What does risk control involve? (3)
What can risk control help an organisation do?
Strategic investments can help organisations to seize new opportunities. Name 2 types of strategic investments.
Risk control involves
(1) the application of tools to influence the probability and/or impact of a risk event
(2) the mitigation of follow-on effects that risk events may have on the continuity of an organisation’s operations or its reputation
(3) preventing the causes and reducing the effects of loss events
Help seize opportunities, allowing it to achieve and sometimes exceed its objectives by protecting its cash flows
- Flexible manufacturing systems or IT systems, can help organisations to seize new opportunities = allow organisations to adapt their production processes, modifying their products and services to exploit changes in customer needs and wants
- Market research as a risk control tool can be used to take advantage of potential opportunities for new product ideas and markets
MANAGING PROBABILITY AND IMPACT
What are the common causes of loss events? (4)
What are the common effects of loss events? (3)
The causes of loss events are typically due to one or more of the following:
1. people (human error, negligence and criminal acts);
2. processes (poor process design, excessive reliance on fallible human input or breakdown);
3. systems (systems failure);
4. external events (weather politics, terrorism and economic events).
Effects:
(1) loss of resources (asset damage or loss of cash);
(2) loss of human resources (injury, ill health or death);
(3) loss of reputation, including customer goodwill.
MANAGING PROBABILITY AND IMPACT
What are the 2 ways an organisation may reduce its exposure to loss events?
Can a risk-control tool do both?
What are loss prevention tools?
Name 3 examples.
By (1) lowering the probability that a given event will occur or (2) by mitigating the impact of any event that does occur
It is rare for any one risk-control tool to combine probability and impact reduction
Loss-prevention tools = tools that reduce the probability of a loss even occurring by targeting its causes
E.g., IT system firewall, segregation of duties, door locks
MANAGING PROBABILITY AND IMPACT
What are loss reduction tools?
What 5 things do they do?
Name 3 examples.
Loss-reduction tools = tools that reduce the impact/effects of loss events by:
1. limiting the physical damage that is caused; (financial)
- helping to fund the repair or replacement of loss assets as cost effectively as possible (financial)
- shortening the duration of a loss event or (non-financial loss events e.g., adverse media affect on reputation)
- helping an organisation to recover quickly from events (non-financial)
- Helping prevent death or injury (non-financial)
Examples:
(1) Data back-up arrangement
(2) Fire extinguishers / burglar alams
(3) whistleblowing arrangements
THE 5 Ts OF RISK CONTROL
Controlling risk to manipulate the probability or impact of loss events, or to exploit opportunities, is not a given. Usually some kind of risk-control strategy is required.
What are the 5 common risk-control strategies?
- Tolerate = take no formal action to control the risk
- Treat = Risk treatments = actions taken to manipulate an organisation’s exposure to one or more risks (either mitigate threats or exploit opportunities through loss prevention/reduction tools)
- Transfer = passes the impact of loss events to a third party
- Terminate = any action taken to stop an activity or leave a location that is creating a particular risk exposure or combination of exposures
- Take the opportunity = may still implement other types of controls (e.g. risk treatments and transfers), either to mitigate any associated threats or to increase the potential to exploit the opportunity
THE 5 Ts OF RISK CONTROL
When may risks be tolerated? (3)
Where risk exposures are tolerated, senior management should do what?
When risks are transferred, this may involve passing on what 2 things? How?
What is the only way to terminate exposure to risk?
When should the decision to terminate a risk only occur?
Where is the option to ‘take the opportunity’ present?
Risks may be tolerated where they are known and accepted by an organisation = may be where:
A. risk exposure is within the organisations risk appetite
B. controls are uneconomical/impractical
C. taking the risk is necessary to achieve the organisations objectives.
Approve and periodically review the decision = rare that a risk will be tolerated indefinitely
Transfer may involve passing on:
(1) the financial impacts of a loss event = via insurance or equivalent risk financing contracts
(2) the financial and non-financial impacts of a loss event = via a contract with a supplier or outsourced service provider
Terminate = to terminate the activity or location that is creating the exposure = could mean that an organisation passes up valuable opportunities and it may fail to achieve its objectives
- should only occur where no level of risk exposure is considered to be tolerable, or where the risk exposure is considered to be untreatable or non-transferrable
Present in activities such as corporate mergers, new product development and research and development = not taking an opportunity may sometimes be a bigger risk than taking one
RISK TREATMENT TECHNIQUES
Risk treatment helps organisations control their exposure to risk - includes loss prevention and loss reduction tools.
Why should an organisation categorise the prevention and reduction tools?
What is the PCDD Hazard Risk Typology?
What is it used for?
How else can risk control categories be categorised? Why?
