FA 13 - Risk Management
____________ barriers to risk management relate to managers' tendencies to rely on older perceptions of the risks they face and the most effective ways of managing them
Cognitive
COSO Enterprise Risk Management - Integrated Framework (ERM Framework)
considers risk to be an integrated issue that must be managed across functions and divisions in an enterprise.
In order to ensure that it is able to respond to risks, it is crucial that the organization:
constantly evaluates how effective its risk management policies are.
HR should always work to assess programs and processes, and look for opportunities for:
continuous improvement.
The goal for the identification phase of risk management is represented in the acronym MECE, which stands for:
"Mutually exclusive and comprehensively exhaustive", i.e., the org wants to be confident that it has identified all plausible risks for all strategic and operational aspects of its business, but it wants to avoid duplication or overlapping in the identification.
International Organization for Standardization (ISO) released Standard 31000, which is titled
"Risk Management: Principles and Guidelines".
Risk management
"coordinated activities to direct and control an organization with regard to risk".
The ISO process for risk management includes which two ongoing activities?
- "Communication and consultation"
- "Monitor and review"
What are the classic terms an organization may use to describe its risk treatments?
- Avoidance. The decision not to become involved in or action to withdraw from a risk situation.
- Reduction. The actions taken to lessen the probability, negative consequence, or both associated with a risk.
- Sharing. Sharing with another party the burden of loss or benefit of gain for a risk. Risk sharing can be done through insurance or other agreements. Can create new risks or modify existing risks. Relocating the source of risk is not risk sharing.
- Retention. The acceptance of the burden of loss or benefit of gain for a risk.
ISO 31000 Principles that an effective risk management program should have:
- Create and protect value
- Be an integral part of all organizational processes
- Be part of decision making
- Explicitly address uncertainty
- Be systematic, structured, and timely
- Be based on the best available information
- Fit an org's risk and control environment
- Take into account human and cultural factors
- Be transparent and inclusive
- Be dynamic, iterative, and responsive to change
- Facilitate continual improvement of the organization
The risk management tactics of enhancing and mitigating seek to change the amount of risk through certain "levers".
- Enhancing involves increasing the probability that an opportunity will materialize
- Mitigating aims at reducing the probability that a risk will occur or decreasing the negative impact it will have
- Prevention is a form of mitigation
ISO also has described an organizational framework that supports the creation of a risk-aware and risk-intelligent culture. The framework includes:
- management commitment
- design of a framework for managing risk
- implementing risk management
- periodic monitoring and review of the framework
- continual improvement of the framework
Evaluation aims at:
- Increasing transparency and accountability by measuring and reporting risk management results
- Making sure of compliance with requirements
- Assessing the effectiveness of individual risk management strategies
- Assessing the effectiveness of the organization's risk management framework (its values, policies and processes, and culture)
- Continually improving risk management by investigating incidents and identifying opportunities for improving both strategies and framework
Five steps on handling communicable diseases in the workplace that should be taken when there is a potential communicable disease risk in the workplace:
- Notification and verification of disease risk
- Understanding the disease and resources
- Identifying the scope of the risk
- Determining employer risk
- Handling internal and HR compliance matters
Risk prioritization matrix called the PAPA model:
- Prepare (events not likely to happen but that will materialize quickly if they do occur; need contingency plans in place and early indicators defined)
- Act (events are highly probable and fast-moving; require immediate responses)
- Park (events are slow-moving and unlikely; just monitor for changes)
- Adapt (events materialize slowly but may have a big impact on the org)
The vertical axis considers the speed of change, and the horizontal axis assesses the degree of likelihood.
Risk registers generally include which categories of information?
- Risk category
- Risk event
- Risk classification
- KRIs
- Risk management controls
- Risk owner(s)
- Reporting requirements
Organizations must carefully examine:
- Whether the cost exceeds the tangible and intangible benefits of the opportunity or the cost of the avoided or diminished threat
- The degree of success for the enhancement/mitigation plan
- If the plan creates another layer of opportunity or risk, termed "secondary risk", that must be managed as well
According to the COSO ERM Integrated Framework, how can risk management benefit an organization?
