Business Strategy and Risk Management

Questions and Answers

Which of the following is considered an internal factor impacting strategy and objective achievement?

• Global environment
• Political climate
• Current technology (correct)
• Social trends

Which of these elements is an internal influence on an organization's strategic goals?

• Political stability
• Economic conditions
• Social media
• Business processes (correct)

What type of risk is characterized by the potential gains or losses associated with either pursuing or not pursuing a certain course of action?

• Opportunity risks (correct)
• Control risks
• Hazard risks
• Compliance risks

Which of the following options is the best example of a technology-related risk?

Privacy violations (A)

In what category does inappropriate behavior by a senior manager fall under relating to business disruptions?

People related disruptions (B)

Which of the following scenarios describes a disruption most likely caused by a process failure?

Failure of IT hardware or software systems (C)

What kind of disruption is best illustrated by the delivery of defective goods or components?

Disruptions caused by products (C)

Which of the following is an internal factor that affects strategy and objective achievement?

Personnel (C)

What is a core assurance objective of risk management?

To aid in achieving effective and efficient strategy, tactics, and operations with reduced volatility in results. (B)

Which of the following best describes the types of hazard controls?

Corrective, Preventive and Detective (C)

What is a primary mechanism for transferring the financial impact of losses from hazard risks?

Insurance (C)

If a risk has a low likelihood but a high potential impact, what action is most appropriate?

Transfer the risk (A)

What is synonymous with terminating a risk?

Eliminating (A)

What action is equivalent to transferring a risk?

Contracting (C)

What is the primary aim of 'treating' a risk?

Reducing the risk to an acceptable level (B)

What does it mean to 'tolerate' risk?

Retaining the risk (D)

What is the primary goal of evaluating the external context?

To assess the risk level tied to the external environment. (D)

Which of the following should be considered when assessing the marketplace component of the external context?

All of the above. (D)

What two main functions must the risk management context fulfill?

To support risk management processes and communicate outputs to stakeholders. (A)

How does the internal context help evaluate an organization?

By analyzing the organization’s strengths and weaknesses regarding internal opportunities and threats. (D)

Which of these is a risk to an organization's external context?

Technological disruption. (A)

What is the main focus of the marketplace component in the external context evaluation?

Understanding market dynamics, competition, and customer's expectations. (D)

Which statement best describes the disadvantages of top-down risk assessments?

None of the above (D)

What is one benefit of a top-down assessment?

They are likely to be consistent with method. (A)

Which technique involves the physical examination of locations and the evaluation of adherence to established protocols?

Inspections and audits (D)

What is the primary purpose of workshops and brainstorming in risk assessment?

To gather ideas regarding potential events impacting objectives (A)

What risk assessment technique relies on the use of structured forms to gather information?

Questionnaires and checklists (C)

Which of the following is a disadvantage of the bottom-up approach to risk assessment?

Possibly missing new operational risks due to a lack of reporting (A)

Which of the following can be a negative outcome of a very detailed bottom up risk assessment?

A siloed approach can form, limiting holistic risk understanding (D)

What is a key advantage of a top down risk assessment?

It can provide a broad overview of important risks (D)

Which risk assessment methods are MOST likely to require staff training before they can be used effectively? Select TWO that apply.

Inspections and audits (A), Flow charts and dependency analysis (C)

What is the correct approach to managing significant risks facing an organization?

Combining impact, scope, and likelihood (B)

Which term refers to the practice of minimizing the negative consequences of an event on an organization?

Cost containment (D)

Which of the following is NOT a consideration when evaluating reputational components in an organization's external context?

Employee satisfaction ratings (B)

Which stakeholder group is generally considered the most critical for many organizations?

Customers (B)

Detective controls can be best described as:

Reviews and inspections to identify existing issues (D)

Which option best reflects a strategy to deal with significant risks in terms of cost-effective improvement?

Prioritizing high likelihood and impact for action (C)

What should organizations prioritize to ensure business continuity following asset damage?

Implementing effective cost containment strategies (A)

Which of the following is essential for evaluating an organization's governance standards?