Can help an organisation to develop optimal risk control strategies that address the range of causes and effects associated with different loss events
PCDD = Preventive, corrective, directive, and detective controls
Used to help classify the range of controls than can be used to control health-and-safety or environmental hazards
Formal and informal controls
Can help an organisation ensure a good balance between the formal and informal aspects of its approach to treating risk exposures
RISK TREATMENT TECHNIQUES - PCDD HAZARD RISK TYPOLOGY
What are preventative controls?
Name 4 examples.
What are corrective controls?
What do they usually include?
Name 3 examples.
Preventative = focus on addressing the causes of loss events and are a type of loss prevention tool
Examples = staff training, PPE, asset maintenance (such as servicing), security arrangements (locks, passwords, shredding documents)
Corrective = a type of loss reduction tool correcting the adverse consequences of a hazard or similar loss (fire, pollution etc.)
Normally include mechanisms to learn from loss events that have occurred (e.g., post-event investigations into what went wrong and why)
Examples = fire extinguishers, disciplinary procedures, business continuity and recovery plans
RISK TREATMENT TECHNIQUES - PCDD HAZARD RISK TYPOLOGY
What are directive controls?
Name 3 examples.
What are detective controls?
Are they a loss prevention or loss reduction tool?
When do they function best?
Name 4 examples.
Directive = controls that are used to enforce desirable outcomes and are a type of loss prevention tool
Examples = (1) organisation’s policies and procedures that are related to RM, governance or compliance, (2) code of conduct, (3) roles and responsibilities assigned to employees in their job descriptions
Detective controls = help to indicate the onset of a hazard or subsequent loss event
and are used to highlight deficiencies in preventive or directive controls
A form of loss prevention tool where it helps to detect the causes of potential loss events
AND
a loss reduction tool where it helps to detect the occurrence of an actual loss event
Function best when combined with corrective, preventative or directive controls = provide an indication that something is wrong
Examples = (1) fire and burglar alarms; (2) internal audits and compliance reviews; (3) H&S inspections. (4) bank reconciliations to detect loss events such as fraud
RISK TREATMENT TECHNIQUES - FORMAL CONTROLS
What are formal controls? (3 characteristics)
What do they provide? (Mechanism)
Which controls do they include?
Formal controls have one or more of the following characteristics:
1. they have a physical presence, for example door locks or a sprinkler system;
2. they are documented within a policy or procedure; or
3. they involve tangible sanctions, such as disciplinary arrangements.
Provide a clear and tangible mechanism for risk control
Include a wide range of preventive, corrective, directive and detective controls
RISK TREATMENT TECHNIQUES - INFORMAL CONTROLS
What are informal controls?
What are the 3 characteristics?
What do informal controls relate to? (2)
What do informal controls complement?
When can informal controls act as a substitute for formal controls?
Informal controls are social mechanisms of control and tend to be human-oriented and social in nature E.g., culture and risk culture of an organisation
(1) These controls are almost never documented
(2) they do not have a physical presence
(3) sanctions tend to be intangible e.g. individuals who do not comply with informal controls may find that their peers are unfriendly or unhelpful
They relate to :
(1) the social norms, beliefs, values and perceptions that staff members and other stakeholders have concerning the control of risk
(2) how people communicate, exert power and influence over each other, and work together.
Informal controls complement formal controls and help to ensure compliance and correct implementation of formal controls.
Informal controls can act as a substitute for formal controls where there are weaknesses in the formal control environment
Name 5 common risk-treatment controls.
Categorise them by PCDD and formality.
- Action plans = Plans that are put in place to address weaknesses in the identification, assessment, monitoring or control of risk
FORMAL
DIRECTIVE - Tone and action from the top
INFORMAL
PREVENTIVE and DIRECTIVE - Emergency shut down = Mechanisms that ensure the rapid shutdown of systems that are failing or which are unsafe
FORMAL
CORRECTIVE - Audits and reviews = Internal audits and reviews designed to assess the effectiveness of an organisation’s internal controls and its exposure to compliance risk
FORMAL
DETECTIVE - Communication = Mechanisms that help people communicate with each other
FORMAL and INFORMAL
ALL
RISK FINANCING
Why do organisations use risk financing mechanisms?
How does risk financing fit into an organisation’s risk-control strategy? (4)
To help fund the financial consequences of loss events
- Treat = RF may be employed to protect an organisation’s cash flows from the financial impact of a loss event e.g., cash funds can be used to replace lost assets quickly, minimising any business disruption effects
- Tolerate = An organisation may be able to tolerate loss events more easily where finance is available pre-loss (or can be obtained post-loss) to help restore lost assets
- Transfer = An organisation that has transferred risks through insurance may decide to put financing mechanisms in place to help mitigate the risk of the insurer’s refusal to pay a claim
- Terminate = The decision to terminate may carry with it associated risks that need to be financed e.g., the decision to stop producing a high-risk product may expose an organisation to business risk, including the risk of losing market share to rivals
RETAINED RISK FINANCING
What is retained risk financing?