- a systematic approach to risk management aligns the process with the org's strategy and strategic objectives
- it leads to a more effective response to risk
- it leads to a more consistent response to risk across the org
- losses are reduced, and the org's resources are not wasted
HR's risk management performance targets should:
- be strategically focused
- combine activities and results (metrics related to activities show efficiency, metrics related to results show effectiveness)
- combine lagging and leading metrics
How can organizations improve their understanding of duty of care's broad spectrum of risk?
- consult experts and information sources
- focus groups and individual interviews
- surveys
- process analysis
- direct observation
Risk management process:
- establish the context of risk (define risk appetite and set risk management goals)
- identify and analyze risks (gather info to accurately evaluate and prioritize risk)
- manage risks (adopt and implement risk responses appropriate to each risk)
- evaluate (audit risk controls, review effectiveness, and monitor for changes in risks)
There is a need to include internal and external stakeholders at all stages of the risk management process.
Kaplan and Mikes' Three Categories of Risk illustrate some of the basic characteristics of risk:
- how risk is perceived (to be avoided as a negative or accepted as a potential positive)
- the degree to which risk can be managed (can it be prevented or guaranteed, or simply managed to increase or decrease its effect)
In order to properly analyze risk, it is important to know
- how likely a risk event is to occur
- how it will affect the organization
- how quickly the event is likely to emerge
- if there are controls currently in place to manage the risk, and if they are effective
- the probable root cause of the risk
Contingency plans must be developed with specific goals in mind, including:
- immediate security for employees, company assets, and all stakeholders
- compliance with local laws and regulations
- documentation and reporting as required
- follow-up
What are Kaplan and Mikes' Three Categories of Risk?
- internal and preventable (could include violations of ethics and failures in routine processes)
- strategy (e.g., uncertainty whether loans can be repaid or employees will be fully productive)
- external (sources of uncertainty outside the org and beyond the org's control)
Risk appetite and tolerance are in turn affected by other factors, including:
- org's strategic goals
- org's characteristic attitude toward risk
- org's resources or risk capacity
- externally imposed requirements
- loss expectancy
Security Threats are a risk category that includes:
- physical security threats (e.g., workplace violence)
- cyber threats (threats to IT systems and structures, and to sensitive organizational data)
Contingency plans generally address multiple areas in which HR may be involved:
- policies
- evacuation and relocation
- communication
- training
- continuity
Emergency preparedness and business continuity require:
- preparedness for foreseen and unforeseen events
- response capability to secure employee health and safety and continue productivity
Ways of redefining ownership:
- sharing (upside tactic; another party is brought in to help maximize the upside potential of uncertain events)
- transferring (downside tactic; a third party, frequently an insurer, will bear financial losses, obligations, or possible liabilities in exchange for a fee)
Four categories of the ERM Framework:
- strategy (risks that affect the org's ability to achieve its objectives)
- operations (risks that affect the myriad ways in which the org creates value)
- financial reporting (risks that affect the accuracy and timeliness of information about the org's financial performance and condition)
- compliance (risks associated with meeting requirements of laws and regulations)
__________ are a good way to examine the effectiveness of a specific risk response strategy, presenting an opportunity for learning and improvement.
After-action debriefs
In the second phase of the risk management process
HR takes a closer look at each of the risk areas, what creates risk, what is currently being done to address risk, and what else could or should be done.
A _______ signals when risk exposure may be increasing. It can be used to identify emerging risks to the organization. It can monitor risk but does not prevent risks from occurring.
Key risk indicator (KRI)
_______ metrics look backward at what has been accomplished, while ____ metrics measure performance that will affect results in the future.
Lagging; leading
The following is an example of which type of misaligned risk? An unintended consequence of insurance: it incentivizes people to act more recklessly than they would have had they not had insurance. The financial crises of 2008-2009 were caused in large part by individual high-risk behavior that exposed institutions to enormous losses.
