Question 1. What Are The Company’s Top Risks, How Severe Is Their Impact And How Likely Are They To Occur?
Managing enterprise risk at a strategic level requires focus, which generally means emphasizing no more than five to 10 risks. Day-to-day risks are an ongoing operating responsibility.
Question 2. How Often Does The Company Refresh Its Assessment Of The Top Risks?
The enterprise-wide risk assessment process should be responsive to change in the business environment. A robust process for identifying and prioritizing the critical enterprise risks, including emerging risks, is vital to an evergreen view of the top risks.
Question 3. Who Owns The Top Risks And Is Accountable For Results, And To Whom Do They Report?
Once the key risks are targeted, someone or some group, function or unit must own them. Gaps and overlaps in risk ownership should be minimized, if not eliminated.
Question 4. How Effective Is The Company In Managing Its Top Risks?
A robust process for managing and monitoring each of the critical enterprise risks is essential to successful risk management, and risk management capabilities must be improved continuously as the speed and complexity of business change.
Question 5. Are There Any Organizational “Blind Spots” Warranting Attention?
Cultural issues and dysfunctional behavior can undermine the effectiveness of risk management and lead to inappropriate risk taking or the undermining of established policies and processes. For example, lack of transparency, conflicts of interest, a shoot-the-messenger environment and/or unbalanced compensation structures may encourage undesirable behavior and compromise the effectiveness of risk management.
Question 6. Does The Company Understand The Key Assumptions Underlying Its Strategy And Align Its Competitive Intelligence Process To Monitor External Factors For Changes That Could Alter Those Assumptions?
A company can fall so in love with its business model and strategy that it fails to recognize changing paradigms until it is too late. While no one knows for sure what will happen that could invalidate the company’s strategic assumptions in the future, monitoring the validity of key assumptions over time as the business environment changes is a smart thing to do.
Question 7. Does The Company Articulate Its Risk Appetite And Define Risk Tolerances For Use In Managing The Business?
The risk appetite dialogue helps to bring balance to the conversation around which risks the enterprise should take, which risks it should avoid and the parameters within which it should operate going forward. The risk appetite statement is decomposed into risk tolerances to address the question, “How much variability are we willing to accept as we pursue a given business objective?” For example, separate risk tolerances may be expressed differently for objectives relating to earnings variability, interest rate exposure, and the acquisition, development and retention of people.
Question 8. Does The Company’s Risk Reporting Provide Management And The Board Information They Need About The Top Risks And How They Are Managed?
Risk reporting starts with relevant information about the critical enterprise risks and how those risks are managed. Are there opportunities to enhance the risk reporting process to make it more effective and efficient? Is there a process for monitoring and reporting critical enterprise risks and emerging risks to executive management and the board?
Question 9. Is The Company Prepared To Respond To Extreme Events?
Does the company have response plans for unlikely extreme events? Has it prioritized its high-impact, low-likelihood risks in terms of their reputational effect, velocity to impact and persistence of impact, as well as the enterprise’s response readiness?
Question 10. Does The Board Have The Requisite Skill Sets To Provide Effective Risk Oversight?
To provide input to executive management regarding critical risk issues on a timely basis, directors must understand the business and industry, as well as how the changing environment impacts the business model.
Question 11. Who Is Responsible For The Enterprise Risk Management Or Risk Management Process?
Without assigning someone clear accountability for the process of risk management, it is unlikely that risks would be identified, prioritized and mitigated across an organization on a periodic basis and in a thorough way. In addition, it is unlikely risk would be given the focus that is required to achieve a reasonable degree of control over the many uncertainties facing organizations in today’s highly dynamic marketplace.
Less important are such details as the title of the individual with the accountability or how large a budget or staff the individual is provided. A named, accountable person is key to ensuring that a sound process is in operation.
Question 12. What Are The Most Significant Risks To The Strategy, And What Is Being Done To Address These?
Given that failures are generally caused by a strategic risk that has not been addressed rather than by a catastrophic storm or single cyber attack, for example, it is vital for organizations to know and deal with their strategic risks.
Strategic risks typically involve aspects of the business such as:
- What is the organization’s vision of the future – does it take into account where technology, science and other dynamic forces are going?
- What is the mission – what does the organization make or sell, to whom and in which geographies?
- What are the goals and objectives – how much does the organization want to grow, at what margins, keeping what capital and debt levels?
- What are the values – how does the organization want to behave and be perceived in the marketplace?
- What is the position with strategic partners, investors and vendors?
Question 13. Is There A Single Risk Register That Collates All Significant Risks (Strategic And Non-Strategic), With Action Plans To Mitigate Them?
