Paul Hopkin. Fundamentals of Risk Management

Подождите немного. Документ загружается.

344 Appendix A

Term Deﬁ nition Reference

Retain See ‘Tolerate’ Chapter 27

Table 27.1

Risk For a range of some of the accepted deﬁ nitions

‘Risk’, see Table 1.1

Chapter 1

Table 1.1

Risk appetite The level of risk that it is acceptable to the

organization, encompassing the hazard risks that it

is willing to tolerate, the control risks that it is

willing to accept and the opportunity risks in which

it is willing to invest

Deﬁ ned in BS 31100 as ‘Amount and type of risk that

an organization is prepared to seek, accept or tolerate’

Chapter 26

Figure 26.2

Risk architecture,

strategy and protocols

See ‘Risk management framework’ Chapter 7

Risk assessment Means by which signiﬁ cant risks to the organization

are evaluated and prioritized by undertaking the

activities of ‘Risk recognition’ and ‘Risk ranking’

Chapter 13

Risk assurance Means by which an organization receives reasonable

assurance that the signiﬁ cant risks are being

adequately controlled

Chapter 33

Table 33.3

Risk capacity Maximum level of risk to which the organization

should be exposed, having regard to the ﬁ nancial

and other resources available

Chapter 26

Figure 26.2

Risk exposure Level of risk to which the organization is actually

exposed, either with regard to an individual risk or

the cumulative exposure to the risks faced by the

organization

Chapter 26

Figure 26.2

Risk management For a range of the recognized deﬁ nitions of ‘risk

management’, see Table 4.1

Part 1

Table 4.1

Risk management

framework

Set of activities that support the risk management

process, referred to in this book as the risk

architecture, strategy and protocols (RASP)

Deﬁ ned by ISO Guide 73 as a set of interrelated

activities and rules for co-ordinating and directing

risk management processes within an organization

Chapter 6

Table 7.1

Glossary of terms 345

Term Deﬁ nition Reference

Risk management

information system

Computer software system and/or part of the intranet

of the organization that records and communicates a

range of risk management information

Chapter 12

Table 12.2

Risk management

process

Co-ordinated range of activities that deliver

management and control of risks within the

organization, referred to in this book as recognition,

ranking, responding, resourcing controls, reaction

planning, reporting and review (7Rs)

Figure 4.1

Table 4.3

Risk management

standard

Guidance to organizations on the design and

implementation of risk management and made up

of a description of the risk management process,

together with advice on establishing a suitable risk

management framework

Chapter 6

Risk map See ‘Risk matrix’ Figure 1.1

Risk matrix Presentation of risk information or risk analysis on

a 2 x 2 graph, sometimes referred to as a risk map or

heat map, and often used to provide a graphical

representation of the information contained in the

risk register

Figure 1.1

Risk proﬁ le See ‘Risk register’ Chapter 8

Risk ranking Stage in the risk assessment process that rates and

prioritizes individual risks according to the

likelihood of occurrence and the impact (or

sometimes magnitude) of the risk should it

materialize, also referred to as risk analysis, risk

evaluation or risk estimation

Chapter 13

Risk recognition First stage in the risk management process, which

involves the organization in the identiﬁ cation of all

of the risks that it faces

Chapter 13

Risk register Proﬁ le and record of the risks faced by an

organization, with particular emphasis on the

signiﬁ cant risks, the controls currently in place,

additional controls that have been identiﬁ ed and

responsibility for control activities

Chapter 8

346 Appendix A

Term Deﬁ nition Reference

RMIS See ‘Risk management information system’ Chapter 12

Table 12.2

Sarbanes–Oxley Act of

2002

US legislation that encourages use of the COSO

Internal Control framework (1992) to ensure that

the information disclosed by companies listed on

the stock exchange is accurate

Chapter 34

Severity

See ‘Magnitude’ Chapter 15

Signiﬁ

cant risk Risk with the ability to impact about the benchmark

test for signiﬁ cance for the organization

Chapter 15

Table 15.1

Signiﬁ cant weakness Weakness in controls in an organization with the

potential to cause a signiﬁ cant or material loss

Chapter 33

Stakeholder Persons or groups of persons with an interest in the

activities of the organization

Chapter 20

Strategic risk Long-term or opportunity risk that can impact the

key dependencies or corporate objectives of an

organization, with the impact materializing some

time after the action or event occurs

Deﬁ ned in BS 31100 as ‘Risk concerned with where

the organization wants to go, how it plans to get

there and how it can ensure survival’

Chapter 3

Tactical risk Medium-term, control or uncertainty risk that is

associated with change, projects and the means by

which the organization will deliver strategy

Chapter 3

Target risk The ultimate level of risk that is desired by the

organization when all cost-effective/necessary

controls have been implemented

Chapter 15

Figure 15.3

Terminate Risk response that is appropriate when the level of

risk is not acceptable to the organization, also

referred to as ‘avoid’ or ‘eliminate’

Chapter 27

Table 27.1

Tolerate Risk response option that is appropriate when the

level of risk is acceptable to the organization, also

referred to as ‘accept’ or ‘retain’

Chapter 27

Table 27.1

Glossary of terms 347

Term Deﬁ nition Reference

Transfer Risk response option for risks that the organization

wishes to transfer to another party, usually by

means of insurance or contractual transfer

Chapter 27

Table 27.1

Treat

Risk response option for risks that the organization

believes can be further treated by the introduction

of cost-effective (corrective) controls, also referred

to as ‘control’ or ‘reduce’

Chapter 27

Table 27.1

Upside of risk

Additional beneﬁ ts available to the organization by

taking risk – for a range of descriptions of the

‘Upside of risk’, see Table 17.1

Chapter 17

Table 17.1

Appendix B:

Implementation guide

The table below provides a detailed overview of the steps involved in the implementation of a

successful enterprise risk management (ERM) initiative. It uses the structure described in

Figure 29.3 (page 275) to indicate the steps involved in learning from controls.