Moral hazard
The ________ analysis searches for environmental forces organized under specific categories (political, economic, social, technological, legal, environmental) to better understand organizational threats and opportunities. It is necessary for a global organization developing a global organizational and functional strategy.
PESTLE Analysis
Risk level =
Probability of occurrence x Magnitude of impact. An essential consideration for decision makers as they plan risk management budgets.
The ______ analysis is often used to assess strategic capabilities in comparison to threats and opportunities.
SWOT Analysis
Quality assurance (QA)
The actions an org takes to be sure that it is performing work according to the standards it has set and that it is using specified processes correctly and completely.
Principal-agent problem (or agency dilemma)
The problem arises when an agent (such as an employee) makes decisions or takes actions on behalf of a principal (an employer or owner) but has personal incentives that may not align with those of the principal. This may be dealt with by providing incentives that will help align principal and agent interests, e.g., commissions, bonuses, stock options.
Whistleblowing
The reporting by employees of an organization's violations of policies and processes. It applies directly to risk management:
- can point to unidentified or inadequately managed risks
- can reveal policies not being followed
- can draw attention to fraudulent record keeping about the implementation and testing of risk management strategies
How can an org mitigate the risk of drug use in the workplace?
Training and education on substance abuse are important to mitigating the risks it poses to the workplace
Tactics used to eliminate uncertainty:
Upside: optimize
Downside: avoid
Three common examples of misaligned risks are
moral hazard, the principal-agent problem, and conflict of interest.
Risk equation
a basic tool in risk analysis that attempts to quantify the amount of uncertainty a risk represents. Can be quantified through risk scorecards or visualized in a risk matrix
Risk appetite
a high-level characterization of acceptable risk. E.g., we will not risk having open managerial positions due to poor recruitment.
Contingency plan
a protocol that an organization implements when an identified risk event occurs. There can be no rebuilding and recovery without contingency planning.
Risk matrix
a simple grid in which the horizontal axis represents the probability that an event will occur, and the vertical axis relates to the severity of the impact on the organization or function if the event occurs. The downside of a risk matrix is that it does not reflect the degree to which the organization or function is currently protected against the threat.
Risk scorecard
a tool used to gather individual assessments of various characteristics of risk (e.g., frequency of occurrence; degree of impact, loss, or gain for the organization; degree of efficacy of current controls).
- Risks identified as relevant to the organization are listed in a template. Individual risks may be weighted more heavily according to their strategic importance.
- When scores are aggregated, the result indicates how the organization perceives specific risks, which may lead directly to consideration of management tactics or to further analysis.
Threat ranking index
a way to determine the greatest risk. Found by multiplying ratings for each event/threat (risk A x risk B x risk C x risk D)
When should specific risk management programs be evaluated?
after every major incident and at regular agreed intervals - e.g., annually. - Results should be compared against objectives for managing risk and reported to management, who may choose to intervene to change investment in the strategy.
Ongoing monitoring and reviewing help make sure that risk management strategies are
aligned with overall strategy, are following defined policies and processes, and are effectively meeting the goals established for the management of each identified risk.
Risk control
an action taken to manage a risk: to enhance the potential of an upside risk or to decrease the potential negative effects of a downside risk.
Loss expectancy
an example of a quantitative assessment approach; it assigns monetary values to risk components. It can be described as single or annualized.
An enterprise risk management (ERM) system, such as COSO ERM, sees risk as
an integrated issue that must be managed across divisions and functions in an enterprise.
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
an organization that works to define and categorize risk. COSO was created in the U.S., primarily for needs of the financial industry and to support financial auditing.
Risks have immediate, short-term, and long-term effects. The goal is to
anticipate, prioritize, and manage as many risks as is reasonably possible.
In its Standard 31000, ISO has articulated 11 principles for risk management that allow an organization to
assess its ability to manage risk and its level of risk management maturity.
