Activities

Activity 1

1. Explain the meaning of these terms

a) Risk - A possibility of an event (something happens) to the possibility of an effect

and, in particular, an effect on objectives.

b) Risk management - Risks affecting organization can have consequences in the

terms of economic performance and professional reputation, as well as
environmental, safety and societal outcomes. Therefore, managing risk effectively
helps the organization to perform well in an environment full of uncertainty.

c) Risk capacity - Risk Capacity is an objective measurement of the amount of risk

an organization needs to take in order to meet their established financial goals. It
can also be used to assess the impact of any risk occurrence on the company’s
portfolio able to meet their financial obligations.

d) Risk appetite - Risk appetite is the level of risk an organization is prepared to

accept. Risk appetite is a tool or technique that used to define the overview that
provides key information about the associated risks and risk management
approaches within the organization. This helps to identify the scope of
opportunity and scope of improvement areas. Normally the risks that an
organization defines or assume before an activity and also develop an action plan
to control or reduce it in this situation this tool represents a balance between
perspective benefits and associate threats or risks that can happen if any unwanted
situation will come.

2. Why should risk management policies and procedures be periodically reviewed?

 It is always necessary to periodically review risk management policies and

procedures because it helps the organization decide on whether they align with the
current risk management standards. This will help them identify any gaps or
necessary improvements to the risk management procedures currently undertaken. It
is also necessary because new risks will emerge and existing risks will disappear.
Risks that the organization has already acknowledged may become more or less
frequent, severe or relevant to it. Therefore the risk management strategy should
always be a fluid document that is regularly updated to take account of changes in the
organization.
Activity 2
How will you identify the risk management scope—what things do you need to look at?
What challenges does a scope of this size pose and how would you approach the risk
assessment process?

Identifying the risk management scope:

In order to determine the risk management scope, we have to determine the worst-case scenario
questions in terms of possibility and probability. The scope should be determined within the
context of the organization’s objectives. The following are steps to identify the risk management
scope:
 Interviews: Select key stakeholders.
 Brainstorming: Plan your brainstorming questions.
 Checklists: See if your company has a list of the most common risks.
 Assumption Analysis.
 Cause and Effect Diagrams.
 Nominal Group Technique (NGT)
 Affinity Diagrams.
 Work Breakdown Structure (WBS)

Advantages:

1. Proper pre-plan to addresses the issues and challenges on the basis of studied past data.

2. Identification of risks associated with the activities that the organization has to complete.

3. Pre-planning and post-analysis will provide a scope of improvement and scope of

opportunity areas that helps to define the success path.

4. The organization can able to introduce the control and checks points that control, reduce,
minimize and eliminate the possible risks.

Difficulties and challenges:

1. This organization required experts and high expertise to provides their services to the target
groups because the organization deals in regulatory sectors that need strong and structured
controls and checks points because the small error will be caused to lose a client.

2. Involve high levels of financial and manpower in terms of expertise risks.

 3. Challenges to define the suitable plan and implement and execute the plan in the
organization that addresses the risks associated with tasks.

The above paragraphs consist of information about the nature of the company and different
benefits, difficulties and challenges that can be addressed through the risk management
procedures. The service provider organization is providing its services in the area of the
Australian taxation solution that carries lots of regulations and policies. These policies and
regulations are quite strict. To provide the services successfully and minimize the risk or achieve
the expected outcomes the risk management needs to identify the areas that require control and
improvements. Through an audit team, expert team, numerous training sessions the organization
can reduce the different risks associated with the activities. A part of these to provide services in
the area of taxation require through and update knowledge of taxation policies within employees.

Activity 3
Who is an organization stakeholder and why should they and their issues be identified?
Stakeholders are the people who have an interest in or are affected and impacted by a proposed
change. The whole range of people can be from individual to groups, including owners,
managers, shareholders, employees, customers, suppliers, financiers, business sponsors, the
general public, government agencies communities, the environment competitors, statutory
watchdogs, and trade unions, who will be held ultimately responsible, and have an interest in the
consequences of the corporation’s process, system, and actions.

