Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
94 Cards in this Set
- Front
- Back
|
Anything that has tangible or intangible value to the organization |
asset
|
|
|
Systematic, independent, objective and documented process for obtaining, examining, verifying, and evaluating information relative to a set of criteria |
audit |
|
|
Process of evaluating the 1. competence, aptitude, and experience of people and the organization, 2. suitability of technology, and 3. application of processes for particular purposes to determine whether or not the expected output will fall within and acceptable range. |
capability analysis |
|
|
Organization or person that receives a product or service |
client |
|
|
Ongoing, iterative, and two-way processes for the exchange of information with and between stakeholders and decision-makers regarding the management of risk. |
communication and consultation |
|
|
A group of associated organization and people sharing common interests. |
community |
|
|
Consistency with a requirement. |
conformity |
|
|
Result or effect of an action, condition, or decision on achieving objectives and outcomes. |
consequence |
|
|
Ongoing processes to improve products, services, and management practices to enhance the ability to fulfill requirements. |
continual improvement |
|
|
Action to rectify the causes of a detected nonconformity or other undesirable circumstances. |
corrective action |
|
|
Of essential importance with respect to objectives and/ or outcomes. |
criticality |
|
|
A process designed to systematically identify, evaluate, and rank positive and negative impacts on an organization's stakeholders, assets, services, and activities based on the importance of its mission or function, or the significance of risks on the organization's ability to meet its objectives and expectations. |
criticality analysis |
|
|
A point, step, or process at which controls can be applied to modify risk. |
critical control point (CCP) |
|
|
An event that interrupts planned activities, operations, or functions, whether anticipated or unanticipated. |
disruptive event |
|
|
Information and supporting medium in any format. |
document |
|
|
Extent to which planned activities accomplish a purpose thereby producing the intended or expected outcomes. |
effectiveness |
|
|
Change occurring in an interval of time with the potential to alter outcomes. |
event |
|
|
The positive or negative effect on someone or something (see consequence). |
impact |
|
|
Process that identifies and evaluates the potential effects of change upon an organization. This may include an assessment of the pros and cons of pursing a course of action in light of its possible consequences, or the extent and nature of further change (intended or unintended) that such change may cause. |
impact analysis |
|
|
An event with consequences that has the capacity to cause gains or losses/ harm to objectives and/ or assets (e.g. tangible, intangible and human assets, the environment, and rights of stakeholders). |
incident |
|
|
Assuring the soundness, reliability, and completeness of tangible and intangible assets. |
integrity |
|
|
Change or probability of something happening. |
likelihood |
|
|
Framework of policies, processes, and procedures used to ensure that an organization can fulfill all tasks required to achieve its objectives. |
management system |
|
|
Ongoing scrutiny, oversight, evaluation, and situational awareness for determining the current status and to identify changes in the internal and external environments as well as performance. |
monitoring |
|
|
Failure to fulfill a requirement. |
nonconformity |
|
|
Process of identifying uncertainties that may be exploited and analyzing the organization's capability and readiness to exploit them. The process may include identifying unmet or undeserved customer/ client needs, identifying target markets, analyzing competitive advantages, as well as analyzing the organization's resource capacity to undertake an opportunity. |
opportunity analysis |
|
|
Group of people and facilities with an arrangement of responsibilities, authorities, and relationships. |
organization |
|
|
Part of a management process focused on setting objectives, projecting risks to these objectives, and ensuring resources and systems are in place to ensure objectives are achieved. |
planning |
|
|
Measures that enable an organization to avoid, preclude, or limit the impact of an undesired or potentially disruptive event. |
prevention |
|
|
Proactive change or improvement implemented to address a weakness that is not yet responsible for causing nonconformity. |
preventative action |
|
|
An established or specified way to conduct an activity or a process. |
procedure |
|
|
A document set down in writing or some other permanent form for later reference. |
record |
|
|
Remaining risk after risk treatment |
residual risk |
|
|
Adaptive capacity of an organization in a complex and changing environment. |
resilience |
|
|
Any asset (human, physical, information, or intangible), facilities, equipment, materials, products, or waste that has potential value and can be used. |
resources |
|
|
Activity undertaken to determine the suitability, adequacy, and effectiveness of the management system and its component elements to achieve established objectives. |
