Fundamentals of Risk
What are the main steps of a risk management process?
8Rs Recognition of risks - Identify Rating of risks - Measure Ranking against risk criteria - Prioritize Responding to significant risk - Addressing Resourcing controls - Finding/Purchasing Necessary Resources Reaction planning - Contingency (Business Continuity/Disaster Recovery Plan) Reporting of risk performance - Communicate Reviewing the risk management system - Audit
What is the difference between a risk management standard and a risk management framework?
A standard is the document the produces information on both the risk management process plus the framework. Risk management framework is a piece of the risk management standard.
What are examples of risk management documents/records?
Administration records, risk response & improvement plans, event reports & recommendations, risk performance and monitoring reports
What is intended with Aligned risk management activity?
Aligned with other business activities - Needs to implement right controls for the right business goals. Ex. bike lock is a control but has nothing to do with home security.
What is meant by Assurance aspect of an effective risk management program?
Assurance: Regarding the management of significant risks. It is aligned with PACED model. It is the "right" thing to do
What is the difference between risk attitude and risk appetite?
Attitude is closely related to the risk appetite of the organization, BUT they are NOT the same. Risk attitude indicates the long-term view of the organization towards risk and risk appetite indicates the short-term willingness to take risk. An attitude is a general perception to risk ie. risk averse or risk aggresive. Risk appetite is a particular threshold of risk that an organization will not want to cross
What is an example of compliance risk?
Banks can lose their banking license if they do not meet minimum risk management guidelines, incl. minimum capital reserves
What are the ways in which an org can Respond to significant risk?
4Ts Tolerate - Accept Treat - Mitigate/Reduce Transfer - Insure Terminate - Eliminate Completely
What are the most used risk management frameworks in the US
COSO ERM: Created in 2004: Enterprise Risk Management is considered to multi-directional in which almost any component can and does influence all other components. (the 3D Cube) COSO Internal Control: Created in 1992 - For NYSE organizations and recognized by the Sarbanes Oxley Act - This is the most widely used framework in the United States IRM Standard: Created in 2002 - The IRM standard is a high level approach aimed at non-risk management specialists. ISO 31000: created in 2009 - Places particular importance on context. "When undertaking risk management activities, consideration should be given to the internal context, external context, and risk management context."
What are the most common risk assessment techniques?
Checklists & questionnaires - Advantage: Consistent. Greater involvement from all risk practitioners. No gray area in terms of work to done. Structured. Disadvantage: Can be too rigid. Things might be missed because it looks for things you already know. Historical. Workshops & brainstorming, - Advantage: Great way to get opinions from all parts of the organization to see different perspectives. Consolidated opinions from all participants. The more interaction, the more ideas produced. Disadvantage: The loudest/most senior person will be heard - people default to this. You also have to make sure you have the correct people in the room. inspections & audits. Advantage: Physical evidence forms the basis of opinion. Audit approach results in good structure. Disadvantage: Inspections are most suitable for hazard risks. Audit approach tends to focus on historical experience flowcharts & dependency analysis Advantage: Useful output that may be used elsewhere, so it is versatile. Analysis produces better understanding of processes. Disadvantage: Difficult to use for strategic risk. May be very detailed and time-consuming.
What is intended with Comprehensive risk management activity?
Comprehensive, systematic, structured - Ex. having a great lock for the front door, but not having a lock on the back door or bars on windows = Not Comprehensive
Give an example of a medium term impact
Control/Uncertain Risks - Ex. Maintenance costs for car breakdowns, cost of gas may go up or down
What is an example of a cyber related hazard risk scenario?
Cyber criminals hack into RiskLens servers and breaches the confidentiality of company/client data and compromises RiskLens' reputation
What is meant by Decisions aspect of an effective risk management program?
Decisions: Pay full regard to risk considerations in the decision making process - Activities should ensure information is available to support decision making - ex. A water depth sign on the road of an area that is susceptible to flooding. With this information, I can make a decision on whether or not to drive through or find a different way. I will pay full regard to risk considerations with the available information
What Is enterprise risk management?
Discipline focused on addressing the full spectrum of a business' risks and managing the combined impact in an interrelated risk portfolio. Different from traditional risk management as it is more integrated and takes a more holistic approach. ERM is when an organization considers all of the risks that it faces and how these risks could impact the strategy, projects, and operations. The head of ERM is generally the Chief Risk Officer.
What is a risk register? How should it be used?