All of these can act upon or be acted upon by the business. Stakeholders can have a vital role in
the direction and performance of the company. The internal stakeholders, such as shareholders
and employees, often have the concerns of monetary, preserving reputation and personal safety,
while the external stakeholder, such as customers and regulators, who are not directly involved in
the business but care about or are impacted by the performance of the business, also place the
significant importance of their concerns on the company. In other words, these two groups have
very different issues, require different issues, require different communicating processes and risk
management solutions.
It is significantly important to consider the scope of stakeholders and their issues because any
organization is nothing but a group of stakeholders bringing about the production of goods and
services which the organization should provide. They can carry on their contributions and
provide feedback to better identify and manage the relevant risks and improve the corporation’s
performance. The employees can be a good example to illustrate this point.

With respect to employees as stakeholders, there are collectively or individually affect risks that
could have an impact on business operations. Therefore, effective communication, honest and
free information exchange environment, active contribution to a clear reward system will result
in high productivity and motivate employees to work toward goals and achieve objectives. This
is to say, better decision making executing will be enabled by the culture of risk understanding.

The reason why their issues should be identified

Different stakeholders have different issues and different perspectives on risks. All their issues
should be identified as it helps in coming up with a risk management plan especially for those
stakeholders who are closest to various risk areas, their issues should be identified in order to
come up with a thorough risk management plan. Identifying stakeholder’s issues would also help
solve any problems arising in the organization. This would also help leaders in coming up with
strategies and responses.
Activity 4
When considering organization risk it is important to review the political, economic, social,
legal, technological, and policy context. Comment on the influence impact each of those
factors has on organization risk profile – the risk scope and context.

Political Factors:
The political factor that impacts the organization is because of political forces that might affect
the organization. Political risks are always related to legislative and regulatory changes, political
unrest, and change of government, corruption, and contractual issues in either home countries or
countries where organization markets or from which imports.
Organizations have no direct controls over these political risks when they occur but the
organization should be fully informed of what’s happening in the world especially for external
political risks in order to know how to go about.

Economic:
The economic factor that impacts the organization is because of the competition in nature and
also because of the financial resources available in the economy.

Social:
The social factors that impact the organization are due to the fact that the organization meets
with demographic changes, the new trends in the market and so on other possibilities.

Technological:
The technological factors that impact the organization are the new approach and the new ways
and equipment of tacking the problems.
Policy: Thus new laws, rules, and regulations create a problem for the organization.

Activity 5
Why is it necessary to review existing risk management arrangements and standards?
Briefly explain.
Organizations risk management arrangements and standards should be periodically reviewed. By
conducting reviews, the organization will be able to identify any gap or weaknesses in the
current risk management procedures and will also assist in ensuring the existing risk
management arrangement is current. Each organization should have documented risk
management policies and procedures that inform staff about what risk is and how the
organization approaches risk management or control.
They will explain how to conduct risk assessments when risk assessments should be conducted,
what metrics will apply and when and to whom risks must be communicated.
Policies, procedures, and practices should be regularly reviewed to check that they are up to date,
continue to be relevant to the organization, continue to support the organization vision and
mission, are current in line with stakeholder and shareholder expectations, are aligned with
relevant and current legislation and are still relevant inline ISO risk management advice and
standards.

Activity 6
Activity 7
How can support for risk management policies and procedures be encouraged? What skills
might be used when garnering support and with whom should you communicate the risk
management intentions?

 Effective communication with those who are involved or will be directly affected by the
risk management procedure or the risk itself.
 Promote the benefits of supporting an organization's risk management policies,
procedures, and plans.
 Staff needs to know what procedures are in place to identify risk, what type of risk does
the organization assesses, and the results of each periodic risk management.
 It’s necessary for staff to have a basic understanding of what constitutes risk and why it is
necessary to act on, eliminate or accept identified risks.
 Staff backing and participation are more likely to be supported if they understand the risk
management process and what is required of the individual.

Skills:
  Assess the effectiveness of current strategies
 Assess the degree of the organization’s reliance
 Consider the potential failure scenarios, the likelihood of occurrence and projected
outcomes.
 Consider events that are out of the organization’s control
 Consult with experts and relevant stakeholders
 List or matrix the impact of identified risk scenarios on vital business service.
 List at-risk services/ processes/operations.
 Develop and document risk management strategies.
 Develop and document contingency plans.
Whom:
Managing risks involves everyone in your organization such as board/committee, staff,
volunteers, players/clients/members/visitors - anyone who comes into contact with the group.
We need to develop systems to ensure good communication between different levels of the
organization, as well as a feedback loop. While dealing with risk management, we must have a
core group of people dedicated to the task is a good idea.