How can orgs be proactive with regard to workplace violence?
by having a written workplace violence prevention policy outlining the organizational stance toward workplace violence and outlining response procedures designed to prevent possible threats from escalating. Conducting drills, including active shooter drills, can ensure that employees know how to react if an instance of workplace violence occurs.
Risk management strategies are designed to
change the probability of a risk event occurring and/or the degree of its impact on the organization's objectives
A simulated crisis in which the plan is tested will alert the company to:
changes that need to be made and is the best way to see how the plan performs.
Employees playing a specific role in a contingency plan should be
coached to observe how the event unfolds when a crisis occurs and the plan is invoked. They can report on how employees (EEs) and technology or infrastructure performed, and on common areas of stress and confusion.
The following are sources of risks in which ERM Framework category? workplace requirements, reporting requirements.
compliance
An audit can only capture evidence of:
compliance or noncompliance.
The following are all examples of which type of misaligned risk?
- An employee selects a vendor company owned by a personal friend.
- An employee is directly supervised by his or her spouse.
- An outside consulting company is simultaneously retained by two competing organizations.
- A politician receives a valuable gift before a government contract is awarded to a company in her district.
- An owner/executive of a publicly traded company seeks to take his company private, in the process increasing the value of his personal holdings.
conflict of interest
Risk
describes a broad set of factors, originating from both internal and external sources, that may impact business operations.
Avoid, transfer, mitigate, and accept are all forms of what?
downside risk management tactics (used for threats)
Crisis management includes both:
emergency preparedness and business continuity
An ____________ describes the actions to be taken in the event of a natural disaster, emergency evacuation, terrorist attack, or any other incident that disrupts the normal work pattern. It tells employees what to do.
emergency response plan
After-action reports, compliance evaluation, and continuous improvement strategies are all crucial tools that will
enable the organization to correctly plan for risk as risk evolves.
A business continuity plan will guide steps to
engage backup systems and notify employees of the issues and any changes to their duties as systems are restored.
Implementing plans to respond to risk, including emergency situations, is key to
ensuring that an organization will be able to adequately handle any risk event.
Known knowns
events that are to be expected and so involve little uncertainty
Moral hazard
exists when one party engages in risky behavior knowing that it is protected against the risk because another party will incur any resulting loss.
The following are sources of risks in which ERM Framework category? growth of assets, misappropriation of assets
financial reporting
A safety self-audit is conducted by an employer to assure the organization that employees are:
following safety-related policies and procedures
The risk identification and analysis stage begins with
gathering information from a variety of sources to make sure that the organization is considering all aspects and perspectives of its strategy and operations. - Information is then analyzed to understand each risk more fully.
By eliminating uncertainty, the organization or function takes steps to
guarantee that positive risk events will happen and negative ones will not happen.
An organization wants to be confident that it has identified all plausible risks for the strategic and operational aspects of the business while avoiding duplication or overlapping in the ________ step.
identification
In order for an organization to know what threats to protect itself from, and what opportunities to risk resources to capture, it must first:
identify all the internal and external risks that affect its strategies and operations, in all of its locations and in all segments of its operations.
surveys, interviews, and focus groups are methods used to
identify risks
Conflict of interest
in which a person or organization has the potential to be influenced by two opposing sets of incentives, is exemplified in both moral hazard and the principal-agent dilemma.
An organization's structure, willingness to change, and values will impact
its willingness to engage in risk management
All events - including ones that do not involve compliance or may be false alarms - present an opportunity for:
learning and improving the risk management strategy.
Risk register
lists information about and responsibility for managing specific risks. This information increases the transparency and accountability in an organization's risk management process.
HR's role in crisis management is to:
make sure that plans address the vulnerabilities of employees at different locations and the unique vulnerabilities of short- and long-term assignees.
Cognitive barriers to risk:
managing risk effectively also requires imagination and openness to change
Audits
may be conducted internally or externally to check that policies for risk management are adequate, in place, being followed, and producing the anticipated results. They require having the right person (an unbiased third party) equipped with the right tools, which include risk management expertise, understanding of the org's business and processes, and awareness of best practices.