Document that identifies risks and outlines their importance in meeting particular objectives. The register is used to start risk mitigation and is otherwise known as the risk management action plan. Log for recording risk threats, the event the threat takes, the assets, and the outcome. Risk Registers should be used as a dynamic document by the organization because risks can change days, weeks, months, years, etc. Organizations need to be careful of using a Risk Register that is static and is only reviewed sparingly and mitigation efforts are not being acted on.
What is intended with Dynamic risk management activity?
Dynamic, iterative and responsive to change - Ex. Many parts of DC used to be very rough in the 70's/80's but after decades of gentrification, homes no longer need to be as secured.
What is intended with Embedded risk management activity?
Embedded within business procedures and protocols - Ex. There needs to be procedures and policies in place to ensure controls are working effectively. Ex. Nick's daughter accidentally leaves house key inside the lock of the front door
What are examples of opportunity risks?
Entering a new market, launching new product, open a new office, etc.
What are examples of quantitative assessment techniques?
Hazard & operability studies (HAZOP) and failure mode effects analysis (FMEA). Not true quantification
What are the four main types of risk?
Hazard (pure/negative), Control (project/uncertainty), Opportunity (speculative/positive), Compliance
Give an example of a short term impact
Hazard risk: Getting into car accident, paying too much for the car, car may get stolen
What is meant by Effective & Efficient aspect of a risk management program?
It's all about cost effective decision making
What is inherent risk?
Level of risk before any actions (controls) have been taken to change the likelihood or magnitude of the risk. Often used as a starting point to identify the importance of control measures and is otherwise known as absolute or gross risk.
What are the three lines of defense? Specifically in IT?
Line 1 - Security Operations The first line are the "Doers". They report to the CISO and are in charge of security operations. Their job is to defend the organization. Line 2 - IT Risk Management The second line are the strategists. These people define where the top risks are. They are designed to specifically deal with risk and go through training to achieve that end. Line 3 - Audit Audit's role is to ensure that the first and second line of defense are adhering to policies and sufficiently defending the organization against risks. Audit is responsible for reporting to the board on risk management practices.
What should risk management deliver?
MADE2 Mandatory Assurance Decisions Effective and Efficient
What is meant by Mandatory aspect of an effective risk management program?
Mandatory: Obligations placed on the organizations - Ensure conformity with rules,laws, and regulations - example: Buying car insurance, installing seat belts are both legally required activities
Provide examples of specialty areas of risk management
Market & Credit risk management, IT Risk management, Financial risk management, Health & Safety Risk Management, Project Risk management, Clinical/Medical Risk Management
Give an example of a long term impact
Opportunity Risks - Ex. Increased job opportunities from freedom of travel
How do orgs treat hazard risks?
Organizations seek to *control* or *mitigate* hazard risks, e.g. through insurance. These risks are managed within a level of tolerance of the organization (also called Risk Appetite).
How do orgs treat control risks?
Organizations seek to *manage* this type of risk by reducing the variance between expected outcome and the actual results, often with effective resource management or effective implementation of protocols & processes. E.g. building in contingency funds if a project goes over budget. Notoriously difficult to quantify.
How do orgs treat opportunity risks?
Organizations seek to embrace opportunity risks. This type of risk is associated both with taking a chance or doing nothing. There can both positive and negative outcomes from behavior, but this is about managing relationship between risk and return (ROI). Risk attitude dictates willingness to invest in opportunities. Cost benefit analysis can be useful here.
What is a risk management standard?
Outlines the overall approach to the successful management of risk, including the description of the risk management process, together with the suggested framework that supports the process
What are the main principles of risk management?
PACED Proportionate Aligned Comprehensive Embedded Dynamic
What is intended with Proportionate risk management activity?
Proportionate to the level of risk within the organization - Not too much and not too little. Risk management must be proportionate to threats faced by the organization. Ex. A simple front door lock may be good enough for homes in a nice neighborhood, but not enough for homes in Detroit.
What is RASP?
RASP describes elements of a risk management process. Risk Architecture: Define roles and responsibilities. Governance. Who does what? Assign duties for audits, reporting, etc. Strategy: How we go about risk at the highest level? Risk appetite, tolerance, attitudes, etc. Protocols: Risk guidelines for the organization and includes rules and procedures as well as methodologies. Ex. Risk manuals for a company, Risk registers - things that capture and describe how we follow risk management processes.
What is the difference between a risk management framework and a risk management process?
Risk Management Process = 8 R's, 4 T's, or the process for identifying, analyzing, evaluating, treating, monitoring, and reviewing risk Risk Management Framework = Implements and supports risk management process (above). It is setting the policies, procedures, and practices, as well as communicating, consulting, and establishing context.
