary terms -one limitation: it doesn't accurately measure the extent to which a loss may exceed the VaR threshold (can be addressed with conditional value at risk)

SCOR and SCRAM

-require matrixed consideration of numerous variables across different orgs, depts, functions, and individuals, generating tons of points of analysis -however all this info helps risk managers systematically assess risks at a granular level and quantify them for the purpose of measuring the resiliency of a supply chain over time and compared with other chains -also allow risk managers to see the relative impact that risks to different points on a chain have on its resilience, then establish priorities for action -develop numerical scores reflecting their assessments of resilience along the various stages of a supply chain; these scores are then incorporated into a supply chain's overall resilience score

Interest Rate Risk

-risk that a security's future value will decline because of changes in interest rates

liquidity risk

-risk that an asset cannot be sold on short notice without incurring a loss

management liability risk

-risks that result from a person's or org's legal responsibility for the consequences of an action they have taken or that was taken on their behalf -D&O, employment practices, fiduciary duties

supply chain resiliency

-shares many of the same practices as traditional risk management, but with greater emphasis on responding to disruptions than on avoiding them -creating a competitive advantage by enabling them to outperform competitors through adverse conditions -focusing on this will embrace risks that traditional risk management would avoid, providing that plans and resources are in place to respond to those risks

Social network analysis

-social network: a group of individuals who share relationships and the flow of info -measures and charts the relationship between the nodes in a network, along with the flow of communication between them -efficiency of the flow between social network connections can be determined through these centrality measures: 1. degree: a measure of the connections each node has 2. closeness: measure of the avg distance, or path length, between a particular node and the other nodes in a network 3. betweenness: measure of how many times a particular node is part of the shortest path between two other nodes in a network -another function of social network analysis is to determine trends and make predictions

systemic approach to managing reputational risk

-stakeholders will have expectations regarding how an org's resources should be managed, and the org must work to gain the stakeholders' trust and assure them that all resources are being optimized; orgs use transparent business practices and good governance to do this -the mechanism of reputation can be expressed by grouping the key drivers of reputation around 3 ethical dimensions: goals and missions, rules (laws and regulations), and values (internal forces)

Fire Safety Standards

-standards that are codified in the Life Safety Code -risk managers must ensure that the buildings owned or occupied by their org comply with the provisions of the Life Safety Code

life cycle

-system safety divides a system's life cycle into five phases, with the approach to safety applying differently to each -conceptual, engineering, production, operational, disposal -a system-oriented approach designs each product or process so that its waste disposal or obsolescence creates the minimum amount of hazardous waste or environmental harm

cyber risk property loss exposures

-tangible or intangible -commercial property forms have a little cyber coverage but it's insufficient for most insureds -tangible: all types of computer equipment -intangible: data, trade secrets, and intellectual property

SWOT Analysis

-team approach that's useful in analyzing a new project or product -strengths and weaknesses are internal environmental factors -opportunities and threats are external environmental factors -a goal is necessary to keep the SWOT analysis from becoming too general or failing to provide actionable info -concludes with a "go" or "no go" recommendation

Modern Data Analysis

-text mining, neural networks, social network analysis

Marginal economic capital

-the additional capital required to undertake an activity, over an org's current capital -calculated by measuring the org's overall economic capital, both including and excluding the activity in question

causal factors

-the agents that directly result in one event causing another -each causal factor is inserted into a root cause map to determine its root cause -ex: brakes did not "catch", other car entered intersection, truck hit car

economic capital

-the amount of capital required by an org to ensure solvency at a given probability level, such as 99%, based on the fair value of its assets minus the fair value of its liabilities -a form of regulatory capital -to measure this, one examines the potential variability in the market value of the firm's assets and liabilities, taking into consideration the firm's risks -firm then uses these risks to estimate the probability that the market value of its liabilities will exceed that of its assets by specific amounts over a one-year period -based on Solvency II (European regulatory standards for insurers)