review |
|
|
Effect of uncertainty on the achievement of strategic, tactical, and operational objectives. |
risk |
|
|
Informed action of consenting to retain, receive, or undertake a particular risk. |
risk acceptance |
|
|
Process to characterize and understand the nature of risk and to define the level of risk. |
risk analysis |
|
|
The total exposed amount that an organization wishes to undertake on the basis of risk-return trade-offs for one or more desired and expected outcomes. |
risk appetite |
|
|
Overall and systematic process of evaluating the effects of uncertainty on achieving objectives. |
risk assessment |
|
|
Organization's or individual's view/perspective of the perceived qualitative or quantitative value that may be gained in comparison to the related potential loss or losses. |
risk attitude |
|
|
Terms of reference used to measure and evaluate the significance and effects of risk. |
risk criteria |
|
|
Event, individual(s), process, or trends having impact on the objectives of the organization. |
risk driver |
|
|
Process of equating the results of risk analysis with risk criteria to determine whether a particular risk level is within an acceptable tolerance or presents a potential opportunity. |
risk evaluation |
|
|
Process for determining what risks are anticipated, their characteristics, time dependencies, frequencies, duration period, and possible outcomes. |
risk identification |
|
|
A strategic business discipline that supports the achievement of an organization's objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio. |
risk management |
|
|
A compilation for all risks identified, analyzed, and evaluated in the risk assessment process. |
risk register |
|
|
A factor with the potential to create uncertainty in achieving objectives. |
risk source |
|
|
The amount of uncertainty an organization is prepared to accept in total or more narrowly within a certain business unit, a particular risk category, or for a specific initiative. |
risk tolerance |
|
|
Process of selecting and implementing measures to modify risk to achieve objectives. e.g. avoiding, accepting, sharing, adapting internal or external parameters, exploiting a risk to pursue opportunity, etc. |
risk treatment |
|
|
The condition of being protected against hazards, threats, risks or loss. |
security |
|
|
Person or organization with an interest or concern. |
stakeholder |
|
|
A two-way relationship of organizations, people, activities, logistics, information, technology, and resources engaged in activities and creating value from point of origin to point of consumption, including transforming materials/ components to products and services for end users. |
supply chain |
|
|
Process of identifying and quantifying the potential cause of an unwanted event which may result in harm to individuals, assets, a system or organization, the environment, or the community. |
threat analysis |
|
|
Person or group of people responsible and accountable for formulating organizational goals, objectives, strategies, policies, and/ or allocating resources. |
top management |
|
|
Any event that has the potential to cause a negative impact on the achievement of objectives or assets whether tangible or intangible. |
undesirable event |
|
|
The series of functions, processes, or activities, from raw materials to the eventual end-user that creates and builds value at every step in order to delivery a product or service |
value chain |
|
|
A model for an overall risk assessment program or individual risk assessments that a) sets measurable policies, objectives and targets b) methodically implements the program c) monitors, measures, and evaluates progress d) identifies, prevents, or remedies problems e) assesses competence requirements and trains people working on org's behalf f) provides top mang with feedback and g) manages info within org. |
PDCA Model (Plan-Do-Check-Act) |
|
|
A technique used to determine what steps might need to be taken to improve an org's capacity to conduct a risk assessment to move from a current state to a desired, future state. |
gap analysis (Risk Assessment) |
|
|
List the three steps for gap analysis (risk assessment): |
1. Note currently available factors (abilities, competencies, time, performance levels) given current resource situation; 2. List success factors needed to achieve future, desired objectives; 3 Highlight gaps - the amount by which the need exceeds the resources |
|
|
Risk Portfolio Design Format - list four main areas: |
Strategic, Operations, Financial, External -each area has categories and then may have sub-categories |
|
|
A systematic technique used to understand how risk estimates and risk-based decisions are dependent on variability and uncertainty in the factors contributing to risk. |
sensitivity analysis |
|
|
An analysis that considers the kind and quantity of error that may occur. |
error analysis |
|
|
A form of simulation used to determine reactions to different situations. |
stress analysis |
|
|
An analysis that considers impacts, timeframes, and factors that may prevent achievement of objectives. |
threat analysis |
|
|
An analysis that looks at the potential for change that an organization might undergo to improve its overall results. |
opportunity analysis |
|
|