What is the most typical representation of risk likelihood and magnitude?
Risk Matrix/Risk Map/Risk Heat Map - illustration demonstrating the likelihood and magnitude of a risk or risk landscape (many risks).
Who is responsible for what aspect of risk management? (architecture/governance)
Risk management - responsible for risk assessment and identification of existing and additional controls Audit - evaluation of existing controls and testing their efficiency and effectiveness (Audit ensures that the organization is adhering to and following risk procedures/protocols set out in the company's risk manual.)
What is an opportunity risk?
Risk taken by organization to take advantage of business opportunities
What is a hazard risk?
Risk that only results in negative outcomes. This is the most common type of risk and motivates long-lasting risk management programs. RiskLens exists to quantify this type of risk and enable our clients to prioritize hazard risks.
What is a control risk?
Risks that give rise to uncertainty about the outcome of a situation
What are the four main areas (activities) of improvement that risk management can bring to organizations
STOC: strategy, tactics, operations, compliance
What are examples of qualitative risk assessment techniques?
SWOT (Strength, Weakness, Opportunity, Threat), PESTLE (Political, Educational, Social, Technological, Legal, Economic)
What is risk management?
Set of activities within an organization undertaken to deliver the most favorable outcome and reduce the volatility or variability of that outcome - Set of activities to manage levels of risk within risk appetite
What are the typical timescales used in classifying risks?
Short Term - impact immediately after event occurs Medium Term - typically impacts about a year following event occurrence Long Term - impact will not be known for several years after event occurs
In what ways can organizations have different attitudes to risk?
Specific circumstances can allow organizations to have different attitudes towards risk. For example, an organization's location, industry, maturity, and the attitude of key stakeholders (board members) can all influence an organization in being risk averse or risk aggressive.
Give examples of how orgs can have different risk attitudes
Startups have a risk aggressive attitude because they are entering a new product and may be spending a lot of resources with minimal reward/returns. A mature oil company that wants to start drilling in a new geographic and knows there will be plenty of oil within. They are taking a low risk, high reward stance on risk attitude.
Can you explain how the 'bow-tie' describes the risk scenario?
The bow-tie illustration allows for a risk scenario to be depicted and analyzed based on the source, controls, and impact . This allows companies to look at causes that lead up to an event and the effects of an event to the company. Vertical lines in between points display controls in place.
What is residual risk?
The level of risk after all controls have been applied. This is otherwise known as current level risk.
What is risk appetite?
The level of risk an organization is willing to accept
What are the main flaws with heat maps?
Typically, the measures of likelihood and impact are expressed in qualitative terms such as unlikely-possible-likely and H-M-L, which is problematic because they lead to subjectivity and inaccurate results
What are examples of control risks?
Uncertainties with Project outcomes such as project benefits, resources, timelines, budget, etc.
What is Risk?
Various bodies (IRM, ISO, IIA) all have different definitions but a common theme is: risk is the probability of an event and its consequences. An event must occur for risk to materialize. In a corporate setting a risk is seen as anything that can impact the fulfillment of a corporate objective
What method is commonly used to rate/represent risk?
heat map
In what way does risk management improve an org's operational activities?
risk management helps an org identify actions taken to reduce the likelihood of these events, limit the damage caused, and contain costs - How do we ensure controls are used properly? Ex. Education on use fire extinguisher use, replacing batteries on smoke detectors, what to do when fire alarms go off
In what way does risk management improve an org's tactical activities?
risk management helps an org think through tactics and an understanding of other available options - What do we need to do to fulfill a given strategy? What controls are we going to put in place to reduce risk? Ex. Fire extinguishers, installing smoke detectors, fire alarms
In what way does risk management improve an org's compliance activities?
risk management helps an org understand the risks associated with failure to achieve compliance with statutory and customer obligations. How do we ensure what we put in place continues to have reduced risk? Ex. Fire drills, fire marshal inspection
In what way does risk management improve an org's strategic activities?
risk management helps an org understand the risks associated with strategic corporate decisions - Why do we want to do this? Why do we care? Ex. Preventing catastrophic damage caused by fire
What is compliance risk?
risk related to not meeting rules and regulations. Organizations are subject to certain rules and regulations in certain industry. Ex. HIPAA to protect privacy in healthcare, food safety laws, etc...
What are examples of hazard risks?
theft, DDOS attacks, hurricanes, vandalism, drunk drivers