Activity 8
1. The organization for which you work is planning an extension to the premises and
an increase in staff numbers with a view to expanding into view markets. You have
been asked to conduct research that will identify any risk or contingency
requirements for the department that you head to. What parties might be invites to
assist with the risk identification and what contribution could they make?

 Involves the whole organization (senior management and employees)

 Range of stakeholder groups – assists with the identification of risk
 Boards and senior management (a holistic approach to risk identification )
 Necessary to identify all business risks including, social, ethical, environmental,
financial and operational.
 Enterprise-wide risk management (ERM) is a structured process that involves the
whole organization identifying assessing risk, deciding on responses and
reporting opportunities and threats that compromise organizational goals.
 We all know that communication in the workplace is paramount to a safe
environment so involving stakeholders, especially employees, in the process of
assessing risks makes a lot of sense. The employee has a good understanding of
their area of work and the risks involved
 Who better to offer advice on controlling risk than the person who is working
with the hazard themselves?
 Different stakeholders have different roles within the organization and are likely
to offer in the way they like to have the information communicated to them
 Managers
 Client
  Employee
 HSEs

2. Why should employees be invited to participate in risk management consultation?

Inviting participation from employees, particularly, makes them feel valued and valuable.
If their ideas and options are recognized and utilized they will generally be motivated to
continue contributing to improvement ideas. Consultation and involvement will motivate
the employees and encourage them to contribute to continuous improvement in the
organization. Normally, employees are the group who deals with the processes and day-
to-day operations of the business and are often in a good position to recognize risk factors
and assists with the design and development of risk controls. Employees are the first
people who are at risk, so they are entitled to an opinion on how to work are design,
developed, monitored and assessed. They will also be involved in the activation of
contingency plan s and the implementation of risk management strategies. It is always of
benefit to improve them in the development process because it encourages ownership and
compliance.

3. What is the danger of attempting to manage risks without properly researching

them?

The danger of attempting to manage risks without proper research is that we won’t be
able to know the types of risks that could occur in some areas or departments. We won’t
be able to know the effects of all risks, scope, and management of those risks. Research
is, therefore, necessary in order for an organization to come up with proper strategies to
manage the risks.

4. List 12 aspects of risk that might contribute to the new research process.

1) Ecology
2) Finance – capital, investments, and loans,
3) Inventory/stock
4) Process and process design
5) Health and safety
6) Suppliers/supplies/raw materials
7) Product cost
8) Market conditions-trends, customer needs, and expectations.
9) Information systems
10) The competition that is local, national and global
11) Experimentation and innovation
 12) Staff skills, competencies and training needs

Activity 9
a. A number of tools can be used to collect risk-related information and data ready for
analysis. List eight.

 Brainstorming
 Suggestion boxes
 Project/department meetings
 Customer feedback forms
 Risk identification workshop
 One to one discussions and interviews
 Spreadsheet simulations
 Market research

b. From the list select two methods. Explain what they are how they work.

Market research
Market research is the process of collecting and analyzing data to determine whether a
particular product, service or business plan will satisfy the organization and its customers.
Market research’s intention is to find, satisfy the organization's customers whilst
increasing company profit. Effective market research can give your organization the
upper hand on your competitors, identify potential economics shifts, client demographics
and the current market trends and spending traits of your customers. Market research may
be conducted directly by an organization or a consultant hired by the organization itself.
Market research may be conducted directly by an organization or a consultant hired by
the organization itself. Market research can involve surveying the organization's
customers, scoping potential competitors to the organization, market testing an
organization's new product or collating and analyzing customer feedback. Market
researchers may also be futurists.