Successful implementation of an ERM initiative is an ongoing process that involves working

through the 10 steps set out below on a continuous basis. Also, because it is sometimes difﬁ -

cult to recognize the distinction between planning, implementing, measuring and learning,

the 10 steps in implementing an ERM initiative are presented under the headings:

planning/implementing; •

implementing/measuring; •

measuring/learning; •

learning/planning. •

The information in the table below is an extended version of the steps involved in achieving

successful risk management, as set out in Table 36.1 (page 329). In addition to identifying the

10 steps involved in the successful implementation of an ERM initiative, the table also describes

the concepts or tools and techniques that are required to deliver each step.

Many acronyms are used in this book and these are referenced in the table below to show

where they ﬁ

t into the overall implementation of risk management in general, and ERM in

particular. In addition to identifying the acronyms relevant to each step, the table also pro-

vides reference to the chapter of the book where further information can be found.

The steps set out below relate to the implementation of an overall enterprise risk management

initiative. Much of this book is concerned with the implementation of risk management in

relation to speciﬁ

c individual risks. ERM is the overall philosophy that consolidates the man-

agement of individual risks into a uniﬁ ed and consistent approach to risk across the whole

enterprise.

348

Implementation guide 349

Activity Concepts/tools and

techniques

Acronym Reference

Planning/implementing

1. Identify intended beneﬁ ts

of the enterprise risk

management initiative and

gain board support

Risk appetite

Corporate governance

ERM

CADE3

Chapter 5

Chapter 19

Chapter 25

Chapter 26

Plan the scope of the ERM

initiative and develop

common language of risk

RM sophistication

Upside of risk

Stakeholder expectations

PACED

7Rs

Chapter 5

Chapter 17

Chapter 20

3. Establish the risk

management strategy,

framework and the roles

and responsibilities

Risk management policy

Risk architecture

Level of risk maturity

RASP

4Ns

Chapter 6

Chapter 7

Chapter 10

Implementing/measuring

4. Adopt suitable risk

assessment procedures and

an agreed risk classiﬁ cation

system

Risk protocols

Risk management

guidelines

Risk classiﬁ cation systems

Risk description

FIRM

PESTLE

COSO

Chapter 8

Chapter 9

Chapter 13

Chapter 14

5. Establish risk signiﬁ cance

benchmarks and undertake

risk assessments

Benchmark tests of

signiﬁ cance

Risk register

Chapter 8

Chapter 15

6. Determine risk appetite

and risk tolerance levels

and evaluate the existing

controls

Risk appetite

Risk matrix

Loss control

4Ts

PCDD

Chapter 13

Chapter 16

Chapter 26

Chapter 27

Chapter 28

Measuring/learning

7. Ensure cost-effectiveness of

existing controls and

introduce improvements

Risk improvement plans

Reaction planning

BIA

BCP/DRP

Chapter 16

Chapter 18

Chapter 29

8. Embed risk-aware culture

and align risk management

with other management

tasks

Control environment

Resource allocation

Risk communications

Business model

LILAC Chapter 11

Chapter 12

Chapter 21

Chapter 31

350 Appendix B

Activity Concepts/tools and

techniques

Acronym Reference

Learning/planning

9. Monitor and review risk

performance indicators to

measure ERM contribution

Audit plan

Sources of risk assurance

RMIS Chapter 12

Chapter 33

10. Report risk performance in

line with legal and other

obligations and monitor

improvement

Risk reporting

Turnbull/Sarbanes–Oxley

COSO

CoCo

Chapter 32

Chapter 34

Index

NB: page numbers in italic indicate ﬁ gures or tables

4As of uncertainty management 144, 200, 327

4Es of opportunity management 144, 251–52,

252, 327

4Ns of risk maturity 101, 102

7Rs and 4Ts of risk management 39, 39, 40, 48

4Ts of risk management 49, 141, 143–44,

167, 200, 244–52, 253, 256–57, 334

key dependencies 247

and project risk management 250–51, 251

risk matrix 246

termination 250

tolerance 248

transfer 249

treatment 248–49

appetite see risk appetite

AS 4360 (2004) 3, 53, 231, 334

Association for Project Management

(APM) 202

attachment of risks 22, 22–23

attitudes to risk 26–27

balanced scorecard 109

Barclays Bank 63–64

Basel II Accord 205, 206, 207–08, 208, 212, 230

Brent Spar 324

BS 31100:2008 3, 10, 46, 48, 53, 56, 59–61, 60,

67, 121, 133, 163, 164, 188, 231, 236, 240,

244, 248, 249, 292, 334

business continuity planning (BCP) 150,

163–70, 256, 284

business continuity standards 164

business impact analysis (BIA) 168

and civil emergencies 169

designing and implementing a BCP 166–67

and enterprise risk management 168–69, 229

importance of 163–64

key activities 165

model for 165

principles of 166

and strategic partnerships 217

testing of 166

business impact analysis (BIA) 168

business model, analysis of

core processes 193–94

effective processes 195

efﬁ cacious strategy 194–95

efﬁ cient operations 196

reporting 196–97

simplifying the model 192–93, 193

strengths, weaknesses, opportunities and

threats (SWOT) analysis 195