Degree of industry regulation (B)

What is essential for ensuring resilience and data protection in the financial component of the internal context?

Availability of funds to meet historical and anticipated future liabilities (D)

Which aspect is critical to prevent fraud within the internal financial control environment?

Robust procedures for correct allocation of funds for investment (C)

What financial issue should be addressed to support strategy fulfillment?

Availability of adequate funds and future flows of funds (C)

What defines the financial procedures and profit management within an organization?

The financial component (B)

Which of the following arrangements is important for service delivery within the financial context?

Arrangements for service delivery and reliable communication infrastructure (A)

What must be in place to ensure continuity of activities after major disruptions?

Business continuity plans (C)

Which of the following factors is not part of evaluating financial components in an organization?

Effectiveness of the sales team (A)

What is crucial for protecting data and ensuring operational resilience?

Information technology infrastructure (C)

Flashcards

External Factors

Factors that can affect strategy and objective achievement originate from outside the company and include social, political, and economic elements.

Internal Factors

Factors that can affect strategy and objective achievement originate from within the company and include elements like technology, personnel, processes, and infrastructure.

Opportunity Risks

Risks associated with taking an opportunity. It involves analyzing potential negative consequences of pursuing a course of action.

Technology Related Risks

Risks related to disruptions caused by technology, including privacy breaches, disaster recovery issues, cyberattacks, and security vulnerabilities.

Disruptions Caused By People

Disruptions caused by inappropriate behaviour of individuals, mainly senior management, affecting the company's operations and performance.

Disruptions Caused By Processes

Disruptions caused by problems with processes, including IT system failures, faulty products or services, and inadequate information management.

Disruptions Caused By Products

Disruptions caused by problems with products or services, including delivery of defective goods or components, inadequate information management, and failure of communication or transport systems.

Failure Of IT Hardware or Software Systems

A situation in which the information flow, data processing, and internal communication systems are affected, often leading to operational disruptions or data loss.

Assurance Objective of Risk Management

Risk management activities should ensure that appropriate risk-based information is available to support decision making.

Types of Hazard Control

Corrective, preventive, and detective measures are all types of hazard control.

How Insurance Transfers Risk

Insurance acts as a mechanism for transferring the financial impact of losses arising from hazard risks and, to a lesser extent, control risks.

Transferring Risk

When a risk has a low likelihood but a high potential impact, organizations may choose to transfer the risk to another party.

Terminating Risk

Terminating a risk is equivalent to eliminating the risk entirely.

Transferring Risk (alternative definition)

Transferring a risk is equivalent to contracting with another party to assume the risk.

Treating Risk

Treating a risk involves actions taken to reduce the likelihood or impact of the risk.

Tolerating Risk

Tolerating a risk means accepting the risk and taking no action to reduce it.

Significant Risks

Risks that have a high or very high impact on the organization, are likely to occur at or above the benchmark level, and have significant potential for cost-effective improvement in control.

Cost Containment

Focuses on decreasing the negative impacts of incidents while keeping repair costs as low as possible.

Reputational Risk Factors

Components of the external context when evaluating reputational risk include: governance standards, product/service quality, public perception of the industry, and corporate social responsibility.

Most Important Stakeholder

Customers are often the most important external stakeholders for many organizations.

Detective Controls

Controls that focus on detecting problems or irregularities after they occur.

Detective Control Examples

Examples include: checking driver licenses for violations, inspecting vehicles for damage, and reviewing fuel consumption to identify aggressive driving.

Purpose of External Context Evaluation

Evaluating the external context helps understand the potential risks and uncertainties that could impact an organization's operations and success.

Marketplace Component of External Context

The marketplace component of the external context includes factors like aggressive competitors, customer expectations, economic stability, supply chain complexity, and exposure to disruptions like technology or geopolitical events.

Risk Management Context

The risk management context encompasses the framework and processes used to identify, assess, and manage risks. It includes governance, culture, strategy, objective-setting, and internal and external communication.

Internal Context

The internal context considers the elements within the organization that influence risk, such as its structure, processes, people, and resources.