What does it involve?
What does this mean? (3)
What are the 2 types of retained risk financing?
= treating, tolerating or terminating the effects of loss events with the aid of risk financing tools
Involves retaining rather than transferring the financial effects of a loss event
This means that these financial effects will affect one or more of the following:
1. organisational cash flows;
2. profit or surplus; and
3. the balance sheet, reducing assets or increasing liabilities.
Funded or unfunded
RETAINED RISK FINANCING - FUNDED
What is funded risk financing?
Why may funded risk financing be chosen?
How can funded risk financing be implemented?
Funded risk-financing tools may be combined with what?
Funded means allocating a pot of funds before a loss has to be financed
May be chosen because risk transfer (in the form of insurance or similar) is not needed, not available or too expensive.
Can be implemented before (pre-event) or after (post-event) the occurrence of a loss event
* Funding may be implemented post-event where a loss event has occurred but the full effects of the loss event are not yet known or have not been fully realized
Funded risk-financing tools may be combined to form layers of finance for losses of varying sizes = Unfunded risk financing and risk transfer provide further layers of finance
RETAINED RISK FINANCING - UNFUNDED
What is unfunded risk financing?what does it rely on?)
Why might unfunded risk financing occur? (4)
Unfunded means not putting funding in place and relying on current cash flows or unallocated capital to pay for any financial effects
Unfunded risk financing may occur because:
(1) the potential for a given loss event has not been identified (a failure in risk identification);
(2) the full effects of a loss event are not understood (a failure in risk assessment);
(3) there is a failure in risk transfer, such as where an insurer disputes a claim or refuses to pay out in full; or
(4) an organisation decides that the financial effects of a loss event are small enough to not require funding.
RETAINED RISK FINANCING MECHANISMS
Name 4 retained risk-financing mechanisms.
Categorise them into funded or unfunded and pre or post loss.
- Allocated reserves = Profit or surplus that is allocated to help fund a specific project or loss event
FUNDED
PRE and POST LOSS - Cash flows = Cash may be generated by sales, donations, grants and loans or similar
UNFUNDED
PRE and POST LOSS - Contingent capital = a form of debt that is converted into equity when certain triggers are met, such as at the onset of a loss event that may bankrupt an organisation if left unfunded
FUNDED
PRE-LOSS - Unallocated reserves = Profit or surplus that is generated and which is not allocated to a specific project or fund.
UNFUNDED
PRE and POST LOSS
INSURANCE RISK TRANSFER
When will an organisation wish to transfer risk?
What is insurance risk transfer?
Insurance companies provide insurance against a range of potential loss events, including what 4 things?
Who can help with insurance?
What is the the limit of indemnity or indemnity limit?
What are deductibles?
Why are they common?
= When the likelihood of a risk materialising is low but the impact is high
Insurance risk transfer means purchasing insurance from an insurance company to transfer the financial consequences of losses arising from hazard risks
- motor accidents, fire and theft;
- property damage and theft;
- building defects, like subsidence;
- employer’s liability – legal liability payments to staff suffering health and safety problems;
An insurance broker can help design an insurance program, purchase insurance and to process claims
Limit of indemnity or indemnity limit = To help reduce premium costs and to ensure that insurance is available, cover is limited to a maximum loss amount
Deductibles require an organisation to pay the initial amount for a loss that is incurred
Insurance premiums should be cheaper if the deductible is larger and the maximum level of cover is lower, as the level of risk transfer is lower
NON-CONVENTIONAL RISK TRANSFER FOR THE FINANCIAL EFFECTS OF RISK
What are non-conventional risk-transfer tools?
Name 5 examples of non-conventional risk-transfer tools.
An organisation that chooses to use non-conventional risk transfer tools should ensure what?
= The alternatives that exist to insurance are termed non-conventional risk-transfer tools.
Non-conventional risk-transfer tools for the financial effects of risk include:
- financial markets, particularly in relation to derivatives and their use for hedging financial risks;
- finite risk insurance, which provides a multi-year mechanism for sharing the financial effects of loss events with an external counterparty;
- protected cell captive insurance companies, which operate like finite risk insurance;
- catastrophe bonds, which are risk-linked securities that transfer risks to financial counterparties who profit if the pre-specified catastrophic event fails to occur; and
- credit default swaps, which provide a form of insurance against creditors defaulting on their obligations
Ensure that it has the right expertise in place
= Non-conventional risk transfer arrangements can be very complicated to set up and it is easy to make mistakes.