Three types of threat tree analysis are (mapping, matrix techniques): |
asset tree, threat type tree, adversary tree |
|
|
An analysis that evaluates the efficacy of the risk measures in place (deliberate and/ or inherent) that will have an effect on the likelihood of a threat or opportunity materializing and the likelihood and extent of consequences. |
vulnerability/ capability analysis |
|
|
An analysis that provides a measure of impact of the risk event relative to achieving the org's objectives and the impact of losing a tangible or intangible asset, activity, or function will have on the operations of the org and its stakeholders, respectively. |
criticality and consequence (impact) analysis |
|
|
An analysis/ process to understand that nature and level of risk to determine its significance. |
risk analysis |
|
|
An analysis that provides a method for evaluating and comparing the value and cost of risk treatment options. |
cost-benefit analysis |
|
|
Examples of two assessment paths: |
tracing - chronologically tracking a process or risk event process method - test a sequence of steps or interactions of activities |
|
|
The process or technique of selecting a representative part of a population for the purpose of determining parameters or characteristics of the whole population. |
sampling |
|
|
Two types of sampling methods: |
non-statistical sampling (knowledge, experience) and statistical sampling (probability theory) |
|
|
Examples of non-statistical sampling: |
judgmental sampling (deliberate choice), convenience sampling, haphazard sampling |
|
|
Examples of statistical sampling: |
random sampling, systematic sampling (every nth unit selected), stratified sampling, cluster/ block sampling |
|
|
An analysis that refers to multiple risk assessment techniques and approaches, at times applied as a series, which are designed to identify the underlying or initiating risk source or driver. |
root cause analysis (RCA) |
|
|
Three major steps to root cause analysis: |
define - what is the problem? analyze - evidence? why? why? why? solve - how can it be prevented, controlled, modified for success? |
|
|
A risk treatment procedure that defines the measures to be taken by the org to minimize the likelihood of a disruptive event or to minimize the potential for the severity of the consequences of the event. |
prevention and mitigation procedures |
|
|
A risk treatment procedure that defines the initial measures to be taken by the org in response to the disruptive event. |
response procedures |
|
|
A risk treatment procedure that defines the measures to be taken by the org to maintain and/or re-establish priority activities of the organization and its supply chain partners. |
continuity procedures |
|
|
A risk treatment procedure that defines the measures to be taken by the org to recover from a disruptive event and thus ensure it is able to meet its strategic and operational objectives. |
recovery procedures |
|
|
An analysis that provides a structured approach to gaining information about the critical activities, functions, and processes of the organization and the associated resources necessary for an organization to mitigate the impacts of the undesirable and disruptive events. |
business impact analysis (BIA) |
|
|
Output of business impact analysis includes: |
a) recovery time objectives, b) recovery point objectives, c) recovery capacity or performance, d) timeframe when org requires 100% op capability, e) prioritization of recovery resources, f) content for response and recovery strategies, g) reset of product/ service acceptable disruption periods |
|
|
Steps in risk management process (ISO 31000: 2009) |
1. establishing context 2. risk identification 3. risk analysis 4. risk evaluation 5. risk treatment THROUGHOUT - monitor & review; communication & consultation |
|
|
A process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage the risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. |
enterprise risk management |
|
|
Components of enterprise risk management (8): |
1. internal environment, 2. objective setting, 3. event identification, 4. risk assessment, 5. risk response, 6. control activities, 7. information and communications, 8. monitoring |
|
|
Categories of enterprise risk management objectives (4): |
1. strategic, 2. operations, 3. reporting, 4. compliance |
|
|
Providing value to an org through enterprise risk management encompasses: |
1. aligning risk appetite and strategy, 2. enhancing risk response decisions, 3. reducing operational surprises/ losses, 4. identifying multiple cross-enterprise risks, 5. seizing opportunities, 6. improving deployment of capital |
|
|
Types of external risks (PESTLE): |
1. Political, 2. Economic, 3. Socio cultural, 4. Technological, 5. Legal, 6. Environmental |
|
|
Five key aspects of addressing risk (T's): |
1. Tolerate, 2. Treat, 3. Transfer, 4. Terminate, 5. Take the opportunity |
|
|
Four different types of controls in "Treat"-ing the risk: |
1. preventative controls, 2. corrective controls, 3. directive controls, 4. detective controls |
|
|
The management of risk has to be reviewed and reported on for two reasons: |
1. to determine if risk profile is changing; 2. to gain assurance risk management is effective and identify further action, if necessary |