Brainstorming
Brainstorming focuses on gathering ideas, in many ways it is similar to data gathering;
the difference is the ‘data’ exists to be discovered and ideas need to create. Brainstorming
is a group creativity technique by which group members try to find a solution for a
specific problem by gathering a list of ideas spontaneously contributed by its members.
One person builds on the other’s suggestion and may come upon a solution that otherwise
would not have surfaced.
 After the session is completed, the proposed solution must be evaluated realistically.
Regularly, a solution that never would have been proposed in routine analytical sessions
meets the real world tests and provides a feasible solution to a problem.
The analyst brainstorms on ways to meet the objectives, temporarily disrespecting all the
reasons why the ideas will not work. Only when the best alternatives to meet the system
objectives have been formulated will the systems analyst start to consider the limitations
of the working environment. With more clear thinking and planning, the best-proposed
plan will survive the test. There are general rules of brainstorming these include:
 Focus on quantity
 Withhold criticism
 Welcome unusual ideas
 Combine and improve ideas

Activity 10
1. Plotting business risks on a risk matrix are recommended. What are the benefits of
doing this?

- The risk matrix is used for identification and evaluation purposes.

- Evaluating risks results in the decision regarding the treatment/control and
subsequently the development of an action plan to deal with said risk.
- Risks should be rated and prioritized in terms of importance, severity, and likelihood,
- Plotting risks on a risk matrix can be presented as
 Catastrophic/critical
 Major
 Moderate
 Minor/marginal
 Insignificant/negligible
- Plotting on a risk matrix helps to order priority
- Ensures the most serious risks cannot be ignored
- Plotting risks allows you to grade the most to least serious risks to assist the company
by focusing on only the critical areas and mitigating the more serious risks before
they become a crisis.
- A matrix can assist with identifying, assessing, tabulating and monitoring potential
risk

2. List four questions that might be asked when assessing and prioritizing risk.

a) What is likely to have an impact (the nature of the risk)?

 b) What are the chances that this impact will occur?
c) How serious will that impact be consequences?
d) Will it be offset by benefits?

3. How does categorizing risk help? List four benefits of categorizing risk.

Categorizing can assist with identifying, assessing, tabulating and monitoring potential
risk impacts and risk reduction processes.
Categorizing risk help:
a) Differentiate credible high-risk threats from less probable risks
b) Prioritize action needs
c) Identify long and short-terms risk control mechanisms
d) Make risk VS cost decisions

4. List six factors that might contribute to financial risk.

The financial business risk could be addressed under the heading of:
1) Exposure in the light of recent trading experience
2) Market conditions and prospects
3) Ability to address market opportunities and downturns
4) Financial audit records
5) Competencies and behaviors of key personal
6) Internal financial monitoring and control
Activity 11
1. A number of different risk treatments will be applied depending on the industry in
which an organization operates its structure and the risks it faces. Explain what risk
treatment is and the categories of risk treatment options that could be applied.

Risk treatment

Risk treatment is a procedure for choosing and implementing measures to modify risk. In
addition to understanding the threats your organization faces, knowledge of how risk
treatment options can help mitigate the effects of those threats is important. Risk
treatment measures can include avoiding, optimizing, transferring or retaining risk.

Categories of risk treatment options that could be applied

 Avoidance – This is where an organization chooses not to take on the risk by

avoiding the actions that cause the risk.
 Prevention – This is whereby risk isn’t allowed to occur.
 Reduction – Taking mitigation actions that reduce the risk to a manageable state
  Sharing/Spreading the risk over the range of different areas to reduce the impact
of transferring to other areas. It can be a distribution of risk to multiple
organizations or individuals.
 Retaining/Accepting and managing or retaining because the benefits outweigh the
risks. The organization generally accepts to face the risks.
 Choosing a more acceptable/alternative activity with less risk.
 Transferring to other areas – This is whereby an organization transfers all or part
of the risk to a third party. The two main types of transfer are insurance and
outsourcing.

2. Under what circumstances might it be appropriate to accept risks, without applying

controls?

Risk can at times be accepted due to the following reasons. The cost of treatment far
exceeds the benefits, so that acceptable is the only option. The level of risk is so low that
specific risk treatment is not appropriate with available resources. The opportunities
presented outweigh the threats to such a degree that the risk is justified.

