Understanding Risk: Definitions and Types

Questions and Answers

According to the Oxford English Dictionary, risk signifies primarily positive consequences.

False (B)

Owning a car presents only benefits by increasing mobility and offering related advantages.

False (B)

Corporate objectives are typically fully stated by most organizations, ensuring clarity in risk assessment.

False (B)

ISO 31000 defines risk exclusively as having negative impacts on objectives.

False (B)

Hazard risks are primarily speculative in nature, aiming to explore potential gains.

False (B)

Organizations generally have an aversion to embracing control risks.

True (A)

Opportunity risks primarily focus on minimizing potential losses rather than achieving positive gains.

False (B)

The description of a risk needs to be vague to allow for broad interpretation across different departments.

False (B)

The list of information to fully understand a risk is universally applicable to all categories of risks without modification.

False (B)

The inherent level of risk represents the risk after all possible control measures have been implemented.

False (B)

A risk matrix plots the likelihood of an event against its potential financial cost.

False (B)

The term 'frequency' is preferred over 'likelihood' in risk management as it encompasses a broader range of event possibilities.

False (B)

In mature markets, organizations typically move towards a higher-risk, higher-return quadrant.

False (B)

Opportunity management seeks to minimize risks to achieve stable operations, even at the cost of potential growth.

False (B)

Uncertainty risks are an avoidable component in undertaking projects if project budgets are carefully managed.

False (B)

Over-focus on internal control and control management always promotes entrepreneurial initiative.

False (B)

Organizations operating within the gambling industry do not have significant regulatory requirements placed on them.

False (B)

Risk management in the finance sector is strictly isolated to operational risks.

False (B)

Effective risk management involves both tolerating certain hazard risks and having an appetite for investment.

True (A)

Control management aims to broaden the range of possible outcomes from any given procedure.

False (B)

Flashcards

What is Risk?

A chance of danger, loss, injury or other adverse consequences; signifies negative outcomes.

Organizational Risk

Anything that can impact the fulfillment of corporate objectives.

Four Categories of Risk

Compliance (or mandatory), hazard (or pure), control (or uncertainty), opportunity (or speculative).

Hazard Risks

Risks that can only result in negative outcomes, also thought of as operational or insurable risks.

Control Risks

Risks related to uncertainty about the outcome of a situation, associated with project management.

Opportunity Risks

Risks taken deliberately to achieve a positive return, often marketplace or commercial risks.

Inherent Level of Risk

The uncontrolled level of all risks before any actions have been taken; the inherent or gross risk.

Current Level of Risk

The current level of risk after controls have been put in place; also referred to as the residual, net, or the managed level of risk.

Risk Matrix

Plots the likelihood of an event against the magnitude or impact should the event materialize.

Mandatory risk management objective

Ensuring conformity with applicable rules, regulations and mandatory obligations.

Enterprise Risk Management (ERM)

A strategic business discipline; supports objective achievement by addressing the full spectrum of risks.

Define Likelihood

The chance that something will happen, whether defined, measured or subjectively assessed.

Risk Management Outcomes

Minimize compliance risks; hazard management makes outcomes less negative; control management reduces the range of possible outcomes; opportunity management makes outcomes more positive.

First step of risk management

Recognition or identification of risks and identification of the nature of the risk and the circumstances in which it could materialize.

Study Notes

Definitions of Risk

• Risk, according to the Oxford English Dictionary, is a chance or possibility of danger, loss, injury, or other adverse consequences
• "At risk" means exposed to danger
• Risk can sometimes result in a positive outcome
• It can also relate to the uncertainty of an outcome
• Risk can impact the fulfillment of corporate objectives in an organizational context
• Corporate objectives are usually internal, annual and change objectives

Types of Risks

• Risks can have positive or negative outcomes, or simply result in uncertainty
• Risks can relate to opportunity, loss, or the presence of uncertainty
• Organizations seek to minimize compliance, mitigate hazard, manage control, and embrace opportunity risks
• Pure or speculative risks are the two common types of risk
• Hazard or pure risks can only result in negative outcomes; these risks are insurable or operational
• Theft is an example of hazard risk
• Control risks create uncertainty about a situation's outcome and are commonly associated with project management
• Opportunity or speculative risks aims to take action involving investments to achieve positive gains

Risk Description

• A risk description is needed to fully understand risk to identify ownership / responsibilities
• The risk description applicable to hazard risks should be modified to describe control or opportunity risks

Inherent Level of Risk

• The uncontrolled level of all identified risks is the inherent level of risk
• The inherent level of risk is before taking any actions to change the likelihood / magnitude of the risk
• Identifying this level can identify the importance of control measures
• The IIA says assessments should start with identifying this level
• A risk matrix shows the inherent level of risk in terms of likelihood and magnitude
• Absolute risk or gross risk are other terms for inherent level of risk
• Terminology varies as current level of risk can be called residual level, net level, or the managed level of risk

Risk Classification Systems

• Risks can be classified by various characteristics like:
  • Timescale for impact
  • Nature of impact
  • Magnitude of risk
  • Timescale of impact after an event
• Source of risk can be the basis of classification, such as counterparty or credit risk
• The nature of the impact can classify risk:
  • Detriment to finances
  • Impact on the organization’s activities
  • Impact on infrastructure
  • Impact on reputation, status, or market perception
• Risks can be classified by impacted components:
  • People
  • Premises
  • Processes
  • Products
• Organizations should consider source, impacted component, and consequences when classifying risks
• Individual organizations determine risk classification system, and align with risk management standards and frameworks
• Classifying risks several ways to understand potential impact is likely