CONTROLLING MAJOR LOSS EVENTS
Major loss events can have significant financial and non-financial implications for organisations.
What initial consequences may there be? (3)
What post-event consequences may there be? (3)
What is crisis management and business continuity planning important? (If do not have one?)
How does business continuity planning fit with crisis management? (2) (what should rapid recovery ensure?)
Initially = serious asset damage, injury or death, and often attract media attention
Post-event = business activities of the organisation may be disrupted for some time, and large regulatory fines and liability claims can follow
An organisation that does not have effective crisis-management arrangements and business continuity plans may not survive the aftermath of a major loss event
- Crisis management addresses all stages of a crisis from the emergence of the causes of the crisis through to the crisis event and its aftermath.
- Business continuity plans help with containment and damage control, and support business recovery
= Rapid recovery should ensure that the continuity of organisational activities is maintained with the minimum disruption
= Business continuity planning is an important control in the crisis management process
CONTROLLING MAJOR LOSS EVENTS - CRISIS MANAGEMENT
What is crisis management?
Name 4 examples of crisis events.
What is the process and tools for crisis management? (4)
What are the 2 ways to help identify and assess crisis events?
= process by which organisation deals with a disruptive and potentially unexpected event that threatens to harm the organisation, its stakeholders or the general public
Examples = major fires, death or injury of people, terrorist attacks, data breaches
The process of crisis management is the same as for RM (identification, assessment, monitoring and control of crisis risks.)
BUT tools used are different
To help identify and assess crisis events:
1. Can use information on crisis that have been experienced by other organisations.
2. Use scenario analysis (reliant on expert judgement)
CONTROLLING MAJOR LOSS EVENTS - CRISIS MANAGEMENT
The control of crisis events is structured around what 5 areas, each of which represents a different stage in the development of a crisis?
- Signal detection: = Looking for early warning signs that a crisis could occur.
E.g., investigating near misses, IA findings, risk monitoring reports - Preparation and prevention = Steps are taken to prepare for the occurrence of potential crisis events and to prevent these events by looking to control their causes.
- Containment and damage control: = When a loss event occurs that may evolve into a crisis, steps must be taken to limit the adverse effects of this event.
* E.g. Implement business continuity plans, communicating with key staff and stakeholders, working with the emergency services - Business recovery: = it can take a long time to recover from a crisis but this duration can be reduced with effective recovery arrangements = quickly replacing lost assets and ensuring that funds are available to support the recovery
- Learning from the crisis: = After recovery from crisis, lessons are learned from the experience are implemented to help prevent or reduce the effect of future crises
CONTROLLING MAJOR LOSS EVENTS - BUSINESS CONTINUITY PLANNING
What does business continuity planning help with?
How may it be produced?
It is common to have business continuity plans that support the recovery of what?
What does a business continuity plan do? (3)
How often should a business continuity plan be updated?
BCP help with containment, damage control and support business recovery.
may be produced for a whole organisation or for specific functions, systems or premises.
Support the recovery of disrupted IT systems or for essential operational processes, such as manufacturing and supply chains
- outlines the actions that should be taken to minimise business disruption and to help recover from a major loss event as quickly as possible
- shows the order in which functions, systems, services, or premises need to be recovered first and how quickly they must be recovered
- explain the roles and responsibilities that people have to support recovery efforts – staff need to be ready and know what to do
Important that BCP is tested annually and updated as appropriate
CONTROLLING 3RD PARTY RISKS
When does 3rd party risk exist?
What are the 3 key risks?
What can be the impact of these risks on organisations? (2)
How are the controlled?
Wherever service contracts are entered into, there will be third party risk.
The key risks are:
1. Failure of the service provider to provide an acceptable quality of service.
2. Disruptions to the continuity of service.
3. Failure of the service provider (such as bankruptcy), meaning that the service can no longer be provided.
Each of these risks can have a significant impact on organisations, increasing costs, and disrupting operational continuity
Controlling these risks can be done using a variety of risk treatment tools.
-
The global risk environment20
-
Regulatory frameworks16
-
Sector regulators21
-
Risk-management frameworks and standards25
-
Key risk-management concepts28
-
Risk-management as a foundation of organisation success14
-
Risk-management processes, perspectives, and responsibilities24
-
Framework for governance, risk, and compliance28
-
Evaluating and reporting risk38
-
Risk culture, appetite, and tolerance24
-
Compliance management18
-
Risk-control strategies25
-
Risk-management in practice20
-
Trends and future developments for risk-management27
-
More trends and future developments for risk-management30