Disadvantages of Top-Down Risk Assessment

Top-down risk assessment involves starting the evaluation from the highest level of the organization and then cascading it down. While this ensures consistency and a company-wide approach, it can be less detailed and miss risks at lower levels.

Financial Component of Internal Context

This involves ensuring that an organization has enough money to cover its financial obligations, both present and future.

Internal Financial Control Environment

This refers to the ability of an organization to manage its money effectively, including processes for allocating funds for investments and preventing fraud.

Adequate Funds and Future Flows of Funds

This addresses whether sufficient funds are available to execute strategic plans and cover future financial needs.

Robust Procedures for Fund Allocation

This involves ensuring that an organization has procedures in place to allocate funds correctly for investment, promoting financial stability and profitable growth.

Financial Component of Internal Context

This assesses the overall financial procedures and policies that influence how a company manages its money and generates profits.

Risk Culture

This addresses the organizational culture and senior management's attitude toward risk. It is crucial to avoid excessive risk-taking, which could lead to financial instability.

Adequate Physical Assets

This aspect focuses on the availability of sufficient physical assets, such as buildings, equipment, and infrastructure, to support operational activities.

Business Continuity Plans

This involves having systems in place to ensure operational continuity in case of major disruptions, such as natural disasters or cyberattacks.

Workshops and brainstorming

Identifying and analyzing potential problems that could affect your objectives, core processes or key dependencies. It involves collecting ideas from different individuals and brainstorming solutions.

Flow charts and dependency analysis

A visual representation of a process with clear steps, showing how tasks depend on each other. It helps identify potential bottlenecks and risks.

Inspections and audits

Thorough examinations of facilities, operations, and systems to ensure compliance with established rules and regulations.

Crowdsourcing technology

Gathering ideas from a large group of people online, often used to get diverse input on risks or solutions.

Questionnaires and checklists

Using structured questions and checklists to gather information about potential risks, allowing for consistent and efficient data collection.

Bottom-up risk assessment

A method for evaluating risks that involves starting from the bottom of the organization and working up. Individual teams identify and assess their specific risks.

New risks may not be reported

A potential drawback of bottom-up risk assessment is that it might overlook emerging risks that aren't being reported by operational staff.

Silo approach to risk assessment

A potential drawback of bottom-up risk assessment is that it can become too focused on small details and lose sight of the broader picture, leading to a siloed approach where different parts of the organization are unaware of each other's risks.

Study Notes

Risk and Control

• Failure to comply with regulations is an example of compliance risks.
• Opportunity risks
• Control risks
• Hazard risks
• Long-term risks

Dominant Response to Risk

• High-impact/high-likelihood risks: Treat
• High-impact/low-likelihood risks: Transfer
• High-likelihood/low-impact risks: Tolerate
• Low-likelihood/low-impact risks: Tolerate

Risk Level After Planned Controls

• Financial risk
• Net, residual or current risk
• Rational risk
• Irrational risk

Risk Level After Existing Controls

• Financial risk
• Gross or inherent risk
• Rational risk
• Irrational risk
• Net, residual or current risk

Risk Management Approach

• Risk management is the approach that seeks to maximize the benefits of taking entrepreneurial risks.
• Control management
• Risk management
• Compliance management
• Opportunity management
• Hazard management

Deliberately Sought Risks

• Long-term risks
• Compliance risks
• Hazard risks
• Opportunity risks
• Control risks

Uncertainty Risks

• Operational risks
• Non-financial risks
• Control risks
• Hazard risks
• Financial risks

Common Operational Risks

• Occupational health and safety
• Theft

Risks Associated with Potential Harm

• Non-financial risks
• Compliance risks
• Financial risks
• Operational risks
• Hazard risks

Legal and Financial Penalties

• Financial risks
• Non-financial risks
• Operational risks
• Compliance risks
• Hazard risks

Risk Management Organization and Arrangements

• Risk assessment
• Risk appetite
• Risk protocols
• Risk response
• Risk architecture

Risk Management Processes

• Risk evaluation
• Risk development