market value margin

-the amount of compensation in excess of the market value needed to induce an investor to accept the risk -called risk premium or risk margin -to calculate the fair value of an insurer's reserves, estimated future amounts are discounted to present value and a market value margin is added -MVS of insurer = fair value of assets - fair value of liabs = fair value of assets - (PV of liabs + market value margin)

energy transfer theory

-the basic cause of accidents is energy out of control -focuses on controlling released energy and/or reducing the harm caused by that energy -ex: maintaining safe distances between objects that may move at great speed -10 basic strategies

stand-alone economic capital

-the capital needed for an activity independent of all other activities -doesn't contemplate any diversification benefits

Building replacement cost

-the cost of constructing a new building to replace an existing building that has been damaged or destroyed -high degree of accuracy -some have little economic value but high replacement costs

Functional Replacement Cost

-the cost of replacing damaged property with similar property that performs the same function but might not be identical to the damaged property -used when valuing property that is easily affected by technological changes

Replacement Cost

-the cost to repair or replace property using new materials of like kind and quality with no deduction for depreciation -can be used to value buildings and personal property

law of large numbers

-the larger the sample of past losses an org can use in the analysis, the more accurate the projections will be -only relevant and accurate when forecasting future events that meet all these criteria: 1. they occurred in the past under substantially identical conditions and resulted from unchanging forces 2. they can be expected to occur in the future under the same unchanging conditions 3. they have been and will continue to be both independent of one another and sufficiently numerous

Risk Assurance

-the level of confidence in the effectiveness of an org's risk management culture, practices, and procedures -internal: internal auditing, internal controls, prep and review of financial reports -external: third-party audits, positive press reports, supplier/lender confidence, reports and rankings from legal and regulatory authorities, customer surveys

covariance

-the measure of how two random risk variables will change in relation to each other -calculates correlation between the variables

diversified economic capital

-the portion of an org's overall economic capital that is allocated to a particular activity -takes into account the degree of correlation among the risks of various activities -bc diversification provides a benefit, an org's overall capital should be less than the sum of the individual activities' capital -the diversified capital allocated to an individual activity should always be less than its stand-alone capital

price risk

-the potential for a change in revenue or cost because of an increase or a decrease in the price of a product or input -input price risk: the uncertainty of the price of the resources used to produce an org's product -output price risk: the uncertainty regarding the price an org can charge for its product

Risk Priority Number

-the product of rankings for consequence, occurrence, and detection used to identify critical failure modes when assessing risk within a design or process -consequence rankings (C): rate the severity of the effect of the failure -occurrence rankings (O): rate the likelihood that the failure will occur -detection rankings (D): rate the likelihood that the failure will not be detected before it reaches the customer -rankings are multiplied; failure with highest RPN is addressed first, although it may not always be the most critical -general rule: any RPN with a high C-value should be given top priority; any CxO combo that results in a high number is given next priority

variance

-the spread of the data set, or how far apart the numbers are in relation to the mean

Financial Risk

-the uncertainty arising from the effect of market forces on a financial asset or liability -an org owning or using a financial instrument is exposed to financial risk

Expected Value

-the weighted average of values -the mean

intangible personal property

-things that are not physical in nature but hold value that can be identified, priced, sold, or damaged -IP: patents and copyrights -computer data and business processes located in the cloud -growing attention on reputation

control assessment

-to accurately determine its level of risk, an org must examine the effectiveness of its current risk control measures -identify every current technique and verify its effectiveness -can be quantitative, qualitative, or both

debt to assets ratios

-total liabilities/total assets -shows how the assets of the company are financed -less than .5: company is financing most of its assets through the equity contributions of its shareholders -greater than .5: most of the company's assets are financed through debt -varies by industry -high ratio, company is highly leveraged and could be at risk if it's not able to keep up with debt repayments

structured data

-traditional internal master and transactional data -organized into specific fields in databases, which allows files to be easily linked to each other -internal: policy info, claims history, customer data -external: telematics, financial data, labor stats