Key Risk Indicators (KRIs)
metrics that "provide an early signal of increasing risk exposures in the various areas of an enterprise".
- These signals could call for a change in the way risks are prioritized for management or in the management actions themselves.
- Strategically aligned with key initiatives or strategic objectives, and developed by considering the root causes of risks and intermediate events that may signal changes.
- The alerts must be monitored if the KRIs are to be effective and help manage risks.
The following are all examples of which type of misaligned risk?
- A manager under-reports workplace accidents to earn an incentive.
- Employees overuse an organization's health benefits, causing an increase in the plan's premiums the following year.
- A CEO receives a no-fault golden parachute when forced to resign due to poor company performance.
- A retail manager overestimates an inventory count to understate the cost of goods sold, increasing the book value of income for that period.
- A member country of an economic union borrows beyond its ability to repay the loan, knowing it will receive support from the larger organization.
moral hazard
___________ exists when someone takes risks because he or she will not be affected by losses or damages that occur as a result.
moral hazard
The following are sources of risks in which ERM Framework category? sustainability, supply chain, health and safety, data privacy, process efficiency and effectiveness
operations
Based on the analysis stage, an org can:
optimize its risk management plans by focusing its resources on significant risks and tracking risks in a risk register. It can also develop key risk indicators.
Once the risk management strategy has been chosen, implementation is handled as in any project or change. Ownership of the implementation of the strategy must be designated to someone with the
organizational expertise, communication skills, credibility, and managerial support to execute the plan.
Risk-averse
orgs that will avoid choices in which the gains are too low or the costs too high.
Types of environmental health hazards:
physical, chemical, biological
ISO 31000
presents definitions related to risk, principles for organizations to follow in making themselves more resilient and capable of managing risk, and a risk management process.
In the evaluation step of the risk management process, organizations
prioritize the risks they have identified, based on the results of the analysis.
the best role regarding risk for HR is one that is
proactive, not reactive, and that considers risk from an integrated enterprise perspective
Mitigation planning occurs after analysis of:
probability, risk, and speed of onset.
a response plan may include
procedures for interviews of employees involved in breaches, as well as actionable steps to begin the process of containing a threat, understanding any legal responsibilities arising from a breach, and the best way to address the breach publicly if necessary
A common form of transferring risk for HR is through a
professional liability or errors and omissions (E&O) insurance.
The last phase of the risk management process involves:
providing oversight (evaluation).
"the effect of uncertainty on objectives"
risk
An action taken to manage a risk is referred to as a ________
risk control (note: important to revise these)
In the ________, the level of risk equals the probability of occurrence multiplied by the magnitude of the impact of the risk event.
risk equation
To be effective, __________ must have a broad focus, including risks that affect strategic goals and those that affect daily operations.
risk management
Risks categorized from the perspective of the amount and kinds of knowledge in hand when evaluating them:
risks can be categorized into "known knowns", "known unknowns", and "unknown unknowns".
Crisis management seeks to identify
risks that can result in sudden and extensive harm to facilities and/or the workforce and therefore in significant interruption and risk to the business.
unknown unknowns
risks that we don't know exist. They are the events that "blindside" an organization (or individuals or entire cultures).
___________ refers to risks that are created by the risk management strategy itself. Before they are implemented, strategies must be analyzed to determine if they present these.
secondary risk
Risk tolerance
sets a more defined range above and below a target risk position. E.g., we will take necessary steps to make sure that management positions are filled within 30 to 45 days.
Integrated enterprise effort
should involve individuals and groups throughout the organization.
unknown knowns
some people suggest that these are risks we mistakenly think we understand. These can be monitored through educational campaigns, reserve funds, insurance, or contingency plans that accept unknown possibilities.
The following are sources of risks in which ERM Framework category? investment, innovation, competitive behavior, consumer behavior, partners, employee engagement and diversity
strategy
The barriers to risk management are primarily:
structural, cognitive, and cultural.
focus groups
structured group interviews in which the participants are guided through brainstorming, sorting, and consensus building about the types of risks they encounter.
