
Chapter 1

Environmental Risk Analysis

Stage 1: Identification of hazards. This consists in establishing a conceptual model of the investigated site, defining contamination hot spots, the types of chemical compounds present and their distribution within the ground, transport mechanisms, routes of exposure and potential receptors.
Stage 2: Toxicological evaluation. The objective of the toxicological evaluation is to quantify the potential risk of exposure from the toxic compounds detected.
Stage 3: Exposure assessment. The objective is to establish the daily doses of exposure of the potential receptors to chemical agents. This is based upon the concentration of each of the adverse chemical compounds identified and the exposure routes contemplated for the analysis.
Stage 4: Risk characterization. This consists in combining the toxicological information on the chemical compounds identified with the exposure doses to the potential receptors. The situation is integrated into a program to determine the quantitative risk associated with the site in question. As the result of the risk is an estimation, it is important to indicate the level of uncertainty.

Systematic risk v/s Unsystematic risk

Difference between Systematic Risk and Unsystematic Risk

Basis for Comparison | Systematic Risk | Unsystematic Risk
Meaning | Risk/threat associated with the market or the segment as a whole | Hazard associated with a specific security, firm, or industry
Impact | A large number of securities in the market | Restricted to the specific company or industry
Controllability | Cannot be controlled | Controllable
Hedging | Allocation of the assets | Diversification of the portfolio
Types | Interest risk and market risk | Financial and business risk
Responsible factors | External | Internal
Avoidance | Cannot be avoided | It can be avoided or resolved at a quicker pace.
Inherent & residual risk
Without any risk controls, the firm could lose $500 million. However, the firm prepares and follows risk governance guidelines and takes the necessary steps to calculate residual risk and mitigate some of the known risks. After implementing the internal controls, the firm has calculated the impact of the risk controls as $400 million. This impact is the amount of risk loss reduced by taking control measures.
Now, inherent risk = $500 million
Impact of risk controls = $400 million
Thus, residual risk = inherent risk – impact of risk controls = 500 – 400 = $100 million

What is Risk Exposure?


Risk exposure in any business or investment is the measurement of potential future loss due to a specific event or business activity, and is calculated as the probability of the event multiplied by the expected loss due to the risk impact.

Risk Exposure formula = Probability of Event * Loss Due to Risk (Impact)

Impact of hazard risks


Hazard risks undermine objectives, and the level of impact of such risks is a measure of their significance. Risk
management has its longest history and earliest origins in the management of hazard risks. Hazard risk
management is closely related to the management of insurable risks. Remember that a hazard (or pure) risk can
only have a negative outcome.

Hazard risk management is concerned with issues such as health and safety at work, fire prevention, damage to
property and the consequences of defective products. Hazard risks can cause disruption to normal operations, as
well as resulting in increased costs and poor publicity associated with disruptive events.

Hazard risks are related to business dependencies, including IT and other supporting services. There is
increasing dependence on the IT infrastructure of most organizations and IT systems can be disrupted by
computer breakdown or fire in server rooms, as well as virus infection and deliberate hacking or computer
attacks.

Theft and fraud can also be significant hazard risks for many organizations. This is especially true for
organizations handling cash or managing a significant number of financial transactions. Techniques relevant to
the avoidance of theft and fraud include adequate security procedures, segregation of financial duties, and
authorization and delegation procedures, as well as the vetting of staff prior to employment.

Risk Management is about


1. Achieving organisational objectives
2. Addressing both “upside” and “downside” risk
3. Identification and treatment of risk
4. Reducing both uncertainties and the probability of failure

Examples of technical risk


• Design incomplete
• Right of Way analysis in error
• Environmental analysis incomplete or in error
• Unexpected geotechnical issues
• Change requests because of errors
• Inaccurate assumptions on technical issues in planning stage
• Surveys late and/or surveys in error
• Materials/geotechnical/foundation in error
• Structural designs incomplete or in error
• Hazardous waste site analysis incomplete or in error
• Need for design exceptions
• Consultant design not up to Department standards
• Context sensitive solutions
• Fact sheet requirements (exceptions to standards)

Examples of external risks


• Landowners unwilling to sell
• Priorities change on existing program
• Inconsistent cost, time, scope, and quality objectives
• Local communities pose objections
• Funding changes for fiscal year
• Political factors change
• Stakeholders request late changes
• New stakeholders emerge and demand new work
• Influential stakeholders request additional needs to serve their own commercial purposes
• Threat of lawsuits
• Stakeholders choose time and/or cost over quality

Examples of environmental risks


• Permits or agency actions delayed or take longer than expected
• New information required for permits
• Environmental regulations change
• Water quality regulation changes
• Reviewing agency requires higher-level review than assumed
• Lack of specialized staff (biology, anthropology, archeology, etc.)
• Historic site, endangered species, wetlands present
• Controversy on environmental grounds expected
• Environmental analysis on new alignments is required
• Project in the Coastal Zone
• Project on a Scenic Highway
• Project near a Wild and Scenic River
• Project in a floodplain or a regulatory floodway

Examples of organisational risks


• Inexperienced staff assigned
• Losing critical staff at crucial point of the project
• Insufficient time to plan
• Unanticipated project manager workload
• Internal “red tape” causes delay getting approvals, decisions
• Functional units not available, overloaded
• Lack of understanding of complex internal funding procedures
• Not enough time to plan
• Priorities change on existing program
• New priority project inserted into program
• Inconsistent cost, time, scope and quality objectives

Examples of regulatory risks


• Water quality regulations change
• New permits or new information required
• Reviewing agency requires higher-level review than assumed

Examples of project management risks


• Project purpose and need is poorly defined
• Project scope definition is poor or incomplete
• Project scope, schedule, objectives, cost, and deliverables are not clearly defined or understood
• No control over staff priorities
• Too many projects
• Consultant or contractor delays
• Estimating and/or scheduling errors
• Unplanned work that must be accommodated
• Communication breakdown with project team
• Pressure to deliver project on an accelerated schedule

International Risk
1. Transaction – the exchange rate risk associated with the time delay between entering a contract and
settling it. Thus a company is subject to transaction risk whenever it imports goods from or exports
goods abroad to be paid at a later date or borrows or invests in a foreign currency.

2. Translation – currency exchange rate risk that affects the valuation of the balance sheet assets and
liabilities between financial reporting dates.

3. Economic – the risk that a company’s value may decline as a result of currency movements causing a loss
in competitive strength.

4. Political – the risk of politically motivated interference by a foreign government that adversely affects its
cash flows.

Legal Risk v/s Regulatory risk


Legal risk is the potential for litigation to create uncertainty for a firm. In the context of a two-way financial
transaction, an example of legal risk is one party suing the other party in an attempt to terminate the transaction.
Regulatory risk refers to uncertainty surrounding actions by a governmental entity. An example of regulatory
risk could be a change in tax law or margin requirements that alter the payoff for a given trade.
Business risk v/s Financial Risk
Basis for Comparison | Business Risk | Financial Risk
Meaning | Business risk is the risk of not being able to make the operations profitable so that the company can meet its expenses easily. | Financial risk is the risk of not being able to pay off the debt that the company has taken to get financial leverage.
What it’s all about? | Business risk is purely operational. | Financial risk is related to the payment of a debt.
Avoidable? | No. | Yes. If the firm doesn’t take debt, there would be no financial risk.
Duration | The business risk will be there as long as the company operates. | The financial risk would be there until the equity financing is increased drastically.
Why? | Every business wants to perpetuate and expand, and with continuation comes the risk of not being able to do it. | To generate better returns and to tap into the lure of financial leverage, the company gets into debt and takes the financial risk.
How to handle it? | By systemizing the process of production and operation and by minimizing the cost of production/operation. | By reducing debt financing and by increasing equity financing.
Measurement | When there’s variability in EBIT. | We can look at the debt-asset ratio and financial leverage multiplier.

Advantages of risk classification


• A formal process forces management to be pro-active in their approach
• Once risks have been identified it allows the organisation to consider the tools that may be used to control
the risks.
• Can use similar controls to manage a common group of risks
• May be useful for assigning responsibility
• Help recognise which risks are inter-related
• Allows for feedback which can be used for continuous improvement

Property & Casualty insurance


P&C insurance companies usually provide annual and renewable coverage against loss events. Property insurance covers property losses such as fire and theft. However, property insurers may be subject to catastrophe risks arising from many large claims due to natural disasters, or they may benefit if there are no natural disasters; hence the all-or-nothing nature of catastrophe risks.

Casualty (liability) insurance covers third-party liability for injuries sustained while on a policyholder’s premises or caused by the policyholder’s use of a vehicle, for example. In general, for P&C insurance companies, property damage claims from natural disasters and liability insurance claims are subject to fluctuating payouts and are very challenging to predict.

Importance of risk categorisation


• Risk categories help identify risks and enable them to become robust and practical at the same time.
• It ensures that the users can track the origin of the underlying and potential risks faced by an
organization.
• These categories help determine the efficiency of the control systems implemented in all the departments
of an organization.
• It ensures that risk identification is made comprehensively, covering all the probable aspects of the
underlying and upcoming risk conditions.
• With these categories, users can determine the areas that are highly prone to risks, and it even allows in
the identification of standard and probable causes.
• With risk categories, users can even develop appropriate risk dealing mechanisms.

Gross risk & Net Risk


Gross Risk – the assessment of risk before the application of any controls, transfer or management responses

Net Risk – the assessment of risk, taking into account the application of any controls, transfer or management
response to the risk under consideration.
Chapter 2
How does the Risk context impact on managing organisational risk?
Establishing context is a very important part of managing organisational risk, because it allows an organisation
to consider each risk in its own unique circumstances. Establishing context also helps an organisation to decide
on an action plan of how best to address the risks.

Performing the Delphi technique


Step 1: Choose a Facilitator
The first step is to choose your facilitator. You may wish to take on this role yourself, or find a neutral person
within your organisation. It is useful to have someone that is familiar with research and data collection.

Step 2: Identify Your Experts


The Delphi technique relies on a panel of experts. This panel may be your project team, including the customer, or other experts from within your organisation or industry. An expert is any individual with relevant knowledge and experience of a particular topic.

Step 3: Define the Problem


What is the problem or issue you are seeking to understand? The experts need to know what problem they are
commenting on, so ensure you provide a precise and comprehensive definition.

Step 4: Round One Questions


Ask general questions to gain a broad understanding of the experts’ views on future events. The questions may go out in the form of a questionnaire or survey. Collate and summarise the responses, removing any irrelevant material and looking for common viewpoints.

Step 5: Round Two Questions


Based on the answers to the first questions, the next questions should delve deeper into the topic to clarify
specific issues. These questions may also go out in the form of a questionnaire or survey. Again, collate and
summarise the results, removing any irrelevant material and look for the common ground. Remember, we are
seeking to build consensus.

Step 6: Round Three Questions


The final questionnaire aims to focus on supporting decision making. Home in on the areas of agreement. What is it that the experts are all agreed upon?

You may wish to have more than three rounds of questioning to reach a closer consensus.

Step 7: Act on Your Findings


After this round of questions, your experts will have, we hope, reached a consensus and you will have a view of
future events. Analyse the findings and put plans in place to deal with future risks and opportunities to your
project.

Conclusion
Use the Delphi Technique for creating Work Breakdown Structures, identifying risks and opportunities,
compiling lessons learned and anytime you would usually conduct a brainstorming session.

Predicting the future is not an exact science, but the Delphi Technique can help you understand the likelihood of
future events and what impact they may have on your project.

Strengths of the Delphi technique:


• A rapid consensus can be achieved
• Participants do not have to be in the same room together to reach agreement
• Individuals are able to express their own opinions as opposed to “Group think”
• Can include a wide range of expertise
• Relatively low cost to administer and analyse
• There is the potential to gain large quantities of data
• Offers a method which can be used where data are lacking

Weaknesses of Delphi technique:


• Does not cope well with widely differing opinions or large changes in opinions (paradigm shifts)
• The facilitator’s view may dominate in the analysis
• Differing opinions may not be sufficiently investigated
• Can be time-consuming
• Needs high participant motivation
• Success of the method depends on the quality of the participants
• The written response format may be less suitable for some potential respondents

What does effective risk communication look like?


• explaining the chance of a risk playing out a certain way and what the business impact will be in the
scenario
• outlining the difference between risk (which is dependent on certain scenarios) and hazard (found within
a specific area)
• helping to deal with fears and uncertainties around certain risk elements
• managing expectations around long-term and short-term risk impact
• improving the overall comprehension of risk-based terminology and concepts to ensure better
understanding
• educating managers about risk management decisions impacting every level of business
• creating a culture of transparency that enables concerns to be addressed and questions answered
• growing risk-management credibility through training, continued education and consistent, relevant
communication
• dealing with potentially conflicting interests of various stakeholders and all affected parties

Risk Analysis is to identify the existing and possible threats

1. Human – Illness, death, injury, or other loss of a key individual.
2. Operational – Disruption to supplies and operations, loss of access to essential assets, or failures in distribution.
3. Reputational – Loss of customer or employee confidence, or damage to market reputation.
4. Procedural – Failures of accountability, internal systems, or controls, or from fraud.
5. Project – Going over budget, taking too long on key tasks, or experiencing issues with product or service
quality.
6. Financial – Business failure, stock market fluctuations, interest rate changes, or non-availability of
funding.
7. Technical – Advances in technology, or from technical failure.
8. Natural – Weather, natural disasters, or disease.
9. Political – Changes in tax, public opinion, government policy, or foreign influence.
10. Structural – Dangerous chemicals, poor lighting, falling boxes, or any situation where staff, products, or
technology can be harmed.
What is the purpose of Risk identification?
Risk identification is very important, because if you want to avoid or reduce a risk, you have to be able to identify
that risk first. By identifying the source of a problem, or the series of events which may lead to a problem, an
organisation can take steps to prevent these risks from impacting adversely on the organisation.

What is Risk analysis?


Risk analysis is the name given to a technique which is used to identify and assess any factors which may
jeopardise the success of a business. The method also assesses the chances of a risk occurring and the likely
outcome of the risk if it did indeed occur. This analysis should be taken into account when an organisation is
deciding how to prevent these risks from occurring or whether these risks are acceptable.

What is the purpose of Risk analysis?


The purpose of risk analysis is to attempt to quantify and classify the risks that an organisation faces. Looking at a variety of risks which have already been identified can help a company to consider which risks are most likely to occur, and which risks would have the most serious consequences. Analysis may show that some risks require a lot of action to prevent them from occurring or to lessen their impact, whereas other risks may be deemed to be acceptable, or the probability of them occurring may be decided to be too low to be worth spending money on preventing.

What are the different types of Risk analysis?


Quantitative risk analysis – this type of analysis is done using known data which is available from previous
internal or external sources. It is the best way to calculate accurate probability of risk.
Qualitative risk analysis – this type of analysis is carried out using personal judgement and previous experience
to act as a form of guidance. These analyses are more subjective.

Principles of Risk management

How to achieve risk aware culture


A risk aware culture is achieved by:
Advantages & disadvantages of risk assessment techniques

Contingent Risk Response Strategies


These strategies are applied only when certain events occur. The execution of these strategies happens only under certain predefined conditions. The team waits for sufficient warning signals before implementing these strategies. These signals could be missed milestones, work items or deadlines, etc.

These strategies include using Financial reserves, Staffing reallocations, and implementing Workarounds to
minimize the loss, repair the damage to the extent possible and prevent a recurrence.

Successful risk management


It is suggested that a successful risk management initiative will be:
• Proportionate to the level of risk within the organization;
• Aligned with other business activities;
• Comprehensive, systematic and structured;
• Embedded within business processes;
• Dynamic, iterative and responsive to change.

What are the activities associated with risk management?


The activities associated with risk management are as follows:

• recognition of risks;
• ranking of risks;
• responding to significant risks;
• resourcing controls;
• reaction (and event) planning;
• reporting of risk performance;
• reviewing the risk management system.

Risk Mitigation methods


Category | Action
Financial | Credit control procedures; hedging; export insurance
Environmental | Environmental scanning; contingency planning
Business/Operational | Internal control; risk procedures; recruitment & selection; testing; training; IT controls
Reputation Risk | Insurance; stakeholder analysis; inform about any changes; compliance checks; training

Treatment for supplier risks


• Appoint supplier liaison managers
• Assess supplier’s technical expertise
• Determine supplier attitude to safety, quality, environmental aspects
• Determine supplier credit rating and business strength
• Ensure supplier takes out appropriate insurance
• Establish appropriate business structure
• Negotiate terms and conditions, including warranty periods and coverage
• Provide for compensation or liquidated damages in contract (enforceable in practice?)
• Provide for payment and delivery terms in contract
• Take suitable legal advice
• Third-party or bank guarantees, insurances, confirmed letters of credit

Treatment for project risks


• Check the regulatory terms and requirements
• Determine contract terms and general conditions of contract
• Determine creditworthiness and reliability of contractors and suppliers, and their technical expertise
• Draft business agreement to allocate risks and rewards explicitly, prior to commitment
• Engage specialist expertise to develop the project structure, including legal, taxation, accounting and
consulting skills
• Establish an agreed approval and governance structure, and an agreed internal management structure
• Establish back-to-back contracts with sub-contractors and suppliers
• Establish liaison and briefing processes to expedite approvals
• Identify responsibilities for liaison and negotiation with users, contractors, suppliers and partners
• Obtain guarantees from contractors and suppliers
• Review previous projects

Treatment for client quality risks


• Appoint client liaison managers
• Assess client’s technical expertise
• Determine client attitude to safety, quality, environmental aspects
• Determine client credit rating and payment history
• Establish appropriate business structure
• Negotiate terms and conditions, including warranty periods and coverage
• Provide for compensation or liquidated damages in contract (enforceable in practice?)
• Provide for pre-payments in contract
• Take suitable legal advice

Treatments for out-of-area location risks


• Assess sovereign risk, political and currency stability
• Build additional contingencies into budget
• Contract with tropical diseases centres to establish health guidelines
• Determine applicable tax regime and government regulations
• Engage local agents
• Engage local legal and commercial advisers
• Establish procedures for staff to work under non-standard safety conditions
• Evaluate cost implications of location on operating budgets and overheads
• Evaluate security situation in target markets
• Hedge foreign exchange exposures
• Nominate own currency as currency of contract where possible
• Obtain third-party or bank guarantees, confirmed letters of credit
• Pre-fabricate where possible
• Provide staff with medical and health supplies and facilities
• Provide training for local employees and contractors
• Reduce amount of on-site work
• Take out appropriate insurance (e.g. with trade facilitation agency)
• Train expatriate staff and their families prior to departure
• Train staff in first aid
• Train staff in relevant health and safety matters
• Use local contractors

Purpose of Risk Management

Risk management is the process of identifying risks facing an organisation, assessing the scale of the risk (in
terms of likelihood and impact).

A risk response strategy is determined for each risk that takes into account the organisation’s risk appetite, and a
system of controls are put in place for reporting and management of risks. There needs to be a risk treatment or
response strategy whereby risks are managed by alternative courses of action:

• stopping an activity,
• influencing either or both the likelihood or impact of the risk;
• sharing through techniques such as insurance; or
• the risk may be accepted.

One of the strategies for managing risk is internal control.

Threat agent | Threat | Vulnerability | Type of threat

Risk Factor | Threat | Threat agent | vulnerability | affects

Example of fault tree analysis


Quantitative v/s qualitative risk analysis
Quantitative and qualitative analysis are the two approaches to risk analysis. In the case of the Quantitative, the
effect of the potential project risk that can be there on the target of the project is evaluated numerically. So the
primary purpose of the Quantitative analysis is to quantify the risk exposure and determine the size of the cost
and the schedule contingencies.

Whereas, in the case of qualitative risk analysis, the probability and impact of the potential project risk on the target of the project is evaluated against a pre-defined scale. It is a subjective approach, and the primary purpose of qualitative risk analysis is increasing awareness of the severe risks and creating risk responses to deal with and reduce the effect of these risks on the overall project.

Risk Analysis v/s Risk Management


Risk Analysis can be referred to as identifying the different possible threats that can occur in the business or the
project and then estimating the likelihood of materializing these threats. On the other hand, risk management is
a broader concept that includes risk analysis, and it can be referred as the process of continuous identification,
analysis, evaluation, and monitoring of the risk and then systematically applying the policies, practice, and
resources of management to control and mitigate adverse effects of those potential losses.
Chapter 3
What terms are used in Risk context?
Risk – Something which may happen to an organisation.
Context – The circumstances which surround an organisation.
Internal – Parts of the context which come from within the organization itself, such as the company’s aims and objectives.
External – Factors from outside of the company which may provide part of the context.

Where does determining a Risk context fit into the risk management
process?
Determining the risk context is the very first step in the risk management process. It must be done before an
organisation begins to identify the risks which it faces. If risks were identified before a context was established
then they might not be evaluated using the correct context, and therefore the action plan which is devised may
not be suitable.

What are the different types of Risk context?


Operational Context – This involves looking at the ways in which an organisation goes about its business. Most
operational factors are internal factors, which are often changeable by the management structure.
Strategic Context – This involves looking at the environment (including legal frameworks) within which an
organisation operates. Most strategic factors are external factors, which can easily change, but these changes are
not usually controlled by the organisation itself.

What is the Risk context?


In order to develop a risk management strategy, an organisation must begin by establishing the risk context. The
risk context should take into account both the internal and external set of circumstances or rules within which
the organisation is operating. Creating a proper risk context can help an organisation to create an appropriate
risk action plan.

What is the purpose of developing a Risk management process?


Developing a comprehensive risk management process will help you to ensure that your risk is addressed in an
appropriate manner. Developing a process will also help you to deal with risk in a consistent manner. Following
the steps of the process may prevent you from missing risks or actions which you may not usually consider.
Being prepared in this way can help if the risk does present itself.

What is a Risk Management Plan?


A risk management plan is the plan which is created to help to manage potential risks which may affect an organisation, business or event. The plan itself is a formal document which shows the organisation’s strategies for dealing with uncertain events or outcomes, be they positive or negative. This plan can be referred to if the event does occur.
What is the purpose of Risk Management Plan?
The purpose of a risk management plan is to provide documentation of the risk management processes and
treatments which an organisation is using to address potential risks. Most risk management plans include a risk
assessment matrix, which can be used to show potential risks and what effects those risks could have on an
organisation.

What is a Risk action plan?


A risk action plan is the course of action which an organisation agrees upon to help them to address potential
risks, reduce the likelihood of these risks occurring and to lessen the impact of these risks if they do occur. A plan
is created to ensure that the right actions are carried out in a timely manner. A plan also provides a go-to guide,
in case the “unexpected” happens.

What is the purpose of a Risk action plan?


A risk action plan helps to prepare you to face potential risks which may occur as part of a business scenario and helps you to tackle any problems which may occur. A risk action plan will provide you with strategies which are appropriate to the levels of risk which your organisation faces.

What are the different types of Risk action plans?


Risk Avoidance Plans – These plans include measures which aim to completely avoid the risks in question by
preventing them from happening.
Risk Reduction Plans – These plans include measures which reduce the likelihood of a risk occurring or reduce
the effects of a risk if it does occur.

Risk Monitoring
Any monitoring and review process should also determine whether:

✓ the measures adopted resulted in what was intended
✓ the procedures adopted and information gathered for undertaking the assessment were appropriate
✓ improved knowledge would have helped to reach better decisions and identify what lessons could be learned for future assessments and management of risks.

Key Challenges for implementing Risk appetite framework


Key challenges to implementing RAFs include:

✓ Properly transmitting the RAF within the firm together with incorporating the RAF into making day-to-
day operating decisions.
✓ Establishing a clear connection between RAFs and risk culture.
✓ Communicating risk appetite in a manner that captures all relevant risks.
✓ The common view that risk appetite is mainly about setting limits.
✓ The lack of connection between risk appetite and the strategic and business planning processes.
✓ The role of stress testing in the RAF.
✓ Aggregation of risks at the group level and then down to the individual business units.

Importance of risk management


The importance of risk management is quite simply to identify and manage problems that could prevent an
organization from achieving its objectives.

Risk management

• improves the ability to respond to and mitigate risks that occur
• minimises surprises
• enables advantage to be taken of opportunities
• maintains the organisation’s reputation and
• helps the organization to be socially responsible and be seen as a good corporate citizen.

Chapter 4
What is a Business contingency plan?
A contingency plan is developed within the broader risk management plan and details a pre-researched course
of action for management and staff to follow in an emergency or when an organization experiences an
unexpected event that has the potential to affect the financial position, business image or market share of an
enterprise. A contingency plan is also known as Plan B or the disaster recovery plan or the worst-case scenario
plan or simply as a backup plan.

What is the purpose of a Business contingency plan?


A contingency plan is developed to ensure the continuity of business operations, to help an organization recover
from disaster, manage organizational risks and to ensure that damage or injury to personnel and property is
effectively contained. The main goal of a contingency plan is to restore normal operations at a minimal cost and
with the least amount of disruption to normal business activities after an unexpected event has occurred.

What is the main goal of a Business contingency plan?


A contingency plan sets out to effect three main outcomes when an unexpected event takes place:

1. The continuance of the day-to-day operations of the business with the minimum amount of interruption or
interference from the unexpected event.
2. The actionable steps taken in the contingency/backup plan will keep the business functional long enough for a
suitable restoration of the main plan to take place.
3. The contingency plan activated in the emergency will ensure that customers are still able to purchase
goods and services from the business in a systematic and timely way.

What are the components of a Business contingency plan?


The components of a contingency plan are:
Incident response plan – This component of the contingency plan primarily focuses on the immediate response
that is required when the incident first occurs. The plan outlines a complete series of processes that guides
others in anticipating, detecting, and mitigating the impact of the contingency on the business assets.
Disaster recovery plan – This component of the contingency plan primarily focuses on the preparation for and
then restoration of normal operations as soon as possible after the contingency has occurred.
Business continuity plan – This component of the contingency plan primarily focuses on ensuring that the critical
business functions can go on when the contingency occurs. This may involve facilitating business operations at a
substitute location, until the business can restore operations at the original location.

What are steps in developing a Business contingency plan?


The steps involved in developing a contingency plan include:
1. Development of a contingency planning policy statement – which is used to define the contingency
objectives and establish the framework and responsibilities for contingency planning.
2. Prepare a business impact analysis – which is used to determine the contingency requirements and
priorities.
3. Find preventive controls – that may deter, detect, and/or reduce impacts to the organization of
contingencies.
4. Develop the recovery strategies – designed to restore operations as quickly and effectively as possible
following a contingency disruption.
5. Develop a contingency plan – that details the roles, responsibilities, teams, and procedures associated
with restoring operations to normal following a disruption brought about by a contingency.
6. Plan the testing and training – to identify and address plan deficiencies and to evaluate the capability of
the recovery team to implement the contingency plan rapidly and effectively.
7. Plan the maintenance – by reviewing and updating it regularly as part of the enterprise’s change
management process. New information like contact lists will need to be updated regularly while a review
of the accuracy and completeness of the contingency plan should be done annually.

What are the key risks to consider in a Business contingency plan?


Key risks that need to be considered when developing a contingency plan include a significant disaster that
prevents the business from trading normally; a situation that gradually gets worse, making it increasingly
difficult to conduct normal operations; or a range of smaller events which, by happening at the same time, make
normal operations near impossible.
Typical risks that need to be considered when developing a contingency plan include:
• Failure of key equipment that is critical for your business operations, e.g. IT equipment, vehicles or
machinery.
• Issues external to the business, like strikes in key areas of supply or delivery.
• Litigation threats caused by business activities.
• Physical damage to property from extreme weather events or fire.
• Product failures that create the need to have them recalled.
• Negative public relations, particularly on social media sites where negative feedback on the business can
‘go viral’ in a very short time.
• Significant changes to the business operating environment, where a major competitor develops plans to
move into your market.
• Staffing problems brought about by the death or serious illness of key employees.
• Supply issues that impact your key suppliers, causing your business to suffer as well.

Factors that can be used to build a strong risk culture


1. Knowledge of the firm’s risk appetite: Do staff understand the firm’s risk appetite? Is it communicated?
Can they answer questions about its application in day-to-day business operations?

2. Risk literacy: Are there training programs (that are attended) regarding risk? Do staff know the language
used to describe risks and the consequences of risk-taking?

3. The flow of risk information: Does information about risk flow across the firm? Are there clear links
between the discussions of risk and the decisions made by firm managers?

4. Risk/reward decisions of managers: Are managers consistent when it comes to risks and rewards in the
context of the firm’s risk appetite?

5. Risk management stature: Do the CRO and other risk managers have stature in the firm? Who hires and
fires risk managers?

6. Whistleblowing and escalation: Do staff understand the firm’s escalation process if they want to report
enterprise risks? Is there a method in place for whistleblowers to “blow the whistle”?

7. Priorities of the board: Can board members name the top 10 enterprise risks? Can members name
industry disasters associated with these risks?

8. Actions against offenders: Are employees who violate risk standards disciplined?

9. Identification of risk culture concerns/incidents: Can the firm identify risk incidents and the actions that
were taken in response to violations?

Methods by which corporate culture & Risk Culture can be measured


Methods to measure corporate and risk culture include the following quantitative and qualitative approaches:

Quantitative approaches are generally more objective and offer better comparability of results. They include:

1. Employee satisfaction surveys
• Done annually and may be extended to include questions pertaining to culture

2. Customer satisfaction surveys
• Done periodically or after key interactions/transactions (e.g., rankings from 1 to 10 or extremely
dissatisfied to extremely satisfied)

3. Indicator dashboards
• Combine a variety of indicators such as employee (e.g., number of sick days, number of resignations),
customer (e.g., number of complaints), and risk management (e.g., number of internal control breaches)

4. Validation
• Using benchmarks to compare changes or performance

Qualitative approaches are generally less objective and offer questionable comparability of results. They include:

1. Ethnographic analysis (holistic cultural analysis) and case study
• Provides a more detailed account through direct observation

Features of an effective control environment


An effective control environment must include the following five components:

1. A control environment.
2. Risk assessment.
3. Control activities.
4. Information and communication.
5. Monitoring activities.

Specific controls that should be in place in the organization to address operational risk include:

1. Clearly established lines of authority and approval processes for everything from new products to risk
limits.
2. Careful monitoring of risk thresholds and limits.
3. Safeguards to limit access to and protect bank assets and records.
4. An appropriately sized staff to manage risks.
5. An appropriately trained staff to manage risks.
6. A system to monitor returns and identify returns that are out of line with expectations (e.g., a product that
is generating high returns but is supposed to be low risk may indicate that the performance is a result of a
breach of internal controls).
7. Confirmation and reconciliation of bank transactions and accounts.
8. A vacation policy that requires officers and employees to be absent for a period not less than two
consecutive weeks.

Risk Reporting ( Internal risk reporting )


Different levels within an organisation need different information from the risk management process

The Board of Directors should:

1. know about the most significant risks facing the organisation
2. know the possible effects on shareholder value of deviations from expected performance ranges
3. ensure appropriate levels of awareness throughout the organisation
4. know how the organisation will manage a crisis
5. know the importance of stakeholder confidence in the organisation
6. know how to manage communications with the investment community where applicable
7. be assured that the risk management process is working effectively
8. publish a clear risk management policy covering risk management philosophy and responsibility

Business Units should:

1. be aware of risks which fall into their area of responsibility, the possible impacts these may have on other
areas and the consequences other areas may have on them.
2. have performance indicators which allow them to monitor the key business and financial activities,
progress towards objectives and identify developments which require intervention (e.g. forecasts and
budgets).
3. have systems which communicate variances in budgets and forecasts at appropriate frequency to allow
action to be taken.
4. report systematically and promptly to senior management any perceived new risks or failures of existing
control measures.

Individuals should:

1. understand their accountability for individual risks
2. understand how they can enable continuous improvement of risk management response
3. understand that risk management and risk awareness are a key part of the organisation’s culture
4. report systematically and promptly to senior management any perceived new risks or failures of existing
control measures

Attitudes towards risk


Different organizations will have different attitudes to risk. Some organizations may be considered to be risk
averse, whilst other organizations will be risk aggressive. To some extent, the attitude of the organization to risk
will depend on the sector and the nature and maturity of the marketplace within which it operates, as well as the
attitude of the individual board members.

Risks cannot be considered outside the context that gave rise to the risks. It may appear that an organization is
being risk aggressive, when in fact, the board has decided that there is an opportunity that should not be missed.
However, the fact that the opportunity is high risk may not have been fully considered.
One of the major contributions from successful risk management is to ensure that strategic decisions that appear
to be high risk are actually taken with all of the information available. Improvement in the robustness of
decision-making processes is one of the key benefits of risk management.

Costs & benefits of internal controls


Internal controls provide a safeguard but not an absolute guarantee

Benefits
• Avoidance of losses
• Legal requirement (health & safety, information required for HMRC)
• Well being of employees – motivation, succession planning – important resource
• Preferred employer – better calibre staff – important resource

Costs
• Establishment of policies & procedures
• Administrative support
• Opportunity cost of not spending time on the delivery of organisational objectives

Purpose and Importance of Internal Control


Internal controls are the policies and procedures used by directors and managers to help ensure the effective
and efficient conduct of the business;

• The safeguard of assets
• Regulatory compliance
• The prevention and detection of fraud and error
• The accuracy and completeness of accounting records
• The timely preparation of reliable financial information
The importance of internal control is quite simply to manage problems that could prevent an organization from
achieving its objectives.
Chapter 5
Performing scenario analysis
Scenario Analysis can help you to make better decisions, or to plan your business strategy, by challenging your
assumptions about the future.
Exploring a range of alternative scenarios allows you to identify potential risks and plan how you will counteract
or mitigate their impact.

To use the tool, follow these five steps:

• Define the issue.
• Gather data.
• Separate certainties from uncertainties.
• Develop scenarios.
• Use the scenarios in your planning.

Explain how ES is a more appropriate measure than VaR


✓ ES satisfies all of the properties of coherent risk measurements including subadditivity. VaR only satisfies
these properties for normal distributions.
✓ The portfolio risk surface for ES is convex because the property of subadditivity is met. Thus, ES is more
appropriate for solving portfolio optimization problems than the VaR method.
✓ ES gives an estimate of the magnitude of a loss for unfavorable events. VaR provides no estimate of how
large a loss may be.
✓ ES has less restrictive assumptions regarding risk/return decision rules.
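As an added illustration of the subadditivity and tail-size points above (example code written for these notes, not from the original text), the following Python computes VaR and ES on constructed discrete loss distributions: BOND_A, BOND_B, BOND_C and the 95% confidence level are assumed sample inputs, and the two bonds are taken to be independent.

```python
"""VaR vs ES on discrete loss distributions: subadditivity and tail size."""
from itertools import product


def _normalise(dist):
    """Merge duplicate loss outcomes and sort ascending by loss."""
    merged = {}
    for loss, p in dist:
        merged[loss] = merged.get(loss, 0.0) + p
    return sorted(merged.items())


def value_at_risk(dist, alpha):
    """VaR at confidence alpha: the smallest loss L with P(loss <= L) >= alpha."""
    cumulative = 0.0
    for loss, p in _normalise(dist):
        cumulative += p
        if cumulative >= alpha - 1e-12:
            return loss
    raise ValueError("probabilities must sum to 1")


def expected_shortfall(dist, alpha):
    """ES at confidence alpha: mean loss over the worst (1 - alpha) of outcomes.
    With a discrete distribution the atom sitting at the VaR point lies only partly
    inside the tail, so it is weighted by (P(loss <= VaR) - alpha)."""
    v = value_at_risk(dist, alpha)
    tail_mass = 0.0
    prob_at_or_below = 0.0
    for loss, p in _normalise(dist):
        if loss > v:
            tail_mass += loss * p
        else:
            prob_at_or_below += p
    tail_mass += v * (prob_at_or_below - alpha)
    return tail_mass / (1.0 - alpha)


def combine(a, b):
    """Loss distribution of holding both positions, assuming they are independent."""
    return _normalise([(la + lb, pa * pb) for (la, pa), (lb, pb) in product(a, b)])


def subadditivity_check(a, b, alpha, measure):
    """Return (measure of a+b, measure(a) + measure(b), whether measure(a+b) <= sum)."""
    joint = measure(combine(a, b), alpha)
    separate = measure(a, alpha) + measure(b, alpha)
    return joint, separate, joint <= separate + 1e-9


# Constructed sample positions (assumed, not from the notes): each bond loses 100
# on default with probability 4%, otherwise nothing. BOND_C defaults just as often
# but loses ten times as much.
BOND_A = [(0, 0.96), (100, 0.04)]
BOND_B = [(0, 0.96), (100, 0.04)]
BOND_C = [(0, 0.96), (1000, 0.04)]
ALPHA = 0.95  # 95% confidence level

if __name__ == "__main__":
    for name, measure in (("VaR", value_at_risk), ("ES", expected_shortfall)):
        joint, separate, ok = subadditivity_check(BOND_A, BOND_B, ALPHA, measure)
        print(f"{name}: A+B = {joint:.1f}, A + B = {separate:.1f}, subadditive = {ok}")
    # Same VaR, very different tail: VaR is silent on how large the loss beyond it can be.
    print(f"VaR A = {value_at_risk(BOND_A, ALPHA)}, VaR C = {value_at_risk(BOND_C, ALPHA)}; "
          f"ES A = {expected_shortfall(BOND_A, ALPHA):.1f}, ES C = {expected_shortfall(BOND_C, ALPHA):.1f}")
```

At 95% confidence each bond alone has a VaR of 0 while the two held together have a VaR of 100, so VaR is not subadditive for this non-normal distribution, whereas ES (80 per bond, 103.2 combined) is. BOND_C has the same VaR as BOND_A but a ten-times larger ES, which is the "VaR provides no estimate of how large a loss may be" point.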

11 fundamental principles of operational risk by Basel committee


1. The maintenance of a strong risk management culture led by the bank’s board of directors and senior
managers. This means that both individual and corporate values and attitudes should support the bank’s
commitment to managing operational risks.

2. The operational risk framework (referred to as the “Framework” in this reading) must be developed and
fully integrated into the overall risk management processes of the bank.

3. The board should approve and periodically review the Framework. The board should also oversee senior
management to ensure that appropriate risk management decisions are implemented at all levels of the
firm.

4. The board must identify the types and levels of operational risks the bank is willing to assume as well as
approve risk appetite and risk tolerance statements.

5. Consistent with the bank’s risk appetite and risk tolerance, senior management must develop a well-
defined governance structure within the bank. The structure must be implemented and maintained
throughout the bank’s various lines of business, its processes, and its systems. The board of directors
should approve this governance structure.

6. Senior management must understand the risks, and the incentives related to those risks, inherent in the
bank’s business lines and processes. These operational risks must be identified and assessed by
managers.

7. New lines of business, products, processes, and systems should require an approval process that assesses
the potential operational risks. Senior management must make certain this approval process is in place.

8. A process for monitoring operational risks and material exposures to losses should be put in place by
senior management and supported by senior management, the board of directors and business line
employees.

9. Banks must put strong internal controls, risk mitigation, and risk transfer strategies in place to manage
operational risks.

10. Banks must have plans in place to survive in the event of a major business disruption. Business
operations must be resilient.

11. Banks should make disclosures that are clear enough that outside stakeholders can assess the bank’s
approach to operational risk management.

Guidelines for the above


With respect to Principle 1, the board of directors and/or senior management should:

• Provide a sound foundation for a strong risk management culture within the bank. A strong risk
management culture will generally mitigate the likelihood of damaging operational risk events.
• Establish a code of conduct (or ethics policy) for all employees that outlines expectations for ethical
behavior. The board of directors should support senior managers in producing a code of conduct. Risk
management activities should reinforce the code of conduct. The code should be reflected in training and
compensation as well as risk management. There should be a balance between risks and rewards.
Compensation should be aligned not just with performance, but also with the bank’s risk appetite,
strategic direction, financial goals, and overall soundness.
• Provide risk training throughout all levels of the bank. Senior management should ensure training reflects
the responsibilities of the person being trained.

With respect to Principle 2, the board of directors and/or senior management should:

• Thoroughly understand both the nature and complexity of the risks inherent in the products, lines of
business, processes, and systems in the bank. Operational risks are inherent in all aspects of the bank.
• Ensure that the Framework is fully integrated in the bank’s overall risk management plan across all levels
of the firm (i.e., business lines, new business lines, products, processes, and/or systems). Risk assessment
should be a part of the business strategy of the bank.

With respect to Principle 3, the board of directors and/or senior management should:

• Establish a culture and processes that help bank managers and employees understand and manage
operational risks. The board must develop comprehensive and dynamic oversight and control
mechanisms that are integrated into risk management processes across the bank.
• Regularly review the Framework.
• Provide senior management with guidance regarding operational risk management and approve policies
developed by senior management aimed at managing operational risk.
• Ensure that the Framework is subject to independent review.
• Ensure that management is following best practices in the field with respect to operational risk
identification and management.
• Establish clear lines of management responsibility and establish strong internal controls.

With respect to Principle 4, the board of directors and/or senior management should:
• Consider all relevant risks when approving the bank’s risk appetite and tolerance statements. The board
must also consider the bank’s strategic direction. The board should approve risk limits and thresholds.
• Periodically review the risk appetite and tolerance statements. The review should specifically focus on:
a) Changes in the market and external environment.
b) Changes in business or activity volume.
c) Effectiveness of risk management strategies.
d) The quality of the control environment.
e) The nature of, frequency of, and volume of breaches to risk limits.

With respect to Principle 5, the board of directors and/or senior management should:

• Establish systems to report and track operational risks and maintain an effective mechanism for resolving
problems. Banks should demonstrate the effective use of the three lines of defense to manage operational
risk, as outlined by the Basel Committee.
• Translate the Framework approved by the board into specific policies and procedures used to manage
risk. Senior managers should clearly assign areas of responsibility and should ensure a proper
management oversight system to monitor risks inherent in the business unit.
• Ensure that operational risk managers communicate clearly with personnel responsible for market,
credit, liquidity, interest rate, and other risks and with those procuring outside services, such as insurance
or outsourcing.
• Ensure that CORF managers have sufficient stature in the bank, commensurate with market, credit,
liquidity, interest rate, and other risk managers.
• Ensure that the staff is well trained in operational risk management. Risk managers should have
independent authority relative to the operations they oversee.

With respect to Principle 6, the board of directors and/or senior management should:

• Consider both internal and external factors to identify and assess operational risk.

With respect to Principle 7, the board of directors and/or senior management should:

• Maintain a rigorous approval process for new products and processes. The bank should make sure that
risk management operations are in place from the inception of new activities because operational risks
typically increase when a bank engages in new activities, new product lines, enters unfamiliar markets,
implements new business processes, puts into operation new technology, and/or engages in activities
that are geographically distant from the main office.
• Thoroughly review new activities and product lines, reviewing inherent risks, potential changes in the
bank’s risk appetite or risk limits, necessary controls required to mitigate risks, residual risks, and the
procedures used to monitor and manage operational risks.

With respect to Principle 8, the board of directors and/or senior management should:

• Continuously improve the operational risk reporting. Reports should be manageable in scope but
comprehensive and accurate in nature.
• Ensure that operational risk reports are timely. Banks should have sufficient resources to produce reports
during both stressed and normal market conditions. Reports should be provided to the board and senior
management.

• Ensure that operational risk reports include:
a) Breaches of the bank’s risk appetite and tolerance statement.
b) Breaches of the bank’s thresholds and risk limits.
c) Details of recent operational risk events and/or losses.
d) External events that may impact the bank’s operational risk capital.
e) Both internal and external factors that may affect operational risk.

With respect to Principle 9, the board of directors and/or senior management should have a sound internal
control system as described in (an effective control environment) and (managing technology and outsourcing
risks). Banks may need to transfer risk (e.g., via insurance contracts) if it cannot be adequately managed within
the bank. However, sound risk management controls must be in place and thus risk transfer should be seen as a
complement to, rather than a replacement for, risk management controls. New risks, such as counterparty risks,
may be introduced when the bank transfers risk. These additional risks must also be identified and managed.

With respect to Principle 10, the board of directors and/or senior management should:

• Establish continuity plans to handle unforeseen disruptive events (e.g., disruptions in technology,
damaged facilities, pandemic illnesses that affect personnel, and so on). Plans should include impact
analysis and plans for recovery. Continuity plans should identify key facilities, people, and processes
necessary for the business to operate. The plan must also identify external dependencies such as utilities,
vendors, and other third-party providers.

• Periodically review continuity plans. Personnel must be trained to handle emergencies and, where
possible, the bank should perform disaster recovery and continuity tests.

With respect to Principle 11, the board of directors and/or senior management should:

• Write public disclosures such that stakeholders can assess the bank’s operational risk management
strategies.
• Write public disclosures that are consistent with risk management procedures.
• The disclosure policy should be established by the board of directors and senior management and
approved by the board of directors. The bank should also be able to verify disclosures.

Key sources of country risk


Key sources of country risk include:

1. the level of a country’s economic growth,
2. political risk,
3. legal risk, including risks that arise from both the structure and the efficiency of legal systems, and
4. economic structure including the level of diversification.

Risk limits
Chapter 6
Comparison Between Counterparty Risk and Credit Risk

Particulars | Counterparty Risk | Credit Risk
Meaning | Also originates from the inability or failure to make a payment; however, the amount of exposure is not predetermined. | The possibility of loss on account of default due to the inability or unwillingness of a borrower to meet its liability; in this case, the amount of loss is predetermined.
Scope | Most relevant in derivatives markets, and especially OTC trades. | Relevant to loans and advances given by banks and financial institutions.
Subset | A subset of credit risk. | Includes counterparty risk as well.
Exposure | Risk exposure varies with the MTM position on the date of default. | Exposure is mostly predetermined and does not vary.

Advantages of CDS
1. Spur innovation: Conceptually, CDS buyers are protected from credit risk. This enables them to fund
riskier opportunities than they otherwise might comfortably support. This access to capital could spur
innovation and boost economic growth.

2. Cash-flow potential: CDS sellers create a stream of payments that could be a significant source of cash
flow. Theoretically, they can diversify the CDS contracts across industries and geographies such that
defaults in one area should be offset by fees from CDSs that have not been triggered through default.

3. Risk price discovery: The use of a CDS enables price discovery of a specific credit risk. Bonds also provide
credit risk price discovery, but this service is blurred because their prices also include other risks, such as
interest rate risk. A CDS is a pure play on pricing a given borrower’s credit risk.

Disadvantages of CDS
1. Historically weak regulation: CDS contracts were unregulated until after the financial crisis of 2007–2009.
Lack of regulation meant that counterparty risk existed because CDS buyers were not guaranteed that the
CDS seller could make good on the promise of credit risk mitigation.

2. False sense of security: The presence of a CDS contract creates a false sense of security for fixed income
buyers, who could support an issuer that is far riskier than they would support without the presence of
credit risk transfer. This can be both an advantage (access to capital) and a disadvantage (excessive risk-
taking behavior), depending upon one’s vantage point.

Advantages of CDO
1. Increased profit potential: Banks have the ability to source loans, repackage them into a structured
product, and then use the proceeds from selling the repackaged loans to source new loans. This cycle
enables banks to increase loan turnover and therefore increase profit potential.

2. Direct risk transfer: Through the securitization process, banks will effectively transfer credit risk to
investors.
3. Loan access: Since the bank is repackaging and selling the loans, individuals who otherwise might not be
able to access a loan may now have access.

Disadvantages of CDO

1. Encourages increased risk taking: Since banks have the ability to transfer credit risk, they may source
loans that are riskier than they otherwise would accept. This behaviour could result in unexpected risk
for investors.

2. Risk concentration potential: These structured products could unknowingly (on the part of investors)
concentrate exposure to high-risk borrowers, who may default and cause investors to experience
unexpected losses.

3. High complexity: Structured products are very complex. They may be difficult for an investor, a rating
agency, or a regulator to fully understand.

Important considerations w.r.t credit risk identification


1. Is the interest rate charged on the instrument commensurate with the risk taken?
2. Is a portfolio of instruments diversified both geographically and by industry?
3. Have correlations between instruments and other known risk factors been properly considered?
4. Are any firm-specific or industry-specific financial ratios indicating a cause for concern?
5. Is a lender exposed to a large number of small loans or a small number of large loans? Concentration risk
can be a real concern.
6. What is the PD for the various instruments owned?
7. Are the probabilities of default correlated in any way?

Practical application for RAROC


1. Business comparison. This metric permits comparison of business units even when different levels of
economic capital exist for each segment.
2. Investment analysis. This approach could be used to evaluate potential new product offerings. For
example, a bank could use this technique to decide whether to branch out into a new credit product.
3. Pricing strategy. Firms could use RAROC to determine if their current pricing strategy provides sufficient
return relative to the estimated risk taken.
4. Risk management. In the most basic sense, this metric can be used to highlight areas where risk is not
being properly covered with expected rewards.

Computation of RAROC
Assume the following information for a commercial loan portfolio:
1. $1.5 billion principal amount
2. 7% pre-tax expected return on loan portfolio
3. Direct annual operating costs of $10 million
4. Loan portfolio is funded by $1.5 billion of retail deposits; interest rate = 5%
5. Expected loss on the portfolio is 0.5% of principal per annum
6. Unexpected loss of 8% of the principal amount, or $120 million of economic capital required
7. Risk-free rate on government securities is 1% (based on the economic capital required)
8. 25% effective tax rate

Assume no transfer pricing issues.

Compute the RAROC for this loan portfolio.

Answer:
First, calculate the following RAROC components:
Expected revenue = 0.07 × $1.5 billion = $105 million
Interest expense = 0.05 × $1.5 billion = $75 million
Expected loss = 0.005 × $1.5 billion = $7.5 million
Return on economic capital = 0.01 × $120 million = $1.2 million
Then, apply the RAROC equation:

RAROC = (105 − 10 − 75 − 7.5 + 1.2 + 0) × (1 − 0.25) / 120 = 10.275 / 120 = 8.56%

Therefore, maintenance of the commercial loan portfolio requires an after-tax expected rate of return on equity
of at least 8.56%.

Adjusted RAROC
RAROC should be adjusted to consider systematic risk and a consistent hurdle rate:

Adjusted RAROC = RAROC − β_E (R_M − R_F)

where:
R_F = risk-free rate = hurdle rate
R_M = expected return on market portfolio
β_E = firm’s equity beta
(R_M − R_F) = excess return over the risk-free rate to account for the nondiversifiable systematic risk of the
project

Therefore, the revised business decision rules are as follows:
If adjusted RAROC > R_F, then accept the project
If adjusted RAROC < R_F, then reject the project

EXAMPLE: Adjusted RAROC

Suppose RAROC is 12%, the risk-free rate is 5%, the market return is 11%, and the firm’s equity beta is 1.5. Use
ARAROC to determine whether the project should be accepted or rejected.
Answer:
Adjusted RAROC = RAROC − β_E (R_M − R_F)
= 0.12 − 1.5(0.11 − 0.05) = 0.12 − 0.09 = 0.03
The project should be rejected because the ARAROC of 3% is less than the risk-free rate of 5%.
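The RAROC computation and the adjusted RAROC decision rule above, carried through in Python as an added example (not part of the original notes): the LoanPortfolio class and its field names are this example's own, and the inputs are the figures from the worked examples, in $ millions.

```python
"""RAROC and adjusted RAROC, following the worked examples in the notes."""
from dataclasses import dataclass


@dataclass
class LoanPortfolio:
    """Inputs for the RAROC calculation; monetary amounts share one unit ($ millions here)."""
    principal: float
    expected_return: float       # pre-tax expected return on the portfolio, as a fraction
    operating_costs: float       # direct annual operating costs
    funding_rate: float          # interest rate paid on the deposits funding the portfolio
    expected_loss_rate: float    # expected loss as a fraction of principal per annum
    unexpected_loss_rate: float  # economic capital required, as a fraction of principal
    risk_free_rate: float        # return earned on the economic capital held
    tax_rate: float              # effective tax rate
    transfer_pricing: float = 0.0  # the notes assume no transfer pricing issues

    def economic_capital(self):
        """Economic capital = unexpected loss as an amount."""
        return self.unexpected_loss_rate * self.principal

    def raroc(self):
        """After-tax risk-adjusted return divided by economic capital."""
        revenue = self.expected_return * self.principal
        interest = self.funding_rate * self.principal
        expected_loss = self.expected_loss_rate * self.principal
        capital_return = self.risk_free_rate * self.economic_capital()
        pre_tax = (revenue - self.operating_costs - interest - expected_loss
                   + capital_return + self.transfer_pricing)
        return pre_tax * (1.0 - self.tax_rate) / self.economic_capital()


def adjusted_raroc(raroc, beta_e, r_m, r_f):
    """ARAROC = RAROC - beta_E * (R_M - R_F): strips out the reward for systematic risk."""
    return raroc - beta_e * (r_m - r_f)


def decide(araroc, r_f):
    """Decision rule from the notes: accept only if ARAROC exceeds the risk-free hurdle rate."""
    return "accept" if araroc > r_f else "reject"


# The commercial loan portfolio from the notes (amounts in $ millions).
PORTFOLIO = LoanPortfolio(principal=1500.0, expected_return=0.07, operating_costs=10.0,
                          funding_rate=0.05, expected_loss_rate=0.005,
                          unexpected_loss_rate=0.08, risk_free_rate=0.01, tax_rate=0.25)

if __name__ == "__main__":
    print(f"Economic capital = ${PORTFOLIO.economic_capital():.1f}m")  # 120.0
    print(f"RAROC = {PORTFOLIO.raroc():.2%}")                          # 8.56%
    araroc = adjusted_raroc(0.12, beta_e=1.5, r_m=0.11, r_f=0.05)
    print(f"ARAROC = {araroc:.2%} -> {decide(araroc, 0.05)}")           # 3.00% -> reject
```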

Funding liquidity risk


Funding liquidity risk refers to the risk that an institution cannot settle its obligations promptly when they
become due; in the OTC derivatives context it arises from the funding needs established in a CSA (credit support
annex). For various reasons, collateral agreements are not in place for many OTC derivatives transactions. When
a counterparty does not have the operational capacity or liquidity to handle frequent collateral calls (required
under a CSA), the counterparty will be vulnerable to funding implications. This risk is relatively small when
markets are liquid and funding costs are low. However, when markets are illiquid, the risk becomes higher
because funding costs can increase considerably.

Economic capital v/s Regulatory capital
To mitigate the risk of bank failures caused by losses on loans or trading assets, banks must be funded by
adequate sources of capital. Equity capital is needed to shield against possible losses and to maintain solvency.
Banks may also issue long-term debt (debt capital) to bolster their capital.

Banks and their regulators may have different views about how much capital is sufficient in light of the risks a
bank faces. Regulatory capital refers to the minimum amount required and is determined by bank regulators.

Economic capital refers to the amount of capital that a bank believes is adequate based on its own risk models.
Both regulatory and economic capital refer to funds that are set aside to be used to cover unexpected losses. The
amount of required capital will correspond to the amount of potential losses.

Identify the major risks faced by a bank and explain ways in which these risks can arise
The main risks faced by a bank include credit risk, market risk, and operational risk.

1. Credit Risk: Credit risk refers to the risk that borrowers do not repay their loans or that counterparties
to contracts such as derivatives may default on their obligations when the contract has negative value to
the counterparty (and positive value to the bank). The bank’s trading of derivatives also introduces
market risk since the derivatives contract is dependent on the price of the underlying asset. Regarding
loans, the interest rate charged by banks on loans takes into account the expected losses; for example,
assuming a 2% differential in average interest rate charged and cost of funds, expected losses of 0.6%
would leave 1.4% remaining for operating costs and profit.

2. Market risk: Market risk refers to the risk of losses from a bank’s trading activities, such as declines in
the value of securities the bank owns. Specific examples of market risk factors include changes in interest
rates, exchange rates, and stock prices. Banks allow their larger investors to trade in a variety of financial
contracts where the bank acts as a market maker. In those instances, the bank has controlled (but not
zero) exposures to market risk factors.

3. Operational risk: Operational risk refers to the possibility of losses arising from external events (e.g.,
cyber attacks or physical asset damage) or failures of a bank’s internal controls (e.g., employee
defalcation, business interruption, IT failures, and human error). Operationally, banks are most exposed
to legal, compliance, and cyber risks.
Chapter 7
Audit Committee’s Assessment of Internal Control
Risk Assessment

• Does the company have clear objectives with measurable targets and indicators that have been
communicated so as to provide effective direction to employees on risk assessment and control issues?

• Are the significant internal and external operational, financial, compliance and other risks identified and
assessed on an ongoing basis?

• Is there a clear understanding by management and others within the company of what risks are
acceptable to the board?

Control Environment and Control Activities

• Does the Board have clear strategies for dealing with the significant risks that have been identified? Is
there a policy on how to manage these risks?

• Does the company’s culture, code of conduct, human resources policy and performance reward systems
support the business objectives and risk management and internal control systems?

• Does senior management demonstrate, through actions and policies, the necessary commitment to
competence, integrity and fostering a climate of trust within the company?

• Are authority, responsibility and accountability defined clearly such that decisions are made and actions
taken by the appropriate people? Are the decisions and actions of different parts of the company
appropriately co-ordinated?

• Does the company communicate to employees what is expected of them and the scope of their freedom to
act?

• Do people in the company (and its outsourced service providers) have the knowledge, skills and tools to
support the achievement of the company’s objectives and to manage effectively the risks to their
achievement?

• How are processes/controls adjusted to reflect new or changing risks, or operational deficiencies?

Risk Management Responsibilities

1. Main risk management responsibilities for the CEO:
✓ Determine strategic approach to risk
✓ Establish the structure for risk management
✓ Understand the most significant risks
✓ Consider the risk implications of poor decisions
✓ Manage the organization in a crisis

2. Main RM responsibilities for the location manager:
✓ Build risk-aware culture within the location
✓ Agree risk management performance targets for the location
✓ Evaluate reports from employees on risk management matters
✓ Ensure implementation of risk improvement recommendations
✓ Identify and report changed circumstances/risks

3. Main RM responsibilities for individual employees:
✓ Understand, accept and implement RM processes
✓ Report inefficient, unnecessary or unworkable controls
✓ Report loss events and near-miss incidents
✓ Co-operate with management on incident investigations
✓ Ensure that visitors and contractors comply with procedures

4. Main RM responsibilities for specialist risk management functions:
✓ Assist the company in establishing specialist risk policies
✓ Develop specialist contingency and recovery plans
✓ Keep up to date with developments in the specialist area
✓ Support investigations of incidents and near misses
✓ Prepare detailed reports on specialist risks

5. Main risk management responsibilities for the internal audit manager:
✓ Develop a risk-based internal audit programme
✓ Audit the risk processes across the organization
✓ Provide assurance on the management of risk
✓ Support and help develop the risk management processes
✓ Report on the efficiency and effectiveness of internal controls

Board’s duties with or without the assistance of a risk advisory director

✓ The firm’s risk management policies
✓ The firm’s periodic risk management reports
✓ The firm’s risk appetite and its impact on business strategy
✓ The firm’s internal controls
✓ The firm’s financial statements and disclosures
✓ The firm’s related parties and related party transactions
✓ Any audit reports from internal or external audits
✓ Corporate governance best practices for the industry
✓ Risk management practices of competitors and the industry

Different types of risks in auditing

1. inherent risk – follows from the nature of the business and its environment
2. failure of controls – i.e. failure to implement adequate access controls to information
3. residual risk – remaining after controls have been implemented (controls are not a guarantee)
4. audit risk – the inability of audit to detect control failures
Chapter 8
Risk Maturity
Implementation of ERM
The implementation steps of ERM are as follows:

Step 1: Identify the risks of the firm. For many banks, risks are classified as falling into one of three categories:
market, credit, or operational. Other financial institutions broaden the list to include asset, liability, liquidity, and
strategic risks. Identification of risks should be performed both top-down (by senior management) and
bottom-up (by individual managers of business units or other functional areas).

Step 2: Develop a consistent method to evaluate the firm’s exposure to the risks identified above. If the
methodology is not consistent, the ERM system will fail because capital will be misallocated across business
units. Implementation of an ERM system is challenging, and it is important that the entire organization supports
the system. Thus, it is critical for all levels of the organization to understand how the system is designed and how
it can create value. Monitoring the ERM system may be neglected due to its time-consuming nature. However, the
inability to identify relevant risks on a regular basis could lead to corporate failures.

ERM Macro & Micro Benefit

Enterprise risk management (ERM) is the process of managing all of a corporation’s risks within an integrated
framework.

The macro benefit of ERM is that hedging corporate diversifiable risk improves management’s ability to invest in
value-creating projects in a timely manner and improves the firm’s ability to carry out the strategic plan.

The micro benefit of ERM requires decentralizing risk management to ensure that each project’s total risk is
adequately assessed by project planners during the initial evaluation of the project.

The two main components of decentralizing the risk-return trade-off are consideration of the marginal impact of
each project on the firm’s total risk and a performance evaluation system that considers unit contributions to
total risk.
Conceptual Framework of ERM
The conceptual framework of ERM is a four-step process:

1. Determine the firm’s risk appetite.
2. Estimate the amount of capital needed to support the desired level of risk.
3. Determine the optimal combination of capital and risk that achieves the target credit rating.
4. Decentralize the management of risk.

Guidelines for risk communication

• Know the stakeholders, by identifying both external and internal stakeholders and finding out their
interests and concerns
• Simplify the language and presentation, although not the content if complex issues need to be
communicated
• Be objective in the information provided and differentiate between opinions and facts
• Communicate clearly and honestly, taking account of the level of understanding of the audience
• Deal with uncertainty and discuss situations where not all information is available and indicate what can
be done to overcome these problems
• Be cautious when putting risks in perspective, although comparing an unfamiliar risk with a familiar one
can be helpful
• Develop key messages that are clear, concise and to the point, with no more than three messages
communicated at any one time
• Be prepared to answer questions and agree to provide further information if it is not currently available
Chapter 9
Risk Description
In order to fully understand a risk, a detailed description is necessary so that a common understanding of the
risk can be reached and ownership/responsibilities may be clearly understood.

• Name or title of risk
• Statement of risk, including scope of risk and details of possible events and dependencies
• Nature of risk, including details of the risk classification and timescale of potential impact
• Stakeholders in the risk, both internal and external
• Risk attitude, appetite, tolerance or limits for the risk
• Likelihood and magnitude of event and consequences should the risk materialize at current/residual level
• Control standard required or target level of risk
• Incident and loss experience
• Existing control mechanisms and activities
• Responsibility for developing risk strategy and policy
• Potential for risk improvement and level of confidence in existing controls
• Risk improvement recommendations and deadlines for implementation
• Responsibility for implementing improvements
• Responsibility for auditing risk compliance

Strategic approach for mitigating cybercrime

1. defining risk management strategies
2. estimating the financial impact of different types of cybersecurity breaches. This enables businesses to
plan how to respond
3. establishing priorities for valuable digital resources to implement a layered approach to security
4. remaining up-to-date with legislation and the work of regulators to ensure adequate disclosure and
prompt investigation of breaches
5. maintaining client confidence: a key risk for accountancy practices is the lateral movement approach,
where breaching one system is a stepping stone for subsequent attacks on the victim’s clients.

Four v’s of big data

The main characteristics of Big Data are volume, velocity, variety, and veracity.

1. Volume: The scale of information which can now be created and stored is staggering. Advancing
technology has allowed embedded sensors to be placed in everyday items such as cars, video games and
refrigerators. Mobile devices have led to an increasingly networked world where people’s consumer
preferences, spending habits, and even their movements can be recorded. Advances in data storage
technology as well as a fall in the price of this storage have allowed the captured data to be stored for
further analysis.

2. Velocity: Timeliness is a key factor in the usefulness of financial information to decision makers, and it is
no different for the users of Big Data. One source of high-velocity data is Twitter, users of which are
estimated to generate nearly 100,000 tweets every 60 seconds.

3. Variety: Big Data consists of both structured and unstructured data. While the sources of data have
grown, the software tools for interpreting the data have not kept pace with this change. Structured data
consists of traditional data sets, such as financial transactions, while unstructured refers to the majority of
information created by social media sites. The challenge is bringing together both structured and
unstructured information to reveal new insights.

4. Veracity: Another challenge to users of Big Data is keeping the information 'clean' and free from so-called
noise, or bias. Due in part to the other three factors, it is not possible to 'cleanse' the data. While even
unstructured data such as tweets can give an accurate view as to how an event or product is perceived, it
may not be useful in predicting sales of a product. The age profile and location of the average Twitter user
may act as a bias, therefore distorting the data collected.

Threats of emerging technologies in cybersecurity landscape

• The ubiquity of mobile devices means IT departments cannot contain valuable data and hardware with a
rigid perimeter that is easy to monitor and protect.

• Mobile and contactless payment systems are attractive to criminals. One such system, Apple Pay, is likely
to be actively targeted.

• Cloud data breaches will remain a concern. To mitigate the risks the following are being developed:
1. advisory and regulatory frameworks
2. methodologies for due diligence checks and
3. testing of performance and resilience.

• Big data - risks include ‘salami slicing’ techniques bringing together seemingly disparate data to form a
pattern for use in identity fraud.

• The Internet of Things (IoT) could provide detailed data on those living in a smart home, especially if
poorly conceived hardware and software provide a gateway for hackers.

Risk management policy

A risk management policy should include the following sections:

1. Risk management and internal control objectives
2. Statement of the attitude of the organization to risk (risk strategy)
3. Description of the control environment
4. Level and nature of risk that is acceptable
5. Risk management organization and arrangements (risk architecture)
6. Arrangements for communicating risk information
7. Standard procedures for risk recognition and rating (risk assessment)
8. List of documentation for analysing and reporting risk (risk protocols)
9. Risk mitigation requirements and control mechanisms
10. Allocation of risk management roles and responsibilities
11. Criteria for monitoring and benchmarking risks
12. Allocation of appropriate resources
13. Risk priorities and performance targets
14. Risk management calendar of the coming year

Three lines of defence model

7 Factors for Internal Audit's Role in Artificial Intelligence
1. AI Governance — Establish accountability and oversight. What policies and procedures need to be
established to ensure appropriate governance? Do existing governance frameworks work? Who is
accountable and do they have the necessary skills and expertise to effectively monitor AI? How do
organizations make sure their values and ethics are reflected?

2. Data Quality — It is rare for an organization to have a well-defined, coherent structure to their data. More
often, it rests in systems that don't communicate with each other. How this data is brought together is
critical. Auditors need to consider completeness, accuracy, and reliability.

3. Human Factor — AI relies on complex algorithms produced by humans. How do natural human biases
factor into AI design? How can AI effectively be tested to ensure the results reflect the original objective?
How are privacy and security ensured? Is adequate transparency possible given the complexity?

4. Measuring Performance — AI is developed to achieve certain objectives. Given the potential complexity,
how does an organization know the objectives are being achieved in the best way possible? How are
performance metrics established and how does one effectively compare results to alternatives?

5. Reemphasize Cybersecurity — Imagine a situation where your AI has been hacked and is now doing the
bidding of some outside malevolent force. Consider the four R's of cyber resilience: resist, react, recover,
reevaluate.

6. Filling the Understanding Gap — To start with, the potential impact associated with AI-related risks will
be huge and on the top of the list for boards to consider. How can internal audit help to make sure boards
and audit committees are prepared to discuss these risks and make good decisions based on the right
information? On top of that, how do you begin to improve your audit function's skills, recognizing that
new skills may be required?

7. Ethical Issues With AI — Most importantly, AI causes us to refocus on ethics. I already mentioned the
Human Factor above, which is important enough to treat separately. With data privacy and the ethical use
of personal data already a big concern, AI will only complicate things further. Beyond that, check out the
top nine ethical issues in AI from the World Economic Forum.
Categories of disruption

Benefits for Risk Management applying Artificial intelligence

AI is ever more recognised for its potential. It will change people’s day-to-day activities, including in risk and
insurance management. Insights that now become visible only when losses occur can in future emerge earlier
through learning from large volumes of historical data.

For risk management, key benefits will relate to:

1. Data processing: Usage of not only structured but also unstructured data in massive amounts;
combinations of datasets and updating patterns.
2. Improving efficiency: Reducing cost by automating day-to-day assistance and guidance in the risk
management processes.
3. Real-time and predictive: Awareness of new exposures, increasing preventative risk advices, faster
response time in critical situations.
4. Business decisions: Better decision-making through greater (predictive) insights and visibility of risk
(also for top management).

AI in Risk management process

Ways AI can improve ERM
1. AI-powered tools can provide general guidance and assistance to risk management professionals, which
saves costs.
2. The ERM process needs to use the enterprise helpdesk ticket data for insights into what kind of
challenges the customers, partners, and employees face. Now, the helpdesk ticket data is massive, and it
can be hard to gain insights from it. AI can smartly categorize the incident data, therefore, ERM tools can
extract insights easily.
3. AI can study a large volume of enterprise helpdesk ticket data and recommend mitigation measures.
4. Enterprise risk management professionals can use AI to predict the likelihood of incidents. They can also
use AI to predict the financial loss occurring from such incidents.
5. AI-powered tools make a big difference in identifying breaches in security and/or other business controls.
Enterprise risk management requires audit and compliance managers to find such breaches, and AI can
make their work easier.

Using ML for risk mitigation

Machine learning can support more informed predictions about the likelihood of an individual or organization
defaulting on a loan or a payment, and it can be used to build variable revenue forecasting models.
Risks in AI Adoption
Some of the main risks associated with AI include:

1. Algorithmic bias: Machine-learning algorithms identify patterns in data and codify them in predictions,
rules and decisions. If those patterns reflect some existing bias, the algorithms are likely to amplify that
bias and may produce outcomes that reinforce existing patterns of discrimination.
2. Overestimating the capabilities of AI: Since AI systems do not understand the tasks they perform, and rely
on their training data, they are far from infallible.
3. Programmatic errors: Where errors exist, algorithms may not perform as expected and may deliver
misleading results that have serious consequences.
4. Risk of cyber attacks: Hackers who want to steal personal data or confidential information about a
company are increasingly likely to target AI systems.
5. Legal risks and liabilities: At present, there is little legislation governing AI, but that is set to change.
Systems that analyze large volumes of consumer data may not comply with existing and imminent data
privacy regulations, especially the EU’s General Data Protection Regulation.
6. Reputational risks: AI systems handle large amounts of sensitive data and make critical decisions about
individuals in a range of areas including credit, education, employment and health care. So any system
that is biased, error-prone, hacked or used for unethical purposes poses significant reputational risks to
the organization that owns it.

Key Considerations for Board with respect to AI adoption

1. Does the board understand the potential impact of AI on the organization’s business model, culture,
strategy and sector?
2. How is the board challenging management to respond strategically to both the opportunities presented
by AI and the risks associated with it?
3. How is the organization using AI technology and new data sets for governance and risk management?
How are the dashboards of the board and the audit committee changing?
4. Does the organization have a talent strategy for recruiting and retaining people with the necessary
skillsets to manage and staff AI-related projects?
5. Has the board asked management to assess how the adoption of AI impacts the integrity of its finance
function or its financial statements?

AI & ML for credit risk management

1. Automated process: To handle big data and generate reports on each application, banks hire a team of
over ten employees. AI can reduce staff expenses by automating the whole credit risk management
process. It allows funds to be distributed more effectively and frees workers for other tasks.

2. Reduction in loan management time: Financial organizations and banks take up to three weeks to
physically verify each application. Scoring software powered by AI cuts the time to minutes. For instance,
modern solutions like GiniMachine verify 1,000 applications in ten seconds.

3. Error-free: Traditional methods do not guarantee a low percentage of scoring errors, while AI can
process a huge amount of information and detect patterns with as few errors as possible.

4. Decline in credit losses: Predicting delinquencies before they actually occur is one of the main goals of
risk management software. As mentioned above, traditional solutions can make predictions for several
months ahead, while AI credit scoring software extends the prediction horizon to a year in advance.

5. Accuracy in predictions: Traditional risk management software functions under clearly defined
parameters. Utilizing AI and ML, a user gets an intuitive solution that can analyze more databases and
learn during the process. Eventually, AI software comes up with more accurate predictions and reduces
scoring mistakes.

6. Strong fraud detection: Modern software is equipped with tech-savvy solutions that strengthen fraud
detection mechanisms. This protects banking operations and draws a more reliable picture of a bank for
reliable borrowers.

The following risks could arise when a financial institution outsources its operational functions to third-party
service providers:

1. Compliance risk refers to a service provider not operating in compliance with the relevant local laws and
regulations.
2. Concentration risk refers to having very few service providers to choose from or that the service
providers are clustered in only a few geographic areas.
3. Reputational risk refers to a service provider executing its tasks in a substandard manner, resulting in a
negative public perception of the financial institution.
4. Country risk refers to using a service provider based in a foreign country and subjecting the financial
institution to potential economic and political risks in that country.
5. Operational risk refers to potential losses sustained by a financial institution as a result of internal control
breaches and human error caused by a service provider.
6. Legal risk refers to subjecting the financial institution to lawsuits and other costs due to potentially
negligent activities of a service provider.

Data issues that increase risk for an organization

The most common data issues that increase risk for an organization are as follows:

• Data-entry errors.
• Missing data.
• Duplicate records.
• Inconsistent data.
• Nonstandard formats.
• Complex data transformations.
• Failed identity management processes.
• Undocumented, incorrect, or misleading metadata (description of content and context of data files).

Examples of risks arising out of data errors include:

• Fraudulent payroll overpayments to fictitious employees or those who are no longer employed by the
firm.
• Underbilling for services rendered.
• Underestimating insurance risk due to missing and inaccurate values (e.g., insured value).
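A data-quality audit that detects several of the issues listed above (missing data, duplicate records, nonstandard formats, failed identity management) and the first example of resulting risk (payroll payments to people who are not, or are no longer, employees). This is an added example, not code from the notes; the HR roster, the payroll records and the record ids are constructed sample data, and the rule that a payment dated after an employee's termination date is suspect is an assumption about how such a check would be configured.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed HR master data: employee_id -> status and termination date (ISO), if any.
HR_ROSTER = {
    "E001": {"name": "A. Rivera", "status": "active", "termination_date": None},
    "E002": {"name": "B. Chen", "status": "terminated", "termination_date": "2023-11-30"},
    "E003": {"name": "C. Okafor", "status": "active", "termination_date": None},
}

# Constructed payroll run, seeded with one instance of each data issue.
PAYROLL_RUN = [
    {"id": "P1", "employee_id": "E001", "amount": 4200.00, "pay_date": "2023-12-29"},
    {"id": "P2", "employee_id": "E002", "amount": 3900.00, "pay_date": "2023-12-29"},  # left in November
    {"id": "P3", "employee_id": "E999", "amount": 5100.00, "pay_date": "2023-12-29"},  # not in HR roster
    {"id": "P4", "employee_id": "E003", "amount": 4800.00, "pay_date": "29/12/2023"},  # DD/MM/YYYY format
    {"id": "P5", "employee_id": "E003", "amount": 4800.00, "pay_date": "2023-12-29"},  # same payment as P4
    {"id": "P6", "employee_id": "E001", "amount": None, "pay_date": "2023-12-29"},     # amount missing
]

ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
DMY_DATE = re.compile(r"^\d{2}/\d{2}/\d{4}$")


def normalize_date(value: Optional[str]) -> Tuple[Optional[str], bool]:
    """Return (ISO date or None, nonstandard_flag). DD/MM/YYYY is accepted but flagged."""
    if not value:
        return None, True
    try:
        if ISO_DATE.match(value):
            return datetime.strptime(value, "%Y-%m-%d").strftime("%Y-%m-%d"), False
        if DMY_DATE.match(value):
            return datetime.strptime(value, "%d/%m/%Y").strftime("%Y-%m-%d"), True
    except ValueError:
        pass  # right shape, but not a real calendar date
    return None, True


def audit_payroll(payroll: List[dict], roster: Dict[str, dict]) -> Dict[str, list]:
    """Run the data-issue checks over one payroll run and return record ids per finding."""
    findings = {"missing_fields": [], "nonstandard_dates": [], "unknown_employee": [],
                "terminated_employee": [], "duplicates": []}
    seen = defaultdict(list)  # normalized (employee, amount, date) -> record ids
    for rec in payroll:
        rid = rec["id"]
        # Missing data: any required field absent or empty.
        if any(rec.get(f) in (None, "") for f in ("employee_id", "amount", "pay_date")):
            findings["missing_fields"].append(rid)
        # Nonstandard formats: normalize before any comparison so later checks agree.
        iso_date, nonstandard = normalize_date(rec.get("pay_date"))
        if nonstandard:
            findings["nonstandard_dates"].append(rid)
        # Failed identity management: payee unknown to HR, or paid after leaving.
        emp = roster.get(rec.get("employee_id"))
        if emp is None:
            findings["unknown_employee"].append(rid)
        elif (emp["status"] == "terminated" and iso_date and emp["termination_date"]
              and iso_date > emp["termination_date"]):
            findings["terminated_employee"].append(rid)
        # Duplicate records: keyed on normalized values, so P4 and P5 collide.
        if rec.get("amount") is not None and iso_date:
            seen[(rec["employee_id"], rec["amount"], iso_date)].append(rid)
    findings["duplicates"] = [ids for ids in seen.values() if len(ids) > 1]
    return findings


if __name__ == "__main__":
    for issue, ids in audit_payroll(PAYROLL_RUN, HR_ROSTER).items():
        print(f"{issue:>20}: {ids}")
```

The order of the checks matters: the duplicate check only finds P4 and P5 because the date was normalized first, which is why nonstandard formats belong near the top of the list of risk-increasing issues rather than being a cosmetic concern.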

RCSA
A risk control self-assessment (RCSA) requires the documentation of risks and provides a rating system and
control identification process that is used as a foundation in the OpRisk framework. Once the RCSA is created, it
is commonly performed every 12–18 months to assess the business unit’s operational risks.
Steps in designing RCSA

The following four steps are commonly used in designing an RCSA program:

1. Identify and assess risks associated with each business unit’s activities. The manager first identifies key
functions in the firm and performs risk scenarios to assess potential losses, the exposure or potential loss
amount, and the correlation risk to other important aspects of the firm such as financial, reputation, or
performance.
2. Controls are then added to the RCSA program to mitigate risks identified for the firm. The manager also
assesses any residual risk which often remains even after controls are in place.
3. Risk metrics, such as key risk indicators or internal loss events, are used to measure the success of OpRisk
initiatives and are linked to the RCSA program for review. These risk metrics would also include all
available external data and risk benchmarks for operational risks.
4. Control tests are performed to assess how effectively the controls in place mitigate potential operational
risks.

Management of technology risk

Technology risk management tools are similar to those suggested for operational risk management and include:

1. Governance and oversight controls.
2. Policies and procedures in place to identify and assess technology risks.
3. Written risk appetite and tolerance statements.
4. Implement a risk control environment.
5. Establish risk transfer strategies to mitigate technology risks.
6. Monitor technology risks and violations of thresholds and risk limits.
7. Create a sound technology infrastructure (i.e., the hardware and software components, data and
operating environments).

Outsourcing policies
Outsourcing policies should include:

1. Processes and procedures for determining which activities can be outsourced and how the activities will
be outsourced.
2. Processes for selecting service providers (e.g., due diligence).
3. Structuring the outsourcing agreement to describe termination rights, ownership of data, and
confidentiality requirements.
4. Monitor risks of the arrangement including the financial health of the service provider.
5. Implement a risk control environment and assess the control environment at the service provider.
6. Develop contingency plans.
7. Clearly define responsibilities of the bank and the service provider.

Operational Risk
Operational risk is inherent in banking activities.

The three common “lines of defense” employed by firms to control operational risks are:

1. Business line management. Business line management is the first line of defense. Banks now, more than ever,
have multiple lines of business, all with varying degrees of operational risk. Risks must be identified and
managed within the various products, activities, and processes of the bank.
2. An independent operational risk management function. This is the second line of defense and is discussed in
the next section.
3. Independent reviews of operational risks and risk management. The review may be conducted internally with
personnel independent of the process under review or externally.

Responsibilities of the RMF or Operational risk function may include:

✓ Measurement of operational risks.
✓ Establishing reporting processes for operational risks.
✓ Establishing risk committees to measure and monitor operational risks.
✓ Reporting operational risk issues to the board of directors.

Tools that may be used to identify and assess operational risk include:
1. Business process mappings, which do exactly that, map the bank’s business processes. Maps can reveal
risks, interdependencies among risks, and weaknesses in risk management systems.
2. Risk and performance indicators are measures that help managers understand the bank’s risk exposure.
There are Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs). KRIs are measures of
drivers of risk and exposures to risk. KPIs provide insight into operational processes and weaknesses.
Escalation triggers are often paired with KRIs and KPIs to warn when risk is approaching or exceeding
risk thresholds.
3. Scenario analysis is a subjective process where business line managers and risk managers identify
potential risk events and then assess potential outcomes of those risks.
4. Measurement involves the use of outputs of risk assessment tools as inputs for operational risk exposure
models. The bank can then use the models to allocate economic capital to various business units based on
return and risk.
5. Audit findings identify weaknesses but may also provide insights into inherent operational risks.
6. Analysis of internal operational loss data. Analysis can provide insight into the causes of large losses. Data
may also reveal if problems are isolated or systemic.
7. Analysis of external operational loss data including gross loss amounts, dates, amount of recoveries and
losses at other firms.
8. Risk assessments, or risk self-assessments (RSAs), address potential threats. Assessments consider the
bank’s processes and possible defenses relative to the firm’s threats and vulnerabilities. Risk Control Self-
Assessments (RCSA) evaluate risks before risk controls are considered (i.e., inherent risks). Scorecards
translate RCSA output into metrics that help the bank better understand the control environment.
9. Comparative analysis combines all described risk analysis tools into a comprehensive picture of the
bank’s operational risk profile. For example, the bank might combine audit findings with internal
operational loss data to better understand the weaknesses of the operational risk framework.

Major risks faced by insurance companies


1. Insufficient funds to satisfy policyholders' claims. The liability computations often provide a significant
cushion, but it is always possible to have a sudden surge of payouts in a short time (e.g., mortality risk and
catastrophe risk) or payouts that continue for longer than expected (e.g., longevity risk).

2. Poor return on investments (market risk). Insurance companies invest heavily in fixed-income securities,
so a fall in market values or a sudden increase in defaults produces losses. Diversification of investments
by industry sector and geography can help mitigate such losses.

3. Credit risk. By transacting with banks and reinsurance companies, insurance companies face credit risk if
the counterparty defaults on its obligations.

4. Operational risk. Similar to banks, an insurance company faces losses due to failure of its systems and
procedures or from external events outside the company's control (e.g., computer failure and human
error).
Misc

Types of RM documentation

Risk administration

✓ Risk management policy (and priorities)
✓ Specific risk statements (health and safety policy)
✓ Terms of reference of the risk/audit committees
✓ Risk protocols and procedures
✓ Risk awareness training records

Risk response

✓ Results of risk assessments (risk register)
✓ Risk control standards
✓ Risk improvement recommendations
✓ Risk assurance reports
✓ Business continuity plans/disaster recovery plans

Event reports

✓ Loss/claim reports and recommendations
✓ Legal and litigation reports
✓ Enforcement action/customer complaints
✓ Incident and near-miss investigations
✓ Business performance reports/key performance indicators

Risk performance

✓ Control risk self-assessment (CRSA) returns
✓ Audit procedures and protocols
✓ Internal audit reports
✓ Unit risk management reports
✓ External disclosure reports