Text Mining

-turns text into numbers that are then used in mathematical equations or models -first step is to retrieve and prepare the text; this data is unstructured -second step: unstructured data needs to be converted to structured data before a modeling algorithm can analyze it -third step: different techniques are used to create a data mining model to help the org achieve its goals; these involve identifying previously undetected groups of data, finding the most similar instances of data, and predefining certain attributes as target variables -fourth step: evaluate effectiveness in multiple areas

strategic risk

-uncertainties associated with the organization's long-term goals and management decisions -may carry a greater risk dynamic, positive or negative, than the other categories

Exchange rate risk

-uncertainty about an investment's value because of potential changes in the exchange rate between currencies -can hedge against this with a forward contract

assessing risks of an organization

-unique qualities of org -industry it's in -internal/external factors -upstream and downstream external factors (upstream: suppliers and manufacturers; downstream: distribution channels and consumer demands)

standard deviation

-used to determine the possible spread of potential results -the greater the SD between values in the distribution, the more volatile they are

risk registers and risk maps

-used to sort and rank a large number of risks -risk register: a ledger of identified risks that are recorded in a table in a document; the data in it is specific to the org -risk map: a graphic diagram showing the components of the register; identifies, prioritizes, and quantifies risks in a two-dimensional pictorial that illustrates frequency and severity on the vertical and horizontal axes

Failure Mode and Effects Analysis (FMEA)

-uses a team of individuals to examine a process and identify potential failures at each step in the process, as well as the consequences of each failure

delphi technique

-uses the opinions of a select group of experts to identify risks -typically they don't meet but respond to a survey or inquiry instead -question-and-response cycle: answer question anonymously, see results, answer same question until reach consensus -benefits: cost-effective, eliminates group bias and encourages honesty by anonymity -disadvantages: experts' opinions may be limited to their current thinking on a subject

Descriptive approach

-usually a one-time solution that a risk manager uses to solve a specific problem -once solved, the model is no longer needed but could be used as a template for a similar problem -ex: a specialty food manufacturer's sales to a supermarket chain are declining

risk thresholds

-when an org must decide what it's willing to sacrifice or accept in exchange for achieving its goals

operational phase

-when the system is implemented -safety features built into the system during the earlier phase must be maintained -much harder to add safety options

disposal phase

-when the system reaches the end of its useful life and is disposed of -importance is largely driven by environmental concerns

FMEA Disadvantages

-when used top-down, may only identify major failure modes in a system -can be difficult and tedious to analyze complex multilayered systems -might be better used to complement another type of analysis

FMEA Advantages

-widely applicable -can reduce costly equipment modifications -can improve the quality, reliability, and safety of a product or process and improve an org's image and competitiveness -emphasizes problem prevention by identifying problems early in the process and eliminating potential failure modes

Controlling Social Media Risk

-work with attorneys to manage legal risk -authorize specific people to communicate online on behalf of org -monitor social networks and websites -have a designated response team

Cyber Risk Control Measures

1. Physical Controls: guards, locked doors, security alarms, controlled access, security badges 2. Procedural Controls: passwords, antivirus software, data encryption for stored data and data in transit, firewalls 3. Personnel Controls: preemployment screening, training, policies on acceptable and unacceptable cyber behavior, and termination procedures that include revoking access and passwords 4. Managerial Controls: centralizing responsibility with a CIO or a similar role; also ensuring that systems and procedures are adopted and monitored; creating backup files and segregating responsibilities 5. Investigation and Prosecution of Cybercrimes 6. Post-cyber-incident rapid recovery program: focuses on the org's ability to preserve and sustain its net income after a cyber loss -maintaining backups at an alternate location -securing all vital legal and technical documents -contingency measures -plans for effects on suppliers and customers -PR for the company's public image