3. Insurance is valuable and necessary, but why is it not a real risk control?

Insurance is whereby the business transfers the risk away from the organization by
insuring against substantial financial loss. Insurance is not a real control it is passive and
also cannot directly manipulate the risks, or more importantly risk drivers, it cannot
reduce, eliminate or treat risk but can only mitigate risk circumstances by providing
compensatory financial backup to the organization.

Activity 12
Activity 13
List six methods that could be used to communicate risk management plans to relevant
parties.
The senior accountant at Abacus Accounting, a small accountancy firm, has their laptop stolen
from an interstate restaurant where they were conducting a dinner meeting with clients. The
laptop contains nearly four weeks of data that has not been backed up to the main server. This is
a significant loss. In addition, the accountant is now without the use of a laptop and still has
much client work to conduct. The firm recognizes that the use of laptops by accounting staff is
critical, as is the information the laptops contain. Abacus Accounting decides to develop a risk
management plan that will mitigate or minimize such losses in the future. Amongst other things,
the plan contains details of:

 protocols for safeguarding laptops whilst traveling

 protocols for backing up data
 procedures for updating the asset register with laptop warranty and insurance details
 procedures for reporting the loss of the laptop and how to
  practices to follow in order to expedite replacement

Activity 14
Why should risk management data and plans be documented and appropriately stored?
The risk management plan is an important element of business continuity planning, which helps
in identifying, evaluating risks and creating approaches to deal with risks. It helps in
understanding and creates a competitive advantage. Its purpose is to challenge the assumption of
the management team aware of the pitfalls of intended actions and at least give them the ability
to change course.
Risk management data and plans are documented from the following reason:
 Demonstrate that the risk management process has been conducted properly
 Provide management and other decision-makers with the plan that addresses the key
exposures for the organization is logical and prioritized ways
 Provide an accountability mechanism that supports the organization’s corporate plan
 Facilitate continuous monitoring and review of risk management.
 Provide an audit trail for the follow up of key actions related to the exposures being
addressed.
 Support the sharing and communication of risk management strategies with stakeholders.

Good documentation is a prerequisite in the successful implementation of risk management, as it

acts both as a delivery and message mechanism. Documentation must deliver a consistent
message, speak a common language and have clear objectives allied to the maintenance of the
organization's objectives, capable of being constantly reviewed and evaluated.
To achieve clarity, the risk documentation should be written by someone, independent of the
organization, who can challenge known assumptions with a questioning mind. The risk writer
will still need input from the business, seek collaboration and guide the organization towards
ownership of the final document. This is to enable an easier process of finding data in the future
and also making easier to track data as well as protecting data.

Activity 15
It is important to monitor and evaluate an action plan once it has moved into its
implementation phase. How does monitoring and evaluation help and what sorts of things
might come under scrutiny?
Action plans should be monitored and evaluated for the following reasons:
 To ensure that they are actually acting to mitigate the risk and prevent business
disruptions.
 They should be monitored to determine when or whether they should go from short to
long term implementation
 To make a determination whether the plan implementation should be recalled, that is
whether the emergency crisis is over, the risks have been addressed and work can go back
to normal. That is whether it will lead to risk reduction.
 Things that come under Scrutiny are:
1) Types of data to be collected and the format of data.
2) The people responsible for the collection of data
3) The reason why it is necessary that is why data collection is necessary.
4) Ways to ensure that data is valid and reliable.
5) Methods on how data will be collated, analyzed and evaluated.
6) The people who need to see the results.
Therefore monitoring and analysis of monitoring data will help the managers review the
effectiveness of the action plan, strategies, and management system. It will, therefore, help with
problem identification and contribute to changes or adjustments to action plans.

Activity 16
1. Explain who should be involved in the evaluation of risk management treatment?

The people who should be involved in the evaluation of risk management strategies are
the auditors. This could be internal auditors or external auditors. It is always advisable for
an organization to use external or independent auditors as the return on investment might
be sufficient to warrant it.

2. Sometimes external auditors can be called in to evaluate risk management plans and
strategies. What are three advantages of using external auditors?

Advantages of using external auditors:

 They can accurately assess the effectiveness of the processes as they aren’t too
close to them
 They have the necessary skills, knowledge, and experience
 External auditors are credible to employees to an internal auditor.