RISK QUESTIONS & DETAILED
COMPLETE SOLUTIONS
supply chain risk - Correct Answer ✔✔ the variety of possible events and their
outcomes that could have a negative effect on the flow of goods, services, funds, or
information resulting in some level of quantitative or qualitative loss for the supply
chain.... risks aren't always bad just uncertain: buying up an investment could positively
impact the company, but also if it doesn’t have the ROI and fails, it is negative.
risk management - Correct Answer ✔✔ the identification, assessment, and prioritization
of risks followed by coordinated and economical application of resources to minimize,
monitor, and control the probability and/or impact of unfortunate event or to maximize
the realization of opportunities.
supply chain risk management - Correct Answer ✔✔ the systematic identification,
assessment, and quantification of potential supply chain disruptions with the objective to
control exposure to risk or reduce its negative impact on supply chain performance.
Types of Risk and General Maturity Level - Correct Answer ✔✔ Supply Risk: Most
Mature category (vet your suppliers). SRM, spend management etc.
Demand Risk: Moderately Mature. Sales forecasting developed but doesnt incorporate
risk into models. S&OP does do what if analyses.
Process Risk: Middle/low maturity. Many tools for planning and scheduling but rarely
incorporate risk
Environmental risk: Low Maturity. New are for risk management. Regulations continue
to change so its hard to keep up.
3 Ways of Expressing an Organizations attitude towards Risk - Correct Answer ✔✔
Risk appetite: Amount and type of risk that an organization is willing to pursue or retain.
(risk -seeking vs risk averse)
Risk tolerance: An organization's or stakeholder's readiness to accept a threat or
potential negative outcome in order to achieve its objectives.
Risk threshold: A cutoff point below which a risk will be accepted and above which
some type of proactive response is required
, COSO ERM (Risk Management Framework) - Correct Answer ✔✔ The Committee of
Sponsoring Organizations of the Treadway Commission. developed an enterprise Risk
management framework in 2001.
8 Components:
1. Internal Environment: how is risk viewed from the org
2. Objective setting
3. Event Identification: threats and opportunities identified
4. Risk Assessment: risk likelihood/impact? determine response
5. Risk Response: Response that aligns with risk appetite
6. Control Activities: policy and procedure reinforces response
7. Information Communication: timely info shared up and down
8. Monitoring: audit continuously to improve ERM
Governance, Risk and Compliance (GRC) Framework - Correct Answer ✔✔ A 3
Legged Stool. Each leg must be in place for the organization to remain balanced
Governance: oversight by BOD and top executives. Need to have the top level set the
tone for the organizations mission and vision when it comes to risk management and
align all stakeholders.
Risk: identify, analyze, and respond appropriately. GRC Risk focus categories:
commercial, financial, IT security, Legal, and external risks.
Compliance: conformance to laws, regulations, contractual agreements, and internal
policies.
ServiceNOw is a SaaS that has GRC suite for policy setting etc.
ISO 31000 - Correct Answer ✔✔ a standard adopted by the International Standards
Organization that outlines principles and a set of guidelines to manage risk in any
endeavor. The standard outlines guidelines for understanding risk, developing a risk
management policy, integrating risk management into organizational processes
(including accountability and responsibility), and establishing internal and external risk
communication processes. ISO 31000 is not a management system standard and is not
intended or appropriate for certification purposes or regulatory or contractual use.
IT is designed to help any size or type of organization effectively manage risk
Can You Seek Certification for ISO 31000? - Correct Answer ✔✔ NO. it is a practical
document that seeks to assist organizations in developing their own approach to the
management of risk. But this is not a standard that organizations can seek certification
to.