Blockchain for Supply Chain Risk

1. Smart Contracts -can be used to protect parties from the persistent problem of payment risk (someone paying for something that is never delivered or someone not getting paid for something that is delivered) -funds can be presented for transfer and released automatically upon execution of the contract trigger 2. Supply Chain Specific initiatives -Dole, Kroger, Walmart use blockchain to trace all food products from the farm to the fork

Root Causes four basic characteristics

1. a root cause is expressed as a specific underlying cause, not a generalization; something specific 2. a root cause can be reasonably identified 3. a root cause must be expressed as something that can be modified; weather conditions can't be root causes 4. a root cause is something that can be prevented through effective recommendations

Human characteristics for fire loss control

1. age 2. mobility 3. awareness of fire 4. knowledge of building 5. density 6. crowd control

Treating Human Resource Risk

1. avoidance: risk control technique that involves ceasing or never undertaking an activity so that the possibility of a future loss occurring from the activity is eliminated 2. loss prevention: reduces the frequency of a particular loss 3. loss reduction: reduces the severity of a particular loss 4. separation and duplication: -separation: arranging an org's activities and resources so that no single event can cause simultaneous losses to all of them -duplication: involves creating backup facilities or assets to be used only if the primary activity or asset suffers a loss

Cyber risk liability loss exposure

1. bodily injury and property damage liability: injuries or property damage that result from software programs etc. 2. personal and advertising injury liability: there are exclusions on the GL form that apply to cyber exposures: a. personal & advertising injury committed by an insured in the business of advertising, broadcasting, publishing, or telecasting; designing or determining content of websites for others; or providing online search, access, content, or other services; b. personal and advertising injury arising out of an online discussion forum the insured owns, hosts, or controls 3. IP liability: copyrights, trademarks, patents, trade secrets 4. E&O liability: a failure to act or negligent acts; entails the possibility of considerable damage to the org, not only financially but also to its reputation, market standing, and goodwill with the public

Steps in root causes analysis process

1. collect data 2. chart causal factors: provides the structure to organize and analyze the data gathered during the investigation; helps identify gaps and deficiencies in knowledge as the investigation progresses 3. identify the root cause: mapping or flowcharting can help determine the underlying reasons for each causal factor identified in the previous step 4. determine and implement recommendations -typically used after an event has occurred, but can be used before to predict

Third-Party Cyber Liability Exposures

1. customer and trading partner liability 2. liability for customer data resulting from invasion of privacy and breach of contract 3. network security liability 4. D&O exposures 5. E&O exposures

Risk Based capital allocation model top-down steps

1. define the risks to be captured and collect internal and external loss data on those risks 2. apply simulations to develop the frequency and severity probability distributions used to determine economic capital 3. aggregate or allocate capital as appropriate -a process for allocation at step 2 involves ranking the activities based on their risk characteristics and historical loss exposure: 1. risks inherent to the nature of the activity 2. risks that exist because of potential weakness in controls 3. actual loss frequency and severity over a predetermined experience period -scores may be weighted to the extent that certain risks or losses are more important than others -the overall capital is then allocated based on the weighted-average scores

Process for data-driven decisions

1. defining the risk management problem 2. gathering quality data 3. analyzing and modeling (descriptive or predictive) 4. determining insights: trends, relationships, behavior, events 5. making decisions

team approaches to risk identification

1. facilitated workshops 2. Delphi technique 3. scenario analysis 4. HAZOP 5. SWOT