Duty of care means that organizations should
take all steps that are reasonably possible to ensure the health, safety, and well-being of employees and protect them from foreseeable injury. - Spans an entire employment relationship and beyond (e.g., retirement). Can extend to family in some cultures and assignee situations.
In the crisis management and readiness process, there is an emphasis on the need to:
test plans and to learn from tests and actual crises.
Key risk indicators signal what?
that a threat or an opportunity may be materializing.
"anti-fragility"
the ability to not just withstand high-impact events or shocks but to improve and benefit from them.
Tolerance is
the amount of risk the organization can handle if an event occurs
Residual risk
the amount of uncertainty that remains after all risk management efforts have been exhausted
Risk Appetite / Risk Tolerance
the amount of uncertainty the organization is willing to pursue or to accept to attain its risk management goals.
Vulnerability refers to
the degree of probability that a loss will occur
Single loss expectancy (SLE)
the expected monetary loss every time a risk occurs. It involves the asset value (AV) and an exposure factor (EF): SLE = AV x EF
Annualized loss expectancy (ALE)
the expected monetary loss for an asset due to a risk over a one-year period. It involves SLE and an annualized rate of occurrence (ARO): ALE = SLE x ARO
During the first phase of the risk management process:
the organization tries to gain a sense of how prominent a role risk plays in the organization, where most of the risk resides, and what the typical sources of this risk are. It can use tools to assess the market and surrounding environment to prevent risks (SWOT analysis, PESTLE analysis).
Risk position
the organization's desired gain or acceptable loss in value. - The risk position the org chooses will be influenced by its risk appetite or risk tolerance.
By taking no action, an organization decides to ignore or pass up possible opportunities or to accept the occurrence of a threat. This is used when
the possibility of increased opportunity or threat is unlikely, when the gains and losses do not merit the investment of mitigation efforts, or when no further action can be seen as having any effect
Impact is
the possible effect on the organization
a hazard is defined as
the potential for harm, often associated with a condition or activity that, if left uncontrolled, can result in injury or illness. Hazards have the potential for immediate and sometimes serious harm to employees.
After discussing and analyzing stakeholder needs and perspectives, the risk management team will have a better idea of
the requirements for the solution and its constraints.
When evaluating risk, understanding the organization's current standing is key to understanding what changes, if any, need to be made. This includes understanding
the willingness to face risk, how well the organization is positioned to handle risk, and how effective the organization's current policies are at dealing with risk.
Why should identified risks be regularly reassessed?
to see if the risk still exists or has dissipated, or whether the level or characteristics of the risk have changed.
Cultural barriers to risk
ultimately involve what types of mindset are sought, instilled, and rewarded
Known unknowns
uncertainties that we know exist but we don't know much about their probability or impact.
Effective implementation also involves communicating what is essentially a request that employees change their behavior or perceptions. Implementing a risk management plan requires that employees:
understand the need for new practices. This may require manuals, training workshops or presentations, or signage.
Nassim Taleb's "black swans" theory about unknown unknowns
unforeseen "outlier" events that are extremely rare, have a major impact, and, when viewed in hindsight, are reasonably predictable.
HR should ensure that whistleblowing complaints reach _____________ and should protect whistleblowers from retaliation by coworkers or managers
upper-level management
An _______ risk is an opportunity that arises out of uncertainty about outcomes.
upside (an uncertainty that has a positive outcome)
Optimize, share, enhance, and ignore are all forms of what?
upside risk management tactics (used for opportunities)
"After-action debrief"
usually applied to meetings to examine the effectiveness of a risk response strategy, such as workplace evacuations, in-place lockdowns for security reasons, a workplace injury or act of violence, or temporary relocation of operations. - Incident investigations are generally seen as more limited in scope.
Before engaging in any drug testing, it is important to:
verify that organizational policies and procedures comply with all applicable federal laws and regulations and state laws.