Strategic and non-strategic risks of a certain magnitude should be combined into one risk register that allows management and the board to see:
- all the major risks
- what is being done to mitigate them
- what is the progress against the risk mitigation plan
The board should expect to see such a report or ask for one, if it is not already being created.
Question 14. What Are The Top 10 Risks Overall?
These should be top of mind for the organization’s senior team at all times and be a familiar topic of discussion with the board. Board members should consider if these make sense based on all the information they have been privy to about the organization.
Question 15. Do Individual Performance Plans Include Risk Management?
If managing risk is really important to the organization, the individual performance plans of a large number of employees at different levels of the organization should include a specific objective or task related to risk management. Thus, the performance against these would be evaluated at regular intervals. It is well-known that what gets measured gets managed, and what gets rewarded gets attention.
Question 16. Who Is Responsible For Information Technology Security?
Clear accountability for the task of ensuring IT security is also critical. With the risk of cyber breaches, demands for service, extortion and stealing of bank accounts and intellectual property so high, an organization needs to ensure it has the necessary expertise to create a secure technological platform. This can be in the form of hired staff or expert contractors.
In the case of some recent, high-profile breaches, it appears that the role of chief information security officer (CISO) was either non-existent or that the individual filling the role was brand new. An inference can be drawn that a seasoned CISO who understood the organization might have made a difference.
Of course, having the role filled does not guarantee never having a security risk come to fruition. But it does reduce the risk to some extent, and having a CISO makes the discovery and recovery from a breach or attack quicker and more efficient when one does occur.
Question 17. Do All Employees Get Some Information And Training On Identifying And Reporting A Risk? Is There A Risk Reporting “Hot-Line”?
The answer to this question will give the board insight into several things. If there is a hot-line, it shows that the organization is seriously interested in identifying risks and that the topic of risk is being handled fairly transparently within the organization. If there is not one, the board may wonder why there is no channel for the rank and file to alert management about risks.
Question 18. Have Correlated Risks Been Looked For, And What Are They?
Large and small organizations alike have the potential to harbor correlated risks. Correlated risks are a group of risks that might occur at the same time because there is a relationship of some sort among them. The aspect at play could be:
- a geography in common
- a single source with multiple ties. For example, a company that has call centers, data processing and manufacturing plants in a single Southeast Asian country has the potential for correlated risk if that country is hit by a natural catastrophe, political upheaval or some other turbulence. Another example: if different product units of a manufacturing company use the same supplier for raw materials or OEM parts, there is the potential for correlated risk if that supplier is unable to deliver on its orders.
A correlation might also be in terms of chain reactions. One risk event may give rise to other risks, which is often true in the case of natural disasters such as earthquakes and hurricanes.
A question about correlated risks will not only elicit an answer about those risks but also provide insight as to whether risk is being discussed in depth and across organizational silos.
Question 19. Are A Business Continuity Plan And Disaster Recovery Plan In Place?
No matter how robust a risk management process is, a company will experience catastrophes of one sort or another from time to time. There is a need for plans that deal with these because reaction speed is critically important in managing them well.
The business continuity plan has the aim of keeping all or some of the business running from another venue or with back-up systems or on-call staff, or whatever allows continuous operations. The disaster recovery plan has the mission to restore normal operations as quickly as possible after the business has been interrupted in whole or in part.
In reviewing these plans, key elements to look for include:
- a communication hierarchy for notification that is complete and up to date
- a decision tree for creating clarity around who can make which decisions
- a list of third-party resources that have been previously vetted and can be called in to assist – some will be part of any insurance policies that may be triggered by the risk/loss event.
Question 20. What Risks Are Being Transferred By Insurance Versus What Is Being Mitigated Internally, And What Is The Quality Of The Insurer?
Insurance can be an effective and efficient way to handle risk when it is used in a well-constructed fashion. The board will want to consider high-level issues such as:
- Is the right set of risks covered; i.e. those that are less predictable, require special expertise and are beyond the financial wherewithal of the organization to withstand?
- Are the right limits being purchased; i.e. is the value of the policy high enough to truly cover a major loss?
- How highly is the insurer rated, and what is its claims service reputation?
A way in which the board can judge the merit of the answers to these questions is to find out:
- the kind of analysis that was done to determine the insurance program
- who did the analysis
- whether there is benchmark information to look at from comparable organizations.
There are, undoubtedly, other questions that the board may need to ask. These are an excellent starting place for getting a sense of how well the organization is addressing risk.
Question 21. What Is The Difference Between A Risk Assessment And A Method Statement?
A risk assessment is simply a careful examination of what, in your work, could cause harm to people, so that you can weigh up whether you have enough precautions or whether you should do more.
As an employer or self-employed person, you must do a risk assessment, but you only need to record it if you employ five or more people.