Risk Financing Measures for Cyber Risk

1. insurance 2. noninsurance risk transfer: -hold harmless agreement: orgs can use to receive reimbursement for cyber risk loss or to transfer their cyber risk exposures -disclaimers: used by software companies to limit the scope of liability (don't transfer risk) 3. Retention: advantageous because it encourages risk control because they pay their own losses; disadvantage is that when an org retains its cyber loss exposures, the associated uncertainty can negatively affect its financial position

traditional risk assessment tools and techniques

1. risk thresholds 2. checklists 3. workshops 4. risk registers and risk maps 5. process flow analysis 6. audits 7. cause and effect analysis 8. fault tree analysis 9. failure mode and effects analysis

five theories to understanding accident causation

1. sequences of events (domino theory) 2. energy transfer theory 3. technique of operations review (TOR) approach 4. change analysis 5. job safety analysis

steps in HAZOP process

1. subdivides the project or system design into small components 2. reviews each component to identify risks 3. identifies the cause and potential outcomes for each risk 4. develops a solution for each risk 5. ensures that solutions work and reevaluates as necessary

steps in fishbone diagram

1. team agrees on problem statement 2. facilitator writes it on the far right hand side of diagram and draws arrow that points to it 3. team brainstorms the major categories of causes of the problem 4. facilitator depicts the categories of causes as branches emanating from the main arrow 5. team members brainstorm possible specific causes of the problem, using technique such as 5 whys 6. facilitator writes each cause as a branch from the appropriate category 7. facilitator writes subcauses as branches from the causes 8. focus on areas of diagram with fewest ideas before moving to final step 9. once team determines root cause, remedies are developed and implemented to prevent recurrence of the problem described in the original statement

Risk-based capital allocation model using RAROC main 2 functions

1. to determine, ahead of time, the amount of risk associated with a business activity (risk management tool) 2. to assess, afterward, business results (performance management tool)

Ways supply chain data is collected

1. track and trace technologies: -allow users to identify where a product or its components are and have been -help identify breakdowns and bottlenecks in transit as well as where products are in relation to things such as hurricanes -can look backward and forward: can help identify source of product defects -difficult for a complex supply chain with multiple, changing participants 2. the internet of things -managers learn in real time of conditions that need to be addressed -devices can communicate with each other or also automatically initiate action to a condition detected by a sensor (actuator) -make it easier to enforce requirements for quality control and risk management 3. analysis of data -once collected, data is analyzed to identify relationships that correlate to supply chain functionality or disruption -allows managers to run computer simulations of the potential impact of different types of disruptions, and to develop advance plans for addressing them

Five characteristics that make data big

1. volume 2. variety 3. velocity: speed at which it grows and becomes available 4. veracity: completeness and accuracy of the data 5. value

assessing supply chain risks

1. correlation and covariance 2. network analysis -a single node is mapped and then its immediate connections, called alters, are mapped -networked nodes are measured for their centrality, their relative number of alters, and the degree to which they are a part of numerous networks -the more nodes it takes to bring a product to market, the more opportunity for an interruption of the supply chain -could show a node in a chain connected to other nodes in a network; could show competitors, making the org more vulnerable; also could show availability of redundant capacity, which could make a supply chain more resilient -network analysis considers the attributes of each actor and how each actor relates to the others and is affected in turn

Market Value Surplus

MVS of insurer = fair value of assets - fair value of liabs = fair value of assets - (PV of liabs + market value margin) -can be considered a risk-adjusted form of policyholders' surplus for two reasons: fair value takes into account the risk inherent in cash flows arising from assets and liabilities, and a market value margin is added to the present value of liabilities

Working capital ratio

Working Capital = Current Assets - Current Liabilities

risk control

a conscious act or decision not to act that reduces the frequency and/or severity of losses or makes losses more predictable

system safety

a safety engineering technique also used as an approach to accident causation that considers the mutual effects of the interrelated elements of a system on one another throughout the system's life cycle

current liabilities

accounts payable, short-term debt, or the current portion of a long-term debt

quantitative risk analysis

assigns specific values to consequences and their probabilities to reach a numeric indication of the level of risk

predictive modeling

can empower decision making by uncovering previously imperceptible risk factors

current assets

cash, marketable securities, accounts and notes receivables, inventories, prepaid expenses