Risk Likelihood and Magnitude

• A risk matrix best demonstrates risk likelihood and magnitude
• A risk matrix plots likelihood against the magnitude to illustrate risk
• Using a risk matrix to illustrate risk likelihood and magnitude is fundamental
• A risk matrix plots individual risks so the organization can determine if the risk is acceptable
• The horizontal axis of a risk matrix represents likelihood
• The term 'likelihood' is broader as frequency implies events will definitely occur
• The word 'probability' is often used to describe likelihood

Risk and Maturity

• Businesses move to a higher return level for the same level of risk as they develop
• As investment matures, the reward stays high, but the risks should reduce
• An organization becomes fully mature and moves towards the low-risk/low-return quadrant eventually
• The organization or market needs to identify particular risks that the business faces
• Organizations apply risk management techniques to identified risks

Opportunity Risks

• Risk management efforts must produce rewards
• Reward for increased hazard-risk management is fewer disruptive events
• Increased project-risk management effort rewards could be delivery on time, within budget, and to specification/quality
• Organizations deliberately take risks to achieve their mission
• These are market place / commercial risks that are taken expecting a positive return
• Opportunity risks may enhance the achievement of an organization's mission, but can also inhibit
• All organizations have an appetite for seizing and investing in opportunities in effective and efficient operations, tactics, and strategy
• Opportunity risks are linked to new / amended strategies and enhancements to efficiency in operations and change initiatives
• It is unwise if an organization embarks on a potentially high-risk course of action if it does not have resources to develop new products
• Opportunity management seeks to maximize entrepreneurial risks and integrates with strategic planning

Managing Uncertainty Risks

• Organizations must accept uncertainty when undertaking projects and implementing change
• Control risks are uncertainty are inevitable in projects, and these must be accounted for with contingency funds and timelines
• Organizations must identify and assign resources to respond to all consequences of risk
• The nature of control risks and responses depend on the level of uncertainty and the nature of the risk
• Deviations from expected outcomes are uncertainties that are only acceptable within a certain range
• Internal auditors and accountants typically use control management
• UK corporate governance code concentrates on this with little reference to risk assessment
• Control management reduces uncertainty with significant risks and variations in outcomes
• Becoming too concerned with control management results in too much focus on internal control and control management can stifle entrepreneurial effort

Compliance Risks

• Organizations must fulfill compliance requirements that vary between business sectors
• Organizations in the gambling or gaming industry have significant regulatory requirements
• Failure to comply with requirements may result in loss of the operating license
• Compliance issues in the insurance industry are significant and complex
• Failure to comply with obligations may result in insurance claims not being paid, or being illegal in a particular country
• Organizations must fulfill health and safety requirements to ensure the health, safety, and welfare of employees
• Safety requirements extend to employees working in other countries
• Detailed road safety obligations apply to organizations that own vehicles
• Specialist risk professionals employed minimize compliance risks
• It is important to recognize compliance risks and ensure risk management areas expertise cooperate for an organized approach

Specialist Areas of Risk Management

• Risk management is constantly evolving, originating in the insurance industry and branches of hazard management
• It has connections to credit and treasury functions
• Large organizations have this component in activities like tax, treasury, HR, procurement, and logistics
• One of the best known areas is health and safety
• Disaster recovery planning and business continuity planning are other specialist areas
• Quality management is also a well-developed branch
• Project risk management is a developed area that has an emphasis on managing uncertainty or control risks
• Clinical risk management is primarily concerned with patient care, especially during surgical operations, covering patient awareness, and accurate and timely reporting of incidents
• Risk management has been applied in the finance and energy sectors, focusing on operational, market, and credit risks
• The finance sector developed the title Chief Risk Officer
• The energy sector is focused on future price and exploration risk

Risk Management Approaches

• Risk management approach is like the treasury function, where financial techniques form the basis of risk management
• Financial risk management has a high profile, being broader than operational risk
• Banks and financial institutions deal with credit, market, and operational risk
• Finance and insurance are highly regulated
• IT risk management is a well-developed branch, resulting from the increasing importance of data management and security
• There are 8Rs and 4Ts of (hazard) risk management
• Enterprise Risk Management (ERM):
  • Enterprise-wide risk management is holistic
  • It unifies management across all risk types
  • Organizations consider risks' impact on strategy, projects, and operations by embarking on it
  • Supports achieving objectives by addressing risks and their combined impact
• Risk Management's Principles:
  • Proportionate: Activities should be proportionate to the risk level
  • Aligned: ERM should align with other activities
  • Comprehensive: The approach must be comprehensive
  • Embedded: ERM should be embedded in the organization
  • Dynamic: Activities must be dynamic in response to emerging risks
• Risk Management Objectives:
  • Mandatory: Conformity with rules, regulations, and obligations
  • Assurance: That risk management and internal control activities comply with PACED
  • Decision-making: Risk-based information supports decisions
  • Processes: Risk consideration assists with strategy, tactics, operations, and compliance ensuring best outcome with reduced volatility
• Implementations require directors be confident of risk identification and steps to manage it
• Risk management styles and approaches adopted should be complementary and integrate with each other in an organization
• The organization must:
  • Tolerate certain hazard risks
  • Have an appetite for investment in opportunity risks
• Risk Management Tools + Techniques used should:
  • Provide risk governance through compliance management
  • Make outcomes less negative via hazard management
  • Reduce potential outcomes through control management
  • Make outcomes more positive via opportunity management