A safety method statement is not required by law. It describes in a logical sequence exactly how a job is to be carried out in a safe manner and without risks to health. It includes all the risks identified in the risk assessment and the measures needed to control those risks. This allows the job to be properly planned and resourced.
Safety method statements are most often found in the construction sector. They are particularly helpful for:
- higher-risk, complex or unusual work (eg steel and formwork erection, demolition or the use of hazardous substances)
- providing information to employees about how the work should be done and the precautions to be taken
- providing the principal contractor with information to develop the health and safety plan for the construction phase of a project
Whether safety method statements are used or not, it is essential to make sure that risks are controlled.
Question 22. What Are Risk Matrices?
Most businesses will not need to use risk matrices. However, they can be used to help you work out the level of risk associated with a particular issue. They do this by categorising the likelihood of harm and the potential severity of the harm. This is then plotted in a matrix (please see below for an example). The risk level determines which risks should be tackled first.
Using a matrix can be helpful for prioritising your actions to control a risk. It is suitable for many assessments, but in particular for more complex situations. However, it does require expertise and experience to judge the likelihood of harm accurately. Getting this wrong could result in applying unnecessary control measures or failing to take important ones.
Question 23. Does HSE Carry Out Risk Assessments For Businesses?
No. We are an independent regulator and act in the public interest to reduce work-related death, illness and serious injury across Great Britain’s workplaces. We also provide advice through our website and publications which are freely available to download.
If you need external help or advice, please go to the following web pages:
- Get competent advice
- The Occupational Safety and Health Consultants Register (OSHCR)
Question 24. What Are Significant Risks?
Significant risks are those that are not trivial in nature and are capable of creating a real risk to health and safety which any reasonable person would appreciate and would take steps to guard against.
What can be considered as ‘insignificant’ will vary from site to site and activity to activity, depending on specific circumstances.
Question 25. What Is A Hierarchy Of Control?
Risks should be reduced to the lowest reasonably practicable level by taking preventative measures, in order of priority. This is what is meant by a hierarchy of control. The list below sets out the order to follow when planning to reduce risks you have identified in your workplace. Consider the headings in the order shown; do not simply jump to the easiest control measure to implement.
- Elimination – Redesign the job or substitute a substance so that the hazard is removed or eliminated.
- Substitution – Replace the material or process with a less hazardous one.
- Engineering controls – For example, use work equipment or other measures to prevent falls where you cannot avoid working at height, install or use additional machinery to control risks from dust or fume, or separate the hazard from operators by methods such as enclosing or guarding dangerous items of machinery/equipment. Give priority to measures which protect collectively over individual measures.
- Administrative Controls – These are all about identifying and implementing the procedures you need to work safely. For example: reducing the time workers are exposed to hazards (eg by job rotation); prohibiting use of mobile phones in hazardous areas; increasing safety signage, and performing risk assessments.
- Personal protective clothes and equipment – Only after all the previous measures have been tried and found ineffective in controlling risks to a reasonably practicable level must personal protective equipment (PPE) be used. For example, where you cannot eliminate the risk of a fall, use work equipment or other measures to minimise the distance and consequences of a fall (should one occur). If chosen, PPE should be selected and fitted by the person who uses it. Workers must be trained in the function and limitations of each item of PPE.
Question 26. Who Is Responsible For Doing A Risk Assessment?
As an employer or a self-employed person, you are responsible for health and safety in your business.
You can delegate the task, but ultimately you are responsible. You will need to make sure that whoever does the risk assessment:
- is competent to do so. See ‘What training/qualifications do I need to do a risk assessment?’
- involves your workers in the process
- understands when specialist help might be needed. See ‘Do I need to use a consultant?’
Question 27. Is Risk Assessment A Legal Requirement?
Yes, if you are an employer or self-employed. It is a legal requirement for every employer and self-employed person to make an assessment of the health and safety risks arising out of their work. The purpose of the assessment is to identify what needs to be done to control health and safety risks. This requirement is set out in Regulation 3 of the Management of Health and Safety at Work Regulations 1999.
Question 28. During Which Stage Of Risk Planning Are Risks Prioritized Based On Probability And Impact?
Risk probability and impact are assessed, and risks prioritized on that basis, during qualitative risk analysis.
Question 29. Beta Is The Project Manager Of A Road Construction Project. During A Project Review, Beta Realizes That One Particular Risk Has Occurred. To Take Appropriate Action Against Risk That Has Happened, Beta Needs To Refer To Which Document?
Beta needs to refer to the risk response plan, which documents the planned responses to identified risks.
Question 30. What Is Risk Breakdown Structure?
Andrew has joined as the Project Manager of a project. One of the project documents available to Andrew lists all the risks in a hierarchical fashion; this document is called the Risk Breakdown Structure.