System parts

components, purpose, environment, life cycle

cloud computing

enables orgs to store and share data through wireless internet and networking services

today's conception of risk

incorporates the idea that taking risks is fundamentally necessary for growth

Real Property

land and any type of structure permanently attached to it: buildings, driveways, sidewalks, underground piping, bridges, transmission towers

Legal Risk (social media)

legal risks associated with social media can arise from an org's employment practices, computer-security practices, privacy policy, or use of IP 1. employment risk: employers can look at the social media of prospects and use that to make judgments; orgs sometimes discipline or fire employees because of their social media comments 2. security risk: employees using social media may reveal confidential info that can threaten an org's security or personal security 3. IP Risk: copyright infringement and disclosure of trade secrets 4. defamation risk: disparaging remarks on social media may lead to charges of defamation; positive statements can cause problems too; the FTC truth-in-advertising rule says an endorser must disclose any connection they have with the marketer of a product that would affect how people evaluate the endorsement 5. Privacy Risk: orgs that have their own social media sites have a responsibility to protect the privacy of their visitors; healthcare and financial orgs may be particularly vulnerable to this

Internet of Things

network of devices that sense their environment, process data, and share it instantly

ROC

-org level formula: ROC = (Rev - Expense) / Capital -business-unit/activity level formula: ROC = (Rev - Expense + income from capital) / Capital charge -capital charge is the amount of capital allocated to the level, while income from capital represents the risk-free return on the capital charge

three basic causes of accidents

poor management, safety policy, and personal or environmental factors

marginal benefit of accidents

providing an opportunity to examine why they happened and the ability to learn how to avoid a repeat occurrence in the future

Reputational risk management implementation

risks can be managed by adhering to these risk management principles: 1. identify, evaluate, and prioritize reputational risk 2. develop and implement risk responses 3. monitor and report: so that management can take immediate corrective action when required -barriers to successfully managing risk to reputation are rooted in a lack of clarity, resources, or awareness

credit risk

risk that customers or other creditors will fail to make promised payments as they come due (counterparty risk)

probability analysis

technique for forecasting events such as accidental and business losses, on the assumption that they are governed by an unchanging probability distribution

coordination

the act of improving efficiency and reducing redundancy by some combo of arranging, assigning, organizing, or scheduling activities

collaboration

the act of working together to achieve a shared objective

cooperation

the act of working together to achieve individual objectives instead of a shared objective

Economic Value

the amount that property is worth based on the ability of the property to produce income

what fuels the future of holistic risk management?

the capture, storage, and analysis of data

volatility

the degree of variation a subject, such as risk, may have; risk managers can use probability distributions to reveal and assess the volatility of risks

residual risk

the level of risk remaining after actions are taken to alter the level of risk

optimum risk

the level of risk that is within an org's risk appetite

inherent risk

the level of risk that would be faced if it were to remain untreated or no action were to be taken to alter the level of risk

failure mode

the manner in which a perceived or actual defect in an item, process, or design occurs

fair value

the market value, either actual or estimated, of an asset or liability

data mining

the process of extracting hidden patterns from data that is used in a wide range of applications for research and fraud detection

inverse document frequency

the significance of a term within a document in a corpus, based on how many documents in that corpus the term appears in

effect analysis

the study of a failure's consequences to determine a risk event's root cause

traditional data analysis

typically used to determine one of these types of outcomes: -a nonnumerical category to which data belongs: product categories -a numerical answer -a probability score based on historical data -a prediction of future results based on current and past data -common techniques: exploratory data analysis, classification trees, regression analysis, cluster analysis

financial risk

uncertainties associated with the organization's financial activities

operational risk

uncertainties associated with the organization's procedures, systems, and policies

social media operational risk

users of social networks can be vulnerable to malware

engineering phase

when the system's design is constructed and prototypes are tested

human resource risk main sources

work-related injury and illness, retirement and resignation, work-related violence

