
The book classifies risks in the following methods. Describe examples that would fit into these:

Pure (or Insurance) Risk: The risk a person takes when there is no potential benefit from the risk; in other words, where there is a chance of loss or no loss, but no gain. There may be means to mitigate that risk through the use of insurance to financially cover that risk, such as purchasing flood insurance for a home located in a region that has the potential for flooding.

Business Risk: The probability of loss intrinsic in an organization's operations and their environment that may ruin its capacity to provide returns on investments. Business risks can be a factor resulting from external and/or internal circumstances or a change in environments, such as changes in supply and demand for certain products.

Project Risk: The risk a company or organization accepts when it decides to engage in some type of project that is outside the scope of the organization's primary purpose, such as expanding the current facility. The risk the company or organization accepts is determined by how much time and research went into the project and how accurate all assessments and estimates are concerning time, money and quality of service. Inaccurate estimates can put the project at risk due to underestimated budgets, supplies or labor costs.

Operational Risk: The risk a company or organization accepts when it decides to produce a good or service in a particular business sector. It is the risk that remains after determining a company's or organization's financing and systematic risk, and includes risks consequential from failures in internal procedures (operations), people and systems; in other words, human error.

Technical Risk: A risk a company or organization incurs due to possible changes in technology where the outcome is unknown, such as untested engineering, technological or manufacturing procedures that require some level of technical risk that can result in the loss of time, resources, and possibly harm to individuals and facilities.

Political Risk: The risk investors, corporations and governments accept when engaging in commerce that may have political ramifications due to crisis or instability within a region or regions of the world. This can happen through the expropriation of assets, changes in tax policy, restrictions on the exchange of foreign currency, a drop in currency value or other changes in the business climate of a country.

When looking at TQM, describe how risk management can take these principles and apply them.

Total Quality Management, or TQM, had been around for decades before it became Six-Six-Six Sigma (Six Sigma) (Jacobson, 2011), as I affectionately call it. It is a process to improve or streamline repetitive tasks to reduce costs, overhead and steps and to improve overall output quality.

As a personal side note, I do not believe that TQM or Six Sigma can be used in every scenario or in every job. TQM, in my opinion, is geared for industries such as manufacturers that deal with production lines or with repetitive tasks, not businesses that deal with constant dynamic situations. External threats are the only thing that TQM and Risk Management share according to the author (Frame, 2003), and these external threats do pose a risk that TQM can mitigate, but I do not think it can totally eliminate the risks. The risk companies carry from external threats is loss of revenue, which can happen when a company does not plan against those external threats. This is where TQM can assess, streamline and reduce those external risks, but only to a point. For a company to stay competitive in a global market, it must look for avenues to improve, streamline and capitalize on to keep it relevant in this technology-heavy day and age.

While I do believe TQM can alleviate some if not most risk management within a company, I do not believe it can reduce all risk; if it could, businesses would be using TQM relentlessly and repeatedly reporting record-breaking profits. I also believe TQM can be employed in some aspects of security administration, but I do not believe TQM can be used in every aspect. TQM can be too rigid when there needs to be some type of fluid action, such as something that happens dynamically as opposed to something that happens constantly.

Another aspect that needs to be looked at when thinking about utilizing TQM for anything: is the amount of resources used during the total TQM process less than, equal to or greater than the overall outcome? If it is equal to or greater than, then one needs to rethink the TQM approach and either continue as before or possibly find another solution. This is what makes TQM problematic; the amount of time, money and resources can be huge just to squeeze out a 1% - 2% increase in productivity. You may think to yourself that such a small percentage is worth it in the overall spectrum of things, but this is where people forget that once you start TQM, it does not stop. The process itself is redundant; it constantly requires you to go back to see if it can be reduced or streamlined even more. At some point, someone has to call "no joy" with TQM and move on.

In chapter 8, it lists risk treatment methodology. Provide examples of the four types.

Risk Avoidance: This is the means of taking steps to remove vulnerability, pursue alternative activity or attempt to terminate a specific exposure. An example of risk avoidance would be establishing a new facility in a very low crime rate area or outside of an active flood plain.

Risk Mitigation: This is the means of taking steps to reduce vulnerability, pursue strategic activity or attempt to diminish a specific exposure. An example of risk mitigation would be establishing specific procedures on how to operate a specific piece of equipment that could cause grave bodily harm if operated incorrectly.

Risk Transfer: This is the means of taking steps to remove or reduce vulnerability, pursue alternative activity or attempt to mitigate or terminate a specific exposure by shifting this responsibility to a third party. An example of risk transfer would be the use of insurance to financially cover costs of vulnerabilities or exposures.

Risk Acceptance: This is the means of acknowledging the vulnerability and allowing it to continue unabated. Risk acceptance is usually recognized and utilized when it is decided through risk management and probability factors. An example of risk acceptance would be the decision to not keep an additional secondary or spare server on hand in the event the primary server fails.

Describe the perils of risk monitoring and how to counteract these perils.

The monitoring effort must be focused on the right sources of information. It does not make sense to watch the last step of the assembly line to determine if the product has any flaws, so why would a company spend time and resources on areas that do not contribute towards the risk? To counteract this, policies and procedures need to be established prior to actually implementing risk monitoring; there should be a plan that stipulates how often risk monitoring is actually evaluated and reported, and that covers the discovery of new risks or new risk treatment alternatives that may require review and reassessment. Acceptable thresholds need to be established, and their associated risk should be compared against the condition to determine the need for implementing a new risk mitigation plan.

The information must be timely. Again, it does not make sense to sit on pertinent information or wait for a later time. Like the saying goes, "Information is money," and so is disseminating it to people who have a need to know. There's nothing like coming home to a burned-down house and one of your kids says, "I smelled smoke right before we left the house." To counteract this, policies and procedures need to be established that spell out how often risk monitoring information is reported, who receives these reports and what would trigger additional reporting or more frequent reporting. Another aspect of reporting risk monitoring information is who determines or has the authority to change or update reporting procedures. A designated person or department ensures information is coming from one person or department as opposed to a myriad of people and departments trying to change things up.

The people reviewing the information must be able to make sense out of it. It does not make sense to have someone from accounting looking at electrical schematics, so why would you have someone without the proper knowledge monitoring something that is vital to the company's bottom line? To counteract this, policies and procedures need to be established that determine the criteria needed for individuals that will be reviewing the information. These individuals should have very intimate knowledge of the entire process and how each step works and the desired outcome for each of these steps. Meticulous and anal-retentive people are usually the finest specimens for this type of performance. (Just kidding)

References

Frame, J. D. (2003). Managing risk in organizations: a guide for managers. San Francisco: Jossey-Bass.

Jacobson, J. (2011). Asq: The global voice of quality. In American Society for Quality. Retrieved from http://asq.org/learn-about-quality/total-qualitymanagement/overview/overview.html
