The Importance of Classifying Risk DB Question

Description

The importance of classifying risk relates to the duration of its impact on business continuity: short, medium, or long. Review the FIRM and PESTLE models of Risk Classification Systems. How do you see them contributing to organizational Risk Management? Would either be appropriate for any type of organization (hospital, bank, nuclear power plant, Disney World, etc.)?

600 words, APA style.

Unformatted Attachment Preview

Fundamentals of Risk Management: Understanding, evaluating and implementing effective risk management
Paul Hopkin

Publisher's note: Every possible effort has been made to ensure that the information contained in this book is accurate at the time of going to press, and the publishers and authors cannot accept responsibility for any errors or omissions, however caused. No responsibility for loss or damage occasioned to any person acting, or refraining from action, as a result of the material in this publication can be accepted by the editor, the publisher or any of the authors.

First published in Great Britain and the United States in 2010 by Kogan Page Limited (www.koganpage.com).
© The Institute of Risk Management, 2010. The right of The Institute of Risk Management to be identified as the author of this work has been asserted by them in accordance with the Copyright, Designs and Patents Act 1988.
ISBN 978 0 7494 5942 0; E-ISBN 978 0 7494 5943 7.
British Library Cataloguing-in-Publication Data: a CIP record for this book is available from the British Library.
Library of Congress Cataloging-in-Publication Data: Hopkin, Paul. Fundamentals of risk management: understanding, evaluating, and implementing effective risk management / Paul Hopkin. Includes index. 1. Risk management. I. Title. HD61.H567 2010 658.15'5--dc22 2009046006.

Dedication: Michael, David and Kathy

Contents

Preface
Acknowledgements
Introduction

Part 1 Introduction to risk management
  Learning outcomes for Part 1
  Part 1 Further reading
1 Approaches to defining risk
  Definitions of risk
  Types of risks
  Risk description
  Inherent level of risk
  Risk classification systems
  Risk likelihood and magnitude
2 Impact of risk on organizations
  Risk importance
  Impact of hazard risks
  Attachment of risks
  Risk and reward
  Risk and uncertainty
  Attitudes to risk
3 Types of risks
  Timescale of risk impact
  Hazard, control and opportunity risks
  Hazard tolerance
  Management of hazard risks
  Uncertainty acceptance
  Opportunity investment
4 Development of risk management
  Origins of risk management
  Insurance origins of risk management
  Specialist areas of risk management
  Enterprise risk management
  Levels of risk management sophistication
  Risk maturity models
5 Principles and aims of risk management
  Principles of risk management
  Importance of risk management
  Risk management activities
  Efficient, effective and efficacious
  Perspectives of risk management
  Implementing risk management
6 Risk management standards
  Scope of risk management standards
  Risk management process
  Risk management framework
  COSO ERM cube
  Features of RM standards
  Control environment approach
Case study: Barclays Bank – risk management objectives

Part 2 Risk strategy
  Learning outcomes for Part 2
  Part 2 Further reading
7 Risk management policy
  Risk architecture, strategy and protocols
  Risk management policy
  Risk management architecture
  Risk management strategy
  Risk management protocols
  Risk management guidelines
8 Risk management documentation
  Record of risk management activities
  Risk response and improvement plans
  Event reports and recommendations
  Risk performance and certification reports
  Designing a risk register
  Using a risk register
9 Risk management responsibilities
  Allocation of responsibilities
  Risk management and internal audit
  Range of responsibilities
  Statutory responsibilities of management
  Role of the risk manager
  Chief risk officer (CRO)
10 Risk architecture and structure
  Risk architecture
  Corporate structure
  Risk committees
  Risk communications
  Risk maturity
  Alignment of activities
11 Risk-aware culture
  Styles of risk management
  Defining risk culture
  Components of a risk-aware culture
  Measuring risk culture
  Risk culture and risk strategy
  Establishing the context
12 Risk training and communication
  Risk training and risk culture
  Risk information and communication
  Shared risk vocabulary
  Risk information on an intranet
  Risk management information systems (RMIS)
  Consistent response to risk
Case study: Tesco – risk management responsibilities

Part 3 Risk assessment
  Learning outcomes for Part 3
  Part 3 Further reading
13 Risk assessment considerations
  Importance of risk assessment
  Approaches to risk assessment
  Risk assessment techniques
  Risk matrix
  Risk perception
  Risk appetite
14 Risk classification systems
  Short, medium and long-term risks
  Purpose of risk classification systems
  Examples of risk classification systems
  FIRM risk scorecard
  PESTLE risk classification system
  Hazard, control and opportunity risks
15 Risk likelihood and impact
  Application of a risk matrix
  Inherent and current level of risk
  Control confidence
  4Ts of risk response
  Risk significance
  Risk capacity
16 Loss control
  Risk likelihood
  Risk magnitude
  Hazard risks
  Loss prevention
  Damage limitation
  Cost containment
17 Defining the upside of risk
  Upside of risk
  Opportunity assessment
  Riskiness index
  Upside in strategy
  Upside in projects
  Upside in operations
18 Business continuity planning
  Importance of BCP and DRP
  Business continuity standards
  Successful BCP and DRP
  Business impact analysis (BIA)
  BCP and ERM
  Civil emergencies
Case study: Invensys – risks and uncertainties

Part 4 Risk and organizations
  Learning outcomes for Part 4
  Part 4 Further reading
19 Corporate governance model
  Corporate governance
  OECD principles of corporate governance
  LSE corporate governance framework
  Corporate governance for a bank
  Corporate governance for a government agency
  Evaluation of board performance
20 Stakeholder expectations
  Range of stakeholders
  Stakeholder dialogue
  Stakeholders and core processes
  Stakeholders and strategy
  Stakeholders and tactics
  Stakeholders and operations
21 Analysis of the business model
  Simplified business model
  Core business processes
  Efficacious strategy
  Effective processes
  Efficient operations
  Reporting performance
22 Project risk management
  Introduction to project risk management
  Development of project risk management
  Uncertainty in projects
  Project life cycle
  Opportunity in projects
  Project risk analysis and management
23 Operational risk management
  Operational risk
  Definition of operational risk
  Basel II
  Measurement of operational risk
  Difficulties of measurement
  Developments in operational risk
24 Supply chain management
  Importance of the supply chain
  Scope of the supply chain
  Strategic partnerships
  Joint ventures
  Outsourcing of operations
  Risk and contracts
Case study: Hercules Incorporated – outsourcing logistics

Part 5 Risk response
  Learning outcomes for Part 5
  Part 5 Further reading
25 Enterprise risk management
  Enterprise-wide approach
  Definitions of ERM
  ERM in practice
  ERM and business continuity
  ERM in energy and finance
  Future development of ERM
26 Importance of risk appetite
  Risk capacity
  Risk exposure
  Nature of risk appetite
  Cost of risk controls
  Risk management and uncertainty
  Risk appetite and lifestyle decisions
27 Tolerate, treat, transfer and terminate
  The 4Ts of hazard response
  Risk tolerance
  Risk treatment
  Risk transfer
  Risk termination
  Project and strategic risk response
28 Risk control techniques
  Hazard risk zones
  Types of controls
  Preventive controls
  Corrective controls
  Directive controls
  Detective controls
29 Control of selected hazard risks
  Risk control
  Control of financial risks
  Control of infrastructure risks
  Control of reputational risks
  Control of marketplace risks
  Learning from controls
30 Insurance and risk transfer
  Importance of insurance
  History of insurance
  Types of insurance cover
  Evaluation of insurance needs
  Purchase of insurance
  Captive insurance companies
Case study: Intercontinental Hotels Group – loss-control strategy

Part 6 Risk assurance and reporting
  Learning outcomes for Part 6
  Part 6 Further reading
31 Evaluation of the control environment
  Nature of internal control
  Purpose of internal control
  Control environment
  Features of the control environment
  CoCo framework of internal control
  Risk-aware culture
32 Activities of the internal audit function
  Scope of internal audit
  Financial assertions
  Risk management and internal audit
  Risk management outputs
  Role of internal audit
  Management responsibilities
33 Risk assurance techniques
  Audit committees
  Role of risk management
  Risk assurance
  Hazard, control and opportunity risks
  Control risk self-assessment
  Benefits of risk assurance
34 Reporting on risk management
  Risk documentation
  Sarbanes–Oxley Act of 2002
  Risk reports by US companies
  Charities risk reporting
  Public sector risk reporting
  Government Report on National Security
35 Corporate social responsibility
  CSR and corporate governance
  CSR and risk management
  CSR and reputational risk
  CSR and stakeholder expectations
  Supply chain and ethical trading
  CSR reporting
36 Future of risk management
  Review of benefits of risk management
  Steps to successful risk management
  Changing face of risk management
  Concept of risk appetite
  Concept of upside of risk
  Future developments
Case study: BP – risk reporting

Appendix A: Glossary of terms
Appendix B: Implementation guide
Index

Figures

1.1 Risk likelihood and magnitude
2.1 Attachment of risks
2.2 Risk and reward
4.1 7Rs and 4Ts of (hazard) risk management
4.2 Risk management sophistication
6.1 IRM risk management process
6.2 Components of an RM framework
6.3 COSO ERM framework
6.4 Risk management framework from BS 31100
6.5 Risk management process from ISO 31000
10.1 RM architecture for a large corporation
10.2 RM architecture for a charity
13.1 Risk appetite matrix (risk averse)
13.2 Risk appetite matrix (risk aggressive)
15.1 Personal risk matrix
15.2 Risk matrix and the 4Ts of hazard management
15.3 Inherent, current and target levels of risk
18.1 Model for business continuity planning
19.1 Corporate governance framework
19.2 Corporate governance in a government agency
20.1 Importance of core processes
21.1 Simplified business model
22.1 Project life cycle
26.1 Risk and uncertainty
26.2 Risk appetite, exposure and capacity (optimal)
26.3 Risk appetite, exposure and capacity (vulnerable)
26.4 Illustration of control effect
26.5 Risk management and uncertainty
27.1 Types of controls for hazard risks
27.2 Risk versus uncertainty in projects
27.3 Risk versus reward in strategy
28.1 Hazard risk zones
29.1 Cost-effective controls
29.2 Cost–benefit analysis
29.3 Learning from controls
29.4 Risk and reward decisions
30.1 Role of captive insurance companies
31.1 Criteria of Control (CoCo) framework
32.1 Role of internal audit in ERM

Tables

1.1 Definitions of risk
1.2 Risk description
3.1 Categories of disruption
4.1 Definitions of risk management
4.2 Importance of risk management
4.3 7Rs and 4Ts of (hazard) risk management
5.1 Principles of risk management
6.1 Risk management standards
6.2 COSO ERM framework
7.1 Risk management framework
7.2 Risk management policy
7.3 Risk management protocols
7.4 Types of RM documentation
8.1 Format for a basic risk register
8.2 Risk register for a sports club
8.3 Risk register for a hospital
8.4 Project risk register
8.5 Risk register attached to a business plan
9.1 Risk management responsibilities
9.2 Historical role of the insurance risk manager
10.1 Responsibilities of the RM committee
10.2 Four levels of risk maturity
11.1 Risk-aware culture
12.1 Risk communications guidelines
12.2 Risk management information system (RMIS)
13.1 Techniques for risk assessment
13.2 Advantages and disadvantages of RA techniques
14.1 Risk classification systems
14.2 Attributes of the FIRM risk scorecard
14.3 PESTLE classification system
14.4 Personal issues grid
15.1 Benchmark tests for risk significance
16.1 Generic key dependencies
17.1 Upside of risk
17.2 Riskiness index
18.1 Key activities in business continuity planning
19.1 OECD principles of corporate governance
19.2 Nolan principles of public life
19.3 Evaluating the effectiveness of the board
20.1 Data for shareholders
22.1 PRAM model for project RM
23.1 ORM principles (Basel II)
23.2 Operational risk for a bank
23.3 Operational risk in financial and industrial companies
24.1 Risks associated with outsourcing
25.1 Definitions of enterprise risk management
25.2 Benefits of enterprise risk management
27.1 Description of the 4Ts of hazard response
27.2 Key dependencies and significant risks
28.1 Description of types of hazard controls
28.2 Examples of the hierarchy of hazard controls
30.1 Different types of insurance
30.2 Identifying the necessary insurance
31.1 Definitions of internal control
31.2 Components of the CoCo framework
32.1 Allocation of responsibilities
33.1 Responsibilities of the audit committee
33.2 Sources of risk assurance
34.1 Risk report in a Form 20-F
34.2 Government risk reporting principles
35.1 Scope of issues covered by CSR
36.1 Achieving successful risk management
36.2 Implementation barriers and actions

Preface

Benefits of enterprise risk management

A string of large and highly public organizational and Governmental failures over the past 10 years (Woolworths, Golden Wonder, Northern Rock, Citigroup, Enron and even the entire banking system of Iceland) has focused the attention of investors, customers and regulators on the way in which directors, managers and boards are managing risk.
This has led to a greater appreciation of the wider scope of risks facing organizations, which in turn has led to risk management becoming a core management discipline. Risk is everywhere and derives directly from unpredictability. The process of identifying, assessing and managing risks brings any business full circle back to its strategic objectives: for it will be clear that not everything can be controlled. The local consequences of events on a global scale, such as terrorism, pandemics and credit crunches, are likely to be unpredictable. However, they can also include the creation of new and valuable opportunities. Many of today’s household names were born out of times of adversity. Risk management provides a framework for organizations to deal with and to react to uncertainty. Whilst it acknowledges that nothing in life is certain, the modern practice of risk management is a systematic and comprehensive approach, drawing on transferable tools and techniques. These basic principles are sector-independent and should improve business resilience, increase predictability and contribute to improved returns. This is particularly important given the pace of change of life today. Risk management involves a healthy dose of both common sense and strategic awareness, coupled with an intimate knowledge of the business, an enquiring mind and most critically superb communication and influencing skills. The Institute of Risk Management’s International Certificate in risk management is an introductory qualification which reflects the changing and global nature of risk management. Recognizing both the enterprise-wide (or ‘ERM’) importance of comprehensive risk management xxiv Preface and the growing use of international standards (such as ISO 31000), this qualification equips future professional risk managers with the fundamental knowledge and tools to make invaluable contributions to long-term organizational growth and prosperity. 
This textbook, as well as being the core reading for the IRM International Certificate, is a valuable resource for all organizations and indeed anyone with an interest in risk management. Sophie Williams is Deputy Chief Executive of the Institute of Risk Management, risk management’s leading worldwide professional education, training and knowledge body. Further information about the International Certificate or the Institute is available from the IRM website www.theirm.org. Sophie Williams xxv Acknowledgements The author is grateful to a large number of people who have helped with the development of the ideas that are included in this book. In particular, the following individuals provided considerable input into the final version: • Richard Archer; • Bill Aujla; • Steve Fowler; • Alex Hindson; • Edward Sankey; • Paul Taylor; • Carolyn Williams; • Sophie Williams. Paul Hopkin xxvi THIS PAGE IS INTENTIONALLY LEFT BLANK 1 Introduction Risk management in context This book is intended for all who want a comprehensive introduction to the theory and application of risk management. It sets out an integrated introduction to the management of risk in public and private organizations. Studying this book will provide insight into the world of risk management and may also help readers decide whether risk management is a suitable career option for them. Many readers will wish to use this book in order to gain a better understanding of risk and risk management and thereby fulfil the primary responsibilities of their jobs with an enhanced understanding of risk. This book is designed to deliver the syllabus of the International Certificate in Risk Management qualification of the Institute of Risk Management. However, it also acts as an introduction to the discipline of risk management for those interested in the subject but not (yet) undertaking a course of study. 
An introduction to risk and risk management is provided in the first Part of this book and the key features of risk management are set out in the next two Parts. Parts 4, 5 and 6 concentrate on the application of risk management tools and techniques, as well as considering the outputs from the risk management process and the benefits that arise. We all face risks in our everyday lives. Risks arise from personal activities and range from those associated with travel through to the ones associated with personal financial decisions. There are considerable risks present in the domestic component of our lives and these include fire risks in our homes and financial risks associated with home ownership. Indeed, there are also a whole range of risks associated with domestic and relationship issues, but these are outside the scope of this book. This book is primarily concerned with business and commercial risks and the roles that we fulfil during our job or occupation. However, the task of evaluating risks and deciding 2 Introduction how to respond to them is a daily activity not only at work, but also at home and during leisure activities. Nature of risk Recent events in the world have brought risk into higher profile. Terrorism, extreme weather events and the global financial crisis represent the extreme risks that are facing society and commerce. These extreme risks exist in addition to the daily, somewhat more mundane risks mentioned above. Evaluating the range of risk responses available and deciding the most appropriate response in each case is at the heart of risk management. Responding to risks should produce benefits for us as individuals, as well as for the organizations where we work and/or are employed. Within our personal and domestic lives, many of the responses to risk are automatic. Our ways of avoiding fire and road traffic accidents are based on well-established and automatic responses. 
Fire and accident are the types of risks that can only have negative outcomes and they are often referred to as hazard risks. Certain other risks have established or required responses that are imposed on us as individuals and/or on organizations as mandatory requirements. For example, in our personal lives, buying insurance for a car is usually a legal requirement, whereas buying insurance for a house is often not, but is good risk management and very sensible. Keeping your car in good mechanical order will reduce the chances of a breakdown. However, even vehicles that are fully serviced and maintained do occasionally break down. Maintaining your car in good mechanical order will reduce the chances of breakdown, but will not eliminate them completely. These types of risks that have a large degree of uncertainty associated with them are often referred to as control risks. As well as hazard and control risks, there are risks that we take because we desire (and probably expect) a positive return. For example, you will invest money in anticipation that you will make a profit from the investment. Likewise, placing a bet or gambling on the outcome of a sporting event is undertaken in anticipation of receiving positive payback. People participate out of choice in motor sports and other potentially dangerous leisure activities. In these circumstances, the return may not be financial, but can be measured in terms of pride, self-esteem or peer group respect. Undertaking activities involving risks of this type, where a positive return is expected, can be referred to as taking opportunity risks. Introduction 3 Risk management Organizations face a very wide range of risks that can impact the outcome of their operations. The desired overall aim may be stated as a mission or a set of corporate objectives. 
The events that can impact an organization may inhibit what it is seeking to achieve (hazard risks), enhance that aim (opportunity risks), or create uncertainty about the outcomes (control risks). Risk management needs to offer an integrated approach to the evaluation, control and monitoring of these three types of risk. This book examines the key components of risk management and how it can be applied. Examples are provided that demonstrate the benefits of risk management to organizations in both the public and private sectors. Risk management also has an important part to play in the success of not-for-profit organizations such as charities and (for example) clubs and other membership bodies. The risk management process is well established, although it is presented in a number of different ways and often uses differing terminologies. The different terminologies that are used by different risk management practitioners and in different business sectors are explored in this book. In addition to a description of the established risk management standards, a simplified description of risk management that sets out the key stages in the risk management process is also presented to help with understanding. The risk management process cannot take place in isolation. It needs to be supported by a framework within the organization. Once again, the risk management framework is presented and described in different ways in the range of standards, guides and other publications that are available. In all cases, the key components of a successful risk management framework are the communications and reporting structure (architecture), the overall risk management strategy that is set by the organization (strategy) and the set of guidelines and procedures (protocols) that have been established. The importance of the risk architecture, strategy and protocols (RASP) is discussed in detail in this book. 
The combination of risk management processes, together with a description of the framework in place for supporting the process, constitutes a risk management standard. There are several risk management standards in existence, including the IRM Standard and the recently published British Standard BS 31100. There is also the American COSO ERM framework. The latest addition to the available risk management standards is the international standard, ISO 31000, published in 2009. The well established and respected Australian Standard AS 4360 (2004) was withdrawn in 2009 in favour of ISO 31000. AS 4360 was first published in 1995 and ISO 31000 includes many of the features and offers a similar approach to that previously described in AS 4360. Further information on existing standards and other published guides is set out in Chapter 1.6. Additionally, references are included in each Part of this book to provide further material to enable the reader to gain a comprehensive introduction to the subject of risk management. 4 Introduction Risk management terminology Most risk management publications refer to the benefits of having a common language of risk within the organization. Many organizations manage to achieve this common language and common understanding of risk management processes and protocols at least internally. However, it is usually the case that within a business sector, and sometimes even within individual organizations, the development of a common language of risk can be very challenging. Reference and supporting materials have a great range of terminologies in use. The different approaches to risk management, the different risk management standards that exist and the wide range of guidance material that is available often use different terms for the same feature or concept. This is regrettable and can be very confusing, but it is inescapable. 
Attempts are being made to develop a standardized language of risk, and ISO Guide 73 has been developed as the common terminology that should be used in all ISO standards. The terminology set out in ISO Guide 73 will be used throughout this book as the default set of definitions, wherever possible. However, the use of a standard terminology is not always possible and alternative definitions may be required. To assist with the difficult area of terminology, Appendix A sets out the basic terms and definitions that are used in risk management. It also provides cross reference between the different terms in use to describe the same concept. Where appropriate and necessary a table setting out a range of definitions for the same concept is included within the relevant chapter of the book and these tables are cross-referenced in Appendix A. Benefits of risk management There are a range of benefits arising from successful implementation of risk management. These benefits are summarized in this book as compliance, assurance, decisions and efficiency/ effectiveness/efficacy (CADE3). Compliance refers to risk management activities designed to ensure that an organization complies with legal and regulatory obligations. The board of an organization will require assurance that significant risks have been identified and appropriate controls put in place. In order to ensure that correct business decisions are taken, the organization should undertake risk management activities that provide additional structured information to assist with business decision making. Finally, a key benefit from risk management is to enhance the efficiency of operations within the organization. Risk management should provide more than assistance with the efficiency of operations. 
It should also help ensure that business processes (including process enhancements by way of projects and other change initiatives) are effective and that the selected strategy is efficacious, in that it is capable of delivering exactly what is required. Introduction 5 Risk management inputs are required in relation to strategic decision making, but also in relation to the effective delivery of projects and programmes of work, as well as in relation to the routine operations of the organization. The benefits of risk management can also be identified in relation to these three timescales of activities within the organization. The outputs from risk management activities can benefit organizations in three timescales and ensure that the organization achieves: • efficacious strategy; • effective processes and projects; • efficient operations. In order to achieve a successful risk management contribution, the intended benefits of any risk management initiative have to be identified. If those benefits have not been identified, then there will be no means of evaluating whether the risk management initiative has been successful. Therefore, good risk management must have a clear set of desired outcomes/benefits. Appropriate attention should be paid to each stage of the risk management process, as well as to details of the design, implementation and monitoring of the framework that supports these risk management activities. Features of risk management Failure to adequately manage the risks faced by an organization can be caused by inadequate risk recognition, insufficient analysis of significant risks and failure to identify suitable risk response activities. Also, failure to set a risk management strategy and to communicate that strategy and the associated responsibilities may result in inadequate management of risks. 
It is also possible that the risk management procedures or protocols may be flawed, such that these protocols may actually be incapable of delivering the required outcomes. The consequences of failure to adequately manage risk can be disastrous and result in inefficient operations, projects that are not completed on time and strategies that are not delivered, or were incorrect in the first place. The hallmarks of successful risk management are considered in this book. In order to be successful, the risk management initiative should be proportionate, aligned, comprehensive, embedded and dynamic (PACED). Proportionate means that the effort put into risk management should be appropriate to the level of risk that the organization faces. Risk management activities should be aligned with other activities within the organization. Activities will also need to be comprehensive, so that any risk management initiative covers all the aspects of the organization and all the risks that it faces. The means of embedding risk management activities within the organization are discussed in this 6 Introduction book. Finally, risk management activities should be dynamic and responsive to the changing business environment faced by the organization. Book structure The book is presented in six Parts, together with two appendices. Part 1 provides the introduction to risk management and introduces all of the basic concepts. These concepts are explored in more detail in later Parts. Part 2 explores the importance of risk management strategy and considers the vital importance of the risk management policy, as well as exploring the successful implementation of that policy. Part 3 considers the importance of risk assessment as a fundamental requirement of successful risk management. Risk classification and risk analysis tools and techniques are considered in detail in this Part. 
Part 4 considers the impact of risk on organizations, and this extends to the evaluation of corporate governance requirements. Also, the analysis of stakeholder expectations and the relationship between risk management and a simple business model is considered.

Part 5 sets out the options for risk response in detail. Analysis of the various risk control techniques is presented, together with examples of options for the control of selected hazard risks. This Part also considers the importance of insurance and risk transfer.

Finally, Part 6 considers risk assurance and risk reporting. The role of the internal audit function, together with the importance of corporate social responsibility and the options for reporting on risk management are all considered.

Appendix A provides a glossary of terms and cross-references the different terminologies used by different risk management practitioners. Appendix B provides a step-by-step implementation guide to enterprise risk management (ERM), as described in Chapter 25. It includes reference to all of the acronyms used in the book and sets out the key concepts relevant to each step of the successful implementation of a risk management initiative.

Risk management in practice

In order to bring the subject of risk management to life, short illustrative examples are used throughout the text. These examples focus on a small number of organizations in order to give some context to the ideas described. Risk management activities cannot be undertaken out of context, and so these organizations provide context to the ideas and concepts that are described. The most often used examples to illustrate a point are a haulage company, a sports club, a theatre, a publisher and the large stock-exchange-listed company that, for the sake of illustration, owns the sports club and the haulage company. Examples are also used of how risk management principles can be applied to the personal risks faced in private life.
In addition to these general examples, real life situations and examples are also used, where a case study is helpful. Each Part of the book concludes with a brief extract from the report and accounts of a selected company to illustrate the main risk management topics covered in the Part. Although many of these examples are from the UK, the principles are equally applicable to other parts of the world.

Future for risk management

As the global financial crisis has unfolded, there is an increasing tendency for news reports to indicate that risk is bad and risk management has failed. In reality, neither of these two statements is correct. Organizations have to address the risks that they face because many of them have to undertake high-risk activities, either because these activities cannot be avoided, or because the activities are undertaken in order to produce a positive outcome for the organization and its stakeholders. The global financial crisis does not demonstrate the failure of risk management, but rather the failure of the management of organizations to successfully address the risks that they faced.

Achieving benefits from risk management requires carefully planned implementation of the risk management process in the organization, as well as the design and successful embedding of a suitable and sufficient risk management framework. By setting out an integrated approach to risk management, this book provides a description of the fundamental components of successful management of business/corporate risks. It describes a wealth of risk management tools and techniques and provides information on successful delivery of an integrated and enterprise-wide approach to risk management.

Global financial crisis

The extract below offers a summary of the actions that would help to avoid a repeat of the global financial crisis.

Many organizations lack a common risk management framework across the enterprise.
This has many elements, each of which is required to help avoid similar disasters in the future:

• First, there should be common processes, terminology and practices for managing risks of all kinds.
• Second, it is essential that risk tolerances be fully understood, communicated and monitored across the enterprise.
• Third, risk management practices should be incorporated into all key business processes and decisions.
• And, fourth, management should make risk-related decisions using dedicated high quality risk information.

Part 1 Introduction to risk management

Learning outcomes for Part 1

• provide a range of definitions of risk and risk management and describe the usefulness of the various definitions;
• list the characteristics of a risk that need to be identified in order to provide a full risk description;
• describe options for classifying risks according to the nature, source and timescale of impact;
• outline the options for the attachment of risks to various attributes of an organization and describe advantages of each approach;
• use a risk matrix to represent the likely impact of a risk materializing in terms of likelihood and magnitude;
• outline the principles (PACED) and aims of risk management and its importance to operations, projects and strategy;
• describe the nature of hazard, control and opportunity risks and how organizations should respond to each type;
• outline the development of the discipline of risk management, including the various specialist areas and approaches;
• describe the key benefits of risk management in terms of compliance, assurance, decisions and efficiency/effectiveness/efficacy (CADE3);
• describe the key stages in the risk management process and the main components of a risk management framework;
• briefly describe the key features of the best-established risk management standards and frameworks.
Part 1 Further reading

British Standard BS 31100 (2008) Risk management – Code of practice, www.standardsuk.com.
COSO Enterprise Risk Management – Integrated Framework (2004) Executive Summary, www.coso.org.
Financial Reporting Council Internal Control Revised Guidance for Directors on the Combined Code (2005), www.frc.org.uk.
Institute of Risk Management A Risk Management Standard (2002), www.theirm.org.
International Standard ISO 31000 (2009) Risk management – Principles and guidelines, www.iso.org.
ISO Guide 73 (2009) Risk management – Vocabulary – Guidelines for use in standards, www.iso.org.

1 Approaches to defining risk

Definitions of risk

The Oxford English Dictionary definition of risk is as follows: ‘a chance or possibility of danger, loss, injury or other adverse consequences’ and the definition of at risk is ‘exposed to danger’. In this context, risk is used to signify negative consequences. However, taking a risk can also result in a positive outcome. A third possibility is that risk is related to uncertainty of outcome.

Take the example of owning a motorcar. For most people, owning a motorcar is an opportunity to become more mobile and gain the related benefits. However, there are uncertainties in owning a motorcar that are related to maintenance and repair costs. Finally, motor cars can be involved in accidents, so there are obvious negative outcomes that can occur.

Definitions of risk can be found from many sources and some key definitions are set out in Table 1.1. An alternative definition is also provided to illustrate the broad nature of risks that can affect organizations.

The Institute of Risk Management (IRM) defines risk as the combination of the probability of an event and its consequence. Consequences can range from positive to negative. This is a widely applicable and practical definition that can be easily applied.
The international guide to risk-related definitions is ISO Guide 73 and it defines risk as ‘effect of uncertainty on objectives’. This definition appears to assume a certain level of knowledge about risk management and it is not easy to apply to everyday life. The meaning and application of this definition will become clearer as the reader progresses through this book.

Guide 73 also notes that an effect may be positive, negative, or a deviation from the expected. These three types of events can be related to risks as opportunity, hazard or uncertainty, and this relates to the example of motorcar ownership outlined above. The guide notes that risk is often described by an event, a change in circumstances, a consequence, or a combination of these and how they may affect the achievement of objectives.

Table 1.1 Definitions of risk

Organization – Definition of risk

ISO Guide 73 and ISO 31000 – Effect of uncertainty on objectives. Note that an effect may be positive, negative, or a deviation from the expected. Also, risk is often described by an event, a change in circumstances or a consequence.

Institute of Risk Management (IRM) – Risk is the combination of the probability of an event and its consequence. Consequences can range from positive to negative.

“Orange Book” from HM Treasury – Uncertainty of outcome, within a range of exposure, arising from a combination of the impact and the probability of potential events.

Institute of Internal Auditors – The uncertainty of an event occurring that could have an impact on the achievement of the objectives. Risk is measured in terms of consequences and likelihood.

Alternative definition by the author – Event with the ability to impact (inhibit, enhance or cause doubt about) the mission, strategy, projects, routine operations, objectives, core processes, key dependencies and/or the delivery of stakeholder expectations.
The Institute of Internal Auditors (IIA) defines risk as the uncertainty of an event occurring that could have an impact on the achievement of objectives. The IIA adds that risk is measured in terms of consequences and likelihood.

Different disciplines define the term risk in very different ways. The definition used by health and safety professionals is that risk is a combination of likelihood and magnitude, but this may not be sufficient for more general risk management purposes.

Risk in an organizational context is usually defined as anything that can impact the fulfilment of corporate objectives. However, corporate objectives are usually not fully stated by most organizations. Where the objectives have been established, they tend to be stated as internal, annual, change objectives. This is particularly true of the personal objectives set for members of staff in the organization, where objectives usually refer to change or developments, rather than the continuing or routine operations of the organization.

It is generally accepted that risk is best defined by concentrating on risks as events, as in the definition of risk provided in ISO 31000 and the definition provided by the Institute of Internal Auditors, as set out in Table 1.1. In order for a risk to materialize, an event must occur. Greater clarity is likely to be brought to the risk management process if the focus is on events.

For example, consider what could disrupt a theatre performance. The events that could cause disruption include a power cut, absence of a key actor, substantial transport failure or road closures that delay the arrival of the audience, as well as the illness of a significant number of staff. Having identified the events that could disrupt the performance, the management of the theatre needs to decide what to do to reduce the chances of one of these events causing the cancellation of a performance.
This analysis by the management of the theatre is an example of risk management in practice.

Types of risks

Risk may have positive or negative outcomes or may simply result in uncertainty. Therefore, risks may be considered to be related to an opportunity or a loss or the presence of uncertainty for an organization. Every risk has its own characteristics that require particular management or analysis. In this book, as in the Guide 73 definition, risks are divided into three categories:

• hazard (or pure) risks;
• control (or uncertainty) risks;
• opportunity (or speculative) risks.

It is important to note that there is no ‘right’ or ‘wrong’ subdivision of risks. Readers will encounter other subdivisions in other texts and these may be equally appropriate. It is, perhaps, more common to find risks described as two types, pure or speculative. Indeed, there are many debates about risk management terminology. Whatever the theoretical discussions, the most important issue is that an organization adopts the risk classification system that is most suitable for its own circumstances.

There are certain risk events that can only result in negative outcomes. These risks are hazard risks or pure risks, and these may be thought of as operational or insurable risks. In general, organizations will have a tolerance of hazard risks and these need to be managed within the levels of tolerance of the organization. A good example of a hazard risk faced by many organizations is that of theft.

There are certain risks that give rise to uncertainty about the outcome of a situation. These can be described as control risks and are frequently associated with project management. In general, organizations will have an aversion to control risks. Uncertainties can be associated with the benefits that the project produces, as well as uncertainty about the delivery of the project on time, within budget and to specification.
The management of control risks will often be undertaken in order to ensure that the outcome from the business activities falls within the desired range. At the same time, organizations deliberately take risks, especially marketplace or commercial risks, in order to achieve a positive return. These can be considered as opportunity or speculative risks, and an organization will have a specific appetite for investment in such risks.

The application of risk management tools and techniques to the management of hazard risks is the best and longest-established branch of risk management, and much of this text will concentrate on hazard risks. There is a hierarchy of controls that apply to hazard risks and this will be discussed in a later chapter.

Hazard risks are associated with a source of potential harm or a situation with the potential to undermine objectives in a negative way. Hazard risks are the most common risks associated with organizational risk management, including occupational health and safety programmes.

Control risks are associated with unknown and unexpected events. They are sometimes referred to as uncertainty risks and they can be extremely difficult to quantify. Control risks are often associated with project management. In these circumstances, it is known that the events will occur, but the precise consequences of those events are difficult to predict and control. Therefore, the approach is based on minimizing the potential consequences of these events.

There are two main aspects associated with opportunity risks. There are risks/dangers associated with taking an opportunity, but there are also risks associated with not taking the opportunity. Opportunity risks may not be visible or physically apparent, and they are often financial in nature. Although opportunity risks are taken with the intention of having a positive outcome, this is not guaranteed.
Opportunity risks for small businesses include moving a business to a new location, acquiring new property, expanding a business and diversifying into new products.

Risk description

In order to fully understand a risk, a detailed description is necessary so that a common understanding of the risk can be identified and ownership/responsibilities may be clearly understood. Table 1.2 provides information on the range of information that must be recorded to fully understand a risk. The list of information set out in Table 1.2 is most applicable to hazard risks and the list will need to be modified to provide a full description of control or opportunity risks.

So that the correct range of information can be collected about each risk, the distinction between hazard, control and opportunity risks needs to be clearly understood. The example below is intended to distinguish between these three types of risk, so that the information required in order to describe each type of risk can be identified.
Table 1.2 Risk description

• Name or title of risk
• Statement of risk, including scope of risk and details of possible events and dependencies
• Nature of risk, including details of the risk classification and timescale of potential impact
• Stakeholders in the risk, both internal and external
• Risk attitude, appetite, tolerance or limits for the risk
• Likelihood and magnitude of event and consequences should the risk materialize at current/residual level
• Control standard required or target level of risk
• Incident and loss experience
• Existing control mechanisms and activities
• Responsibility for developing risk strategy and policy
• Potential for risk improvement and level of confidence in existing controls
• Risk improvement recommendations and deadlines for implementation
• Responsibility for implementing improvements
• Responsibility for auditing risk compliance

Computer viruses

In order to understand the distinction between hazard, control and opportunity risks, the example of the use of computers is useful. Virus infection is an operational or hazard risk and there will be no benefit to an organization suffering a virus attack on its software programs. When an organization installs or upgrades a software package, control risks will be associated with the upgrade project. The selection of new software is also an opportunity risk, where the intention is to achieve better results by installing the new software, but it is possible that the new software will fail to deliver all of the functionality that was intended and the opportunity benefits will not be delivered. In fact, the failure of the functionality of the new software system may substantially undermine the operations of the organization.

Inherent level of risk

It is important to understand the uncontrolled level of all risks that have been identified.
This is the level of the risk before any actions have been taken to change the likelihood or magnitude of the risk. Although there are advantages in identifying the inherent level of risk, there are practical difficulties in identifying this with certain types of risks. Identifying the inherent level of the risk enables the importance of the control measures in place to be identified.

The Institute of Internal Auditors (IIA) has the view that the assessment of all risks should commence with the identification of the inherent level of the risk. The guidance from the IIA states that ‘in the risk assessment, we look at the inherent risks before considering any controls.’ The new International Risk Management Standard, ISO 31000, recommends that risks are assessed at both inherent and current levels.

Often, a risk matrix will be used to show the inherent level of the risk in terms of likelihood and magnitude. The reduced or current level of the risk can then be identified, after the control or controls have been put in place. The effort that is required to reduce the risk from its inherent level to its current level can be clearly indicated on the risk matrix.

Terminology varies and the inherent level of risk is sometimes referred to as the absolute risk or gross risk. Also, the current level of risk is often referred to as the residual level or the managed level of risk. The example in the box below provides an example of how inherently high-risk activities are reduced to a lower level of risk by the application of sensible and practical risk response options.

Crossing the road

Crossing a busy road would be inherently dangerous if there were no controls in place and many more accidents would occur. When a risk is inherently dangerous, greater attention is paid to the control measures in place, because the perception of risk is much higher. Pedestrians do not cross the road without looking and drivers are always aware that pedestrians may step into the road.
Often, other traffic calming control measures are necessary to reduce the speed of the motorists or increase the risk awareness of both motorists and pedestrians.

Risk classification systems

Risks can be classified according to the nature of the attributes of the risk, such as timescale for impact, and the nature of the impact and/or likely magnitude of the risk. They can also be classified according to the timescale of impact after the event occurs. The source of the risk can also be used as the basis of classification. In this case, a risk may be classified according to its origin, such as counterparty or credit risk.

A further way of classifying risks is to consider the nature of the impact. Some risks can cause detriment to the finances of the organization, whereas others will have an impact on the activities or the infrastructure. Further, risks may have an impact on the reputation of the organization or on its status and the way it is perceived in the marketplace.

Individual organizations will decide on the risk classification system that suits them best, depending on the nature of the organization and its activities. Also, many risk management standards and frameworks suggest a specific risk classification system. If the organization adopts one of these standards, then it will tend to follow the classification system recommended.

The risk classification system that is selected should be fully relevant to the organization concerned. There is no universal classification system that fulfils the requirements of all organizations. It is likely that each risk will need to be classified in several ways in order to clearly understand its potential impact. However, many classification systems offer common or similar structures, as will be described in later chapters.

Risk likelihood and magnitude

Risk likelihood and magnitude are best demonstrated using a risk map, sometimes referred to as a risk matrix.
Risk maps can be produced in many formats. Whatever format is used for a risk map, it is a very valuable tool for the risk management practitioner. The basic style of risk map plots the likelihood of an event against the magnitude or impact should the event materialize.

Figure 1.1 is an illustration of a simple risk matrix, sometimes referred to as a heat map. This is a commonly used method of illustrating risk likelihood and the magnitude (or severity) of the event should the risk materialize. The use of the risk matrix to illustrate risk likelihood and magnitude is a fundamentally important risk management tool. The risk matrix can be used to plot the nature of individual risks, so that the organization can decide whether the risk is acceptable and within the risk appetite and/or risk capacity of the organization.

Throughout this book, a standard format for presenting a risk map has been adopted. The horizontal axis is used to represent likelihood. The term likelihood is used rather than frequency, because the word frequency implies that events will definitely occur and the map is registering how often these events take place. Likelihood is a broader word that includes frequency, but also refers to the chances of an unlikely event happening. However, in risk management literature, the word probability will often be used to describe the likelihood of a risk materializing.

Figure 1.1 Risk likelihood and magnitude (vertical axis: magnitude; horizontal axis: likelihood; four cells: low likelihood/high magnitude, high likelihood/high magnitude, low likelihood/low magnitude, high likelihood/low magnitude)

The vertical axis is used to indicate magnitude in Figure 1.1. The word magnitude is used rather than severity, so that the same style of risk map can be used to illustrate hazard, control and opportunity risks. Severity implies that the event is undesirable and is, therefore, related to hazard risks. Figure 1.1 maps likelihood against the magnitude of an event.
However, the more important consideration for risk managers is not the magnitude of the event, but the impact or consequences. For example, a large fire could occur that completely destroys a warehouse of a distribution and logistics company. Although the magnitude of the event may be large, if the company has produced plans to cope with such an event, the impact on the overall business may be much less than would otherwise be anticipated. The magnitude of an event may be considered to be the inherent level of the event and the impact can be considered to be the risk-managed level. Because the impact (or consequences) of an event is usually more important than its magnitude (or severity), then every risk matrix used in the remainder of this book will plot impact against likelihood, rather than magnitude against likelihood.

The risk matrix will be used throughout this book to provide a visual representation of risks. It can also be used to indicate the likely risk control mechanisms that can be applied. The risk matrix can also be used to record the inherent, current (or residual) and target levels of the risk. Colour coding is often used on the risk matrix to provide a visual representation of the importance of each risk under consideration. As risks move towards the top right-hand corner of the risk matrix, they become more likely and have a greater impact. Therefore, the risk becomes more important and immediate and effective risk control measures need to be introduced.

As a practical example of risk management in action at strategic level, consider the uncertainties embedded in the merger involving Delta Airlines and Northwest Airlines. This illustrates that organizations take strategic decisions that involve high levels of risk and uncertainty. There will be considerable uncertainties relating to whether all of the benefits outlined below can be delivered in practice.
Uncertainty in strategic decisions

An agreement has been reached and, barring any roadblocks from antitrust authorities, Delta Airlines and Northwest Airlines are merging and will operate under the Delta Airlines name. Delta Airlines released information outlining the basic elements of the deal and the ramifications it foresees for the new airline and its passengers.

The list of benefits it sees by merging:

• Combining Delta and Northwest will create a global US carrier that can compete with foreign airlines that continue to increase service to the United States.
• Customers and communities will benefit from access to a global route system and a more financially stable airline.
• More destinations will result in more schedule options and more opportunities to earn and redeem frequent flyer miles.
• Delta customers will benefit from Northwest’s routes to Asian markets and Northwest’s customers will benefit from Delta’s routes to other markets.
• Delta and Northwest complementary common membership in the SkyTeam alliance will ease the integration risk that has complicated some airline mergers.

2 Impact of risk on organizations

Risk importance

Following the events in the world financial system during 2008, all organizations are taking a greater interest in risk and risk management. It is increasingly understood that the explicit management of risks brings benefits. By taking a proactive approach to risk and risk management, organizations will be able to achieve the following three areas of improvement:

• Operations will become more efficient because events that can cause disruption will be identified in advance and actions taken to reduce the likelihood of these events occurring, reducing the damage caused by these events and containing the cost of the events that can cause disruption to normal efficient production operations.
• Processes will be more effective, because consideration will have been given to selection of the processes and the risks involved in the alternatives that may be available. Also, process changes that are delivered by way of projects will be more effectively and reliably delivered.
• Strategy will be more efficacious in that the risks associated with different strategic options will be fully analysed and better strategic decisions will be reached. Efficacious refers to the fact that the strategy that will be developed will be fully capable of delivering the required outcomes.

It is no longer acceptable for organizations to find themselves in a position whereby unexpected events cause financial loss, disruption to normal operations, damage to reputation and loss of market presence. Stakeholders now expect that organizations will take full account of the risks that may cause disruption within operations, late delivery of projects or failure to deliver strategy.

The exposure presented by an individual risk can be defined in terms of the likelihood of the risk materializing and the impact of the risk when it does materialize. As risk exposure increases, then likely impact will also increase. Throughout this book, the term impact is used in preference to the alternative word, consequences. This is because the term impact is preferred in business continuity planning evaluations.

Injury to key player

A sports club will wish to reduce the chances of a key player being absent through injury. However, key players do get injured and the club will need to consider the impact of such an event in advance of it happening. If the injury is serious, the player may be absent for a significant length of time. There is likely to be a substantial impact, which will be most obvious on the pitch where the success of the team is likely to be reduced.
However, other consequences may also result and these could include the loss of revenue from the sale of shirts and other merchandise with that player’s name and number. Arrangements to reduce the potential for loss of income should also be considered.

Impact of hazard risks

Hazard risks undermine objectives, and the level of impact of such risks is a measure of their significance. Risk management has its longest history and earliest origins in the management of hazard risks. Hazard risk management is closely related to the management of insurable risks. Remember that a hazard (or pure) risk can only have a negative outcome. Hazard risk management is concerned with issues such as health and safety at work, fire prevention, damage to property and the consequences of defective products.

Hazard risks can cause disruption to normal operations, as well as resulting in increased costs and poor publicity associated with disruptive events. Hazard risks are related to business dependencies, including IT and other supporting services. There is increasing dependence on the IT infrastructure of most organizations and IT systems can be disrupted by computer breakdown or fire in server rooms, as well as virus infection and deliberate hacking or computer attacks.

Theft and fraud can also be significant hazard risks for many organizations. This is especially true for organizations handling cash or managing a significant number of financial transactions. Techniques relevant to the avoidance of theft and fraud include adequate security procedures, segregation of financial duties, and authorization and delegation procedures, as well as the vetting of staff prior to employment.

Attachment of risks

Although most standard definitions of risk refer to risks as being attached to corporate objectives, Figure 2.1 provides an illustration of the options for the attachment of risks.
Risks are shown in the diagram as being capable of impacting the key dependencies that deliver the core processes of the organization. Corporate objectives and stakeholder expectations help define the core processes of the organization. These core processes are key components of the business model and can relate to operations, projects and corporate strategy.

The intention of Figure 2.1 is to demonstrate that significant risks can be attached to features of the organization other than corporate objectives. Significant risks can be identified by considering the key dependencies of the organization, the corporate objectives and/or the stakeholder expectations, as well as by analysis of the core processes of the organization.

In the build-up to the recent financial crisis, banks and other financial institutions established operational and strategic objectives. By analysing these objectives and identifying the risks that could prevent the achievement of them, risk management made a contribution to the achievement of the high-risk objectives that ultimately led to the failure of the organizations. This example illustrates that attaching risks to attributes other than objectives is not only possible but may well have been desirable in these circumstances.

Figure 2.1 Attachment of risks (elements shown: mission statement; strategic or business plan (and annual budget); corporate objectives; stakeholder expectations; core processes; key dependencies; significant risks. Arrows are labelled ‘support or deliver’ and ‘impact or attach’.)

It is clearly the case that risks are greater in circumstances of change. Therefore, linking risks to change objectives is not unreasonable, but the analysis of each objective in turn may not lead to robust risk recognition/identification. In any case, business objectives are usually stated at too high a level for the successful attachment of risks.
To be useful to the organization, the corporate objectives should be presented as a full statement of the short, medium and long-term aims of the organization. Internal, annual, change objectives are usually inadequate, because they may fail to fully identify the operational (or efficiency), change (or competition) and strategic (or leadership) requirements of the organization.

The most important disadvantage associated with the ‘objectives-driven’ approach to risk and risk management is the danger of considering risks out of the context that gave rise to them. Risks that are analysed in a way that is separated from the situation that led to them will not be capable of rigorous and informed evaluation. It can be argued that a more robust analysis can be achieved when a ‘dependencies-driven’ approach to risk management is adopted.

It remains the case that many organizations continue to use an analysis of corporate objectives as a means of identifying risks, because some benefits do arise from this approach. For example, using this ‘objectives-driven’ approach facilitates the analysis of risks in relation to the positive and uncertain aspects of the events that may occur, as well as facilitating the analysis of the negative aspects.

If the decision is taken to attach risks to the objectives of the organization, then it is important that these objectives have been fully and completely developed. Not only do the objectives need to be challenged to ensure that they are full and complete, but the assumptions that underpin the objectives should also receive careful and critical attention.

Core processes will be discussed later in this book and may be considered as the high level processes that drive the organization. In the example of a sports club, one of the key processes is the operational process ‘delivering successful results on the pitch’. Risks may be attached to this core process, as well as being attached to objectives and/or key dependencies.
Although risks can be attached to other features of the organization, the standard approach is to attach risks to corporate objectives. One of the standard definitions of risk is that it is something that can impact (undermine, enhance or cause doubt) the achievement of corporate objectives. This is a useful definition, but it does not provide the only means of identifying significant risks.

Risk and reward

Another feature of risk and risk management is that many risks are taken by an organization in order to achieve a reward. Figure 2.2 illustrates the relationship between the level of risk and the anticipated size of reward. A business will launch a new product because it believes that greater profit is available from the successful marketing of the new product. In launching a new product, the organization will put resources at risk because it has decided that a certain amount of risk taking is appropriate. The value put at risk represents the risk appetite of the organization with respect to the activity that it is undertaking.

When an organization puts value at risk in this way, it should do so with the full knowledge of the risk exposure and it should be satisfied that the risk exposure is within the appetite of the organization. Even more important, it should ensure that it has sufficient resources to cover the risk exposure. In other words, the risk exposure should be quantified, the appetite to take that level of risk should be confirmed and the capacity of the organization to withstand any foreseeable adverse consequences should be clearly established.

Not all business activities will offer the same return for risk taken. Start-up operations are usually high risk and the initial expected return may be low. Figure 2.2 demonstrates the probable risk–return development for a new organization or a new product.
The activity will commence in the bottom right-hand corner as a start-up operation, which is high risk and low return. As the business develops, it is likely to move to a higher return for the same level of risk. This is the growth phase for the business or product. As the investment matures, the reward may remain high, but the risks should reduce. Eventually, an organization will become fully mature and move towards the low-risk and low-return quadrant. The normal expectation in very mature markets is that the organization or product will be in decline.

Figure 2.2 Risk and reward. [Diagram: vertical axis ‘Potential reward’, horizontal axis ‘Risk exposure’; quadrants labelled Start-up operation, Growth, Mature operation and Decline.]

The particular risks that the organization faces will need to be identified by management or by the organization. Appropriate risk management techniques will then need to be applied to the risks that have been identified. The nature of these risk responses and the nature of their impact will be considered in a later chapter.

The above discussion about risk and reward applies to opportunity risks. However, it must always be the case that risk management effort produces rewards. In the case of hazard risks, it is likely that the reward for increased risk management effort will be fewer disruptive events. In the case of project risks, the reward for increased risk management effort will be that the project is more likely to be delivered on time, within budget and to specification/quality. For opportunity risks, the risk–reward analysis should result in fewer unsuccessful new products and a higher level of profit or (at worst) a lower level of loss for all new activities or new products.

Risk versus reward

In a Formula 1 Grand Prix, the Ferrari team decided to send a driver out on wet-weather tyres, before the rain had actually started. Wet-weather tyres wear out very quickly in dry conditions and make the car much slower.
If the rain had started immediately, this would have proved to be a very good decision. In fact, the rain did not start for four or five laps, by which time the driver had been overtaken by most other drivers and his set of wet-weather tyres were ruined in the dry conditions. He had to return to the pits for a further set of new tyres more suited to the race conditions. In this case, a high-risk strategy was adopted in anticipation of significant rewards. However, the desired rewards were not achieved and significant disadvantage resulted.

Risk and uncertainty

Risk is sometimes defined as uncertainty of outcomes. This is a somewhat technical, but nevertheless useful definition and it is particularly applicable to the management of control risks. Control risks are the most difficult to identify and define, but are often associated with projects. The overall intention of a project is to deliver the desired outcomes on time, within budget and to specification.

For example, when a building is being constructed, the nature of the ground conditions may not always be known in detail. As the construction work proceeds, more information will be available about the nature of the ground conditions. This information may be positive news that the ground is stronger than expected and less foundation work is required. Alternatively, it may be discovered that the ground is contaminated or the ground is weaker than expected or that other potentially adverse circumstances exist, such as archaeological remains being discovered. Given this uncertainty, these risks should be considered to be control risks and the overall management of the project should take account of the uncertainty associated with these different types of risk. It would be unrealistic for the project manager to assume that only adverse aspects of the ground conditions will be discovered.
Likewise, it would be unwise for the project manager to assume that conditions will be better than he has been advised, just because he wants that to be the case.

Because control risks cause uncertainty, it may be considered that an organization will have an aversion to these risks. Perhaps, the real aversion is to the potential variability in outcomes. A certain level of deviation from the project plan can be tolerated, but it must not be too great. Tolerance in relation to control risks can be considered to have the same meaning as in the manufacture of engineering components, where the components must be of a certain size, within acceptable tolerance limits.

Attitudes to risk

Different organizations will have different attitudes to risk. Some organizations may be considered to be risk averse, whilst other organizations will be risk aggressive. To some extent, the attitude of the organization to risk will depend on the sector and the nature and maturity of the marketplace within which it operates, as well as the attitude of the individual board members.

Risks cannot be considered outside the context that gave rise to the risks. It may appear that an organization is being risk aggressive, when in fact, the board has decided that there is an opportunity that should not be missed. However, the fact that the opportunity is high risk may not have been fully considered. One of the major contributions from successful risk management is to ensure that strategic decisions that appear to be high risk are actually taken with all of the information available. Improvement in the robustness of decision-making processes is one of the key benefits of risk management.

Other key factors that will determine the attitude of the organization to risk include the stage in the maturity cycle, as shown in Figure 2.2.
For an organization that is in the start-up phase, a more aggressive attitude to risk is required than for an organization that is enjoying growth or one that is a mature organization in a mature marketplace. Where an organization is operating in a mature marketplace and is suffering from decline, the attitude to risk will be much more risk averse.

It is because the attitude to risk has to be different when an organization is a start-up operation compared with a mature organization, that it is often said that certain high-profile businessmen are very good at entrepreneurial start-up, but are not as successful in running mature businesses. Different attitudes to risk are required at different parts of the business maturity cycle.

Chicken farmer

Consider the example of a very successful breeder and reseller of chicken in a mature marketplace involving little risk and steady and manageable growth prospects. The CEO saw an opportunity to transform his family’s company. Overturning the family tradition of avoiding debt, he borrowed $500,000 and set about fundamentally changing the operation from a chicken farmer and reseller to a fully automated chicken raising and retail operation.

It is not surprising that many great CEOs and founders had a strong propensity for risk – without taking at least some calculated risks, the businesses would not have flourished and more importantly lasted. Some had nothing to lose, but for others, there was a tremendous amount at stake – both personally and professionally. Like vision, an appetite for risk taking is considered almost a prerequisite for success. Knowing when to be a risk taker and opportunistic is critical to being able to successfully take advantage of the times. It can also be disastrous when the context of the times changes sharply. The same act performed too soon or too late or in the wrong scene may make a person a fool rather than a hero.
That analysis fully applies to risk taking in business.

3 Types of risks

Timescale of risk impact

Risks can be classified in many ways. Hazard risks can be divided into many types of risks, including risks to property, risks to people and risks to the continuity of the business. There are a range of formal risk classification systems and these will be considered in a later part of this book. Although it should not be considered to be a formal risk classification system, this part considers the value of classifying risks according to the timeframe for the impact of the risk.

The classification of risks as long, medium and short-term impact is a very useful means of analysing the risk exposure of an organization. These risks will be related to the strategy, tactics and operations of the organization, respectively. In this context, risks may be considered as related to events, changes in circumstances, actions or decisions.

In general terms, long-term risks will impact several years, perhaps up to five years, after the event occurs or the decision is taken. Long-term risks therefore relate to strategic decisions. When a decision is taken to launch a new product, the impact of that decision (and the success of the product itself) may not be fully apparent for some time.

Medium-term risks have their impact some time after the event occurs or the decision is taken, and typically this will be about a year later. Medium-term risks are often associated with projects or programmes of work. For example, if a new computer software system is to be installed, then the choice of computer system is a long-term or strategic decision. However, decisions regarding the project to implement the new software will be medium-term decisions with medium-term risk attached.

Short-term risks have their impact immediately after the event occurs.
Accidents at work, traffic accidents, fire and theft are all short-term risks that have an immediate impact and immediate consequences as soon as the event has occurred. These short-term risks cause immediate disruption to normal efficient operations and are probably the easiest types of risks to identify and manage.

Insurable risks are quite often short-term risks, although the exact timing and magnitude/impact of the insured events is uncertain. In other words, insurance is designed to provide protection against risks that have immediate consequences. In the case of insurable risks, the nature and consequences of the event may be understood, but the timing of the event is unpredictable. In fact, whether the event will occur at all is not known at the time the insurance policy is taken out.

By way of example, consider the operation of a new computer software system in more detail. The organization will install the new software in anticipation of gaining efficiency and greater functionality. The decision to install new software and the choice of the software involves opportunity risks. The installation will require a project, and certain risks will be involved in the project. The risks associated with the project are control risks. After the new software has been installed, it will be exposed to hazard risks. It may not deliver all of the functionality required and the software may be exposed to various risks and virus infection. These are the hazard risks associated with this new software system.

Hazard, control and opportunity risks

We have already seen in Chapter 1 that risks can be divided into three categories:

• hazard risks;
• control risks;
• opportunity risks.

Definitions of these three types of risk are also given in Appendix A.

A common language of risk is required throughout the organization if the contribution of risk management is to be maximized.
The use of a common language will also enable the organization to develop an agreed perception of risk. Part of developing this common language and perception of risk is to agree a risk classification system or series of such systems.

For example, consider people reviewing their financial position and the risks they currently face regarding finances. It may be that the key financial dependencies relate to achieving adequate income and managing expenditure. The review should include an analysis of the risks to job security and pension arrangements, as well as property ownership and other investments. This part of the analysis will provide information on the risks to income and the nature of those risks (opportunity risks). Regarding expenditure, the review will consider spending pattern to determine whether cost cutting is necessary (hazard risks). It will also consider leisure time activities, including holiday arrangements and hobbies, and there will be some uncertainties regarding expenditure and the costs of these activities (control risks).

Hazard risks are the risks that can only inhibit achievement of the corporate mission. Typically, these are insurable type risks or perils, and will include fire, storm, flood, injury and so on. The discipline of risk management has strong origins in the management and control of hazard risks. Normal efficient operations may be disrupted by loss, damage, breakdown, theft and other threats associated with a wide range of dependencies, as shown in Table 3.1, and these may include (for example):

• people;
• premises;
• assets;
• suppliers;
• information technology (IT);
• communications.

Control risks are risks that cause doubt about the ability to achieve the mission of the organization. Internal financial control protocols are a good example of a response to a control risk. If the control protocols are removed, there is no way of being certain about what will happen.
Control risks are the most difficult type of risk to describe, but later Parts of this book will assist with understanding. Control risks are associated with uncertainty, and examples include the potential for legal non-compliance and losses caused by fraud. They are usually dependent on the successful management of people and successful implementation of control protocols. Although most organizations ensure that control risks are carefully managed, they may, nevertheless, remain potentially significant. Opportunity risks are the risks that are (usually) deliberately sought by the organization. These risks arise because the organization is seeking to enhance the achievement of the mission, although they might inhibit the organization if the outcome is adverse. This is the most important type of risk for the future long-term success of any organization. Many organizations are willing to invest in high-risk business strategies in anticipation of a high profit or return. These organizations may be considered to have a large appetite for opportunity investment. Often, the same organization will have the opposite approach to hazard risks and have a small hazard tolerance. This may be appropriate, because the attitude of the organization may be that it does not want hazard-related risks consuming corporate resources, when it is putting so much value at risk investing in opportunities. 
Table 3.1 Categories of disruption

People: lack of people skills and/or resources; unexpected absence of key personnel; ill-health, accident or injury to people.
Premises: inadequate or insufficient premises; denial of access to premises; damage to or contamination of premises.
Assets: accidental damage to physical assets; breakdown of plant or equipment; theft or loss of physical assets.
Suppliers: disruption caused by failure of supplier; delivery of defective goods or components; failure of outsourced services and facilities.
Information technology (IT): failure of IT hardware systems; disruption by hacker or computer virus; inefficient operation of computer software.
Communications: inadequate management of information; failure of internal or external communications; transport failure or disruption.

Hazard tolerance

As discussed earlier in this part, organizations face exposure to a wide range of risks. These risks will be hazard risks, control risks and opportunity risks. Organizations need to tolerate a hazard risk exposure, accept exposure to control risks and invest in opportunity risks.

In the case of health and safety risks, it is generally accepted that organizations should be intolerant of these risks and should take all appropriate actions to eliminate them. In practice, this is not possible and organizations will manage safety risks to the lowest level that is cost-effective and in compliance with the law. For example, an automatic braking system fitted to trains to stop them passing through red lights is technically feasible. However, this may represent an unreasonable investment for the train operating company. The consequences of trains going through red lights may be regarded as the risk exposure or hazard tolerance of the organization but the cost of introducing the automatic braking system may be considered to be prohibitively high.

A less emotive example is related to theft.
Most organizations will suffer a low level of petty theft and this may be tolerable. For example, businesses based in an office environment will suffer some theft of stationery, including paper, envelopes and pens. The cost of eliminating this petty theft may be very large and so it becomes cost-effective for the organization to accept that these losses will occur. The approach to theft in shops may be very different in different retail sectors, as illustrated by the example below.

Security standards

An example can be seen in the operation of a security-conscious jewellery shop. Customers are allowed into the shop one at a time. They are recorded on CCTV as they wait to enter. Items are held securely, and customers are invited to ask to see specific items under the suspicious gaze of the shop assistants. Of course, some customers are put off, but equally the shops suffer negligible rates of shoplifting.

Contrast this with a supermarket, where there are no barriers on entry and customers are allowed to handle all of the items. There is CCTV monitoring the shops, and there are likely to be store detectives patrolling – but the object of the security is to deter rather than to prevent shoplifting. Shoplifting does occur, but at rates that are acceptable to the shop owners. Conversely, few potential customers are put off visiting the shop because of the measures.

Management of hazard risks

The range of hazard risks that can affect an organization needs to be identified by the organization. Hazard risks can result in unplanned disruption for the organization. Disruptive events cause inefficiency and are to be avoided, unless they are part of, for example, planned maintenance or testing of emergency procedures. The desired state in relation to hazard risk management is that there should be no unplanned disruption or inefficiency from any of the reasons shown in Table 3.1. Table 3.1 provides a list of the events that can cause unplanned disruption or inefficiency.
These events are divided into several categories, such as people, property, assets, suppliers, information technology and communications. For each category of hazard risks, the organization needs to evaluate the types of incidents that could occur, the sources of those incidents and their likely impact on normal efficient operations.

Management of hazard risks involves analysis and management of three aspects of the hazard risk. This will be discussed in more detail in a later Part of this book. In summary, the organization should look at the necessary actions to prevent the loss occurring, limit the damage that the event could cause and contain the cost of recovering from the event.

Hazard management is traditionally the approach adopted by the insurance world. Organizations will have a tolerance of hazard risks. The approach should be based on reducing the likelihood and magnitude/impact of hazard losses. Insurance represents the mechanism for limiting the financial cost of losses. When an organization considers the level of insurance that it will purchase, the hazard tolerance of the organization needs to be fully analysed. Organizations may be willing to accept a certain cost of motor accidents as a financial cost that will be funded from the day-to-day profit and loss of the organization. This will only be tolerable up to a certain level and the organization will need to determine what level is acceptable. Insurance should then be purchased to cover losses that are likely to exceed that level.

Uncertainty acceptance

When undertaking projects and implementing change, an organization has to accept a level of uncertainty. Uncertainty or control risks are an inevitable part of undertaking a project. A contingency fund to allow for the unexpected will need to be part of a project budget, as well as contingent time built into project schedules.
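The retention decision described under ‘Management of hazard risks’ above (fund motor-accident losses from day-to-day profit and loss up to a level the organization can tolerate, and buy insurance for losses above it), combined with the Chapter 2 test that exposure be quantified, appetite confirmed and capacity established, can be worked through numerically. The block below is an added example for this page and is not part of Hopkin’s text or of any IRM material. The per-event loss history, the tolerance figure and the capacity figure are all constructed for illustration; a real exercise would use the organization’s own claims record.

```python
"""Hazard tolerance as a retention decision.

Added worked example; it is not part of Hopkin's text. The loss history,
the tolerance and the capacity figures below are constructed for illustration.
"""
from statistics import mean

# Constructed per-event loss history, one list per year (e.g. motor fleet
# claims, in pounds). Made-up figures, chosen so that most years are small
# attritional losses with an occasional large event.
LOSS_HISTORY = {
    2006: [1_200, 4_800, 900, 15_500, 2_300],
    2007: [650, 3_100, 48_000, 1_900],
    2008: [2_200, 7_400, 1_100, 900, 3_600, 120_000],
    2009: [1_500, 2_700, 5_200],
    2010: [9_800, 800, 2_100, 31_000, 1_300, 4_400],
}


def split_loss(loss, retention):
    """Per-occurrence retention: the organization funds each loss from P&L
    up to the retention; the insurer pays the part above it."""
    retained = min(loss, retention)
    insured = max(loss - retention, 0)
    return retained, insured


def annual_retained(losses, retention):
    """Total the organization carries itself in one year."""
    return sum(split_loss(loss, retention)[0] for loss in losses)


def expected_annual_retained(history, retention):
    """Quantified exposure: average retained cost per year over the history."""
    return mean(annual_retained(losses, retention) for losses in history.values())


def worst_year_retained(history, retention):
    """Foreseeable adverse case: the worst retained year seen in the history."""
    return max(annual_retained(losses, retention) for losses in history.values())


def choose_retention(history, tolerance, capacity, candidates):
    """Pick the highest retention that passes both tests from the text:
    the expected retained cost stays within the hazard tolerance funded from
    day-to-day P&L, and the worst year stays within the capacity the
    organization can withstand. Returns None when no candidate qualifies.
    A higher retention means cheaper insurance, so the highest passing value
    is the one to take to the insurance market."""
    passing = [
        r for r in candidates
        if expected_annual_retained(history, r) <= tolerance
        and worst_year_retained(history, r) <= capacity
    ]
    return max(passing) if passing else None


if __name__ == "__main__":
    candidates = [1_000, 2_500, 5_000, 10_000, 25_000]
    tolerance, capacity = 20_000, 35_000   # constructed figures
    for r in candidates:
        print(f"retention {r:>6}: expected {expected_annual_retained(LOSS_HISTORY, r):>8.0f}"
              f"  worst year {worst_year_retained(LOSS_HISTORY, r):>8.0f}")
    print("chosen retention:", choose_retention(LOSS_HISTORY, tolerance, capacity, candidates))
```

With the constructed figures, a per-occurrence retention of 10,000 keeps the expected retained cost (19,570 a year) inside the 20,000 tolerance and the worst observed year (28,400) inside the 35,000 capacity, while 25,000 fails both tests. The two tests are deliberately separate: an organization can have an appetite for the average year and still lack the capacity for the bad one, which is the point of the text’s insistence that capacity be established and not only appetite confirmed.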
When looking to develop appropriate responses to control risks, the organization must make necessary resources available to identify the controls, implement the controls and respond to the consequences of any control risk materializing. The nature of control risks and the appropriate responses depend on the level of uncertainty and the nature of the risk.

Uncertainty represents a deviation from the required or expected outcome. When an organization is undertaking a project, such as a process enhancement, the project has to be delivered on time, within budget and to specification. Also, the enhancement has to deliver the benefits that were required. Deviation from the anticipated benefits of a project represents uncertainties that can only be accepted within a certain range.

Control management is the basis of the approach to risk management adopted by internal auditors and accountants. The UK Turnbull Report will be mentioned later in this book, and it concentrates on internal control with little reference to risk assessment. Control management is concerned with reducing the uncertainty associated with significant risks and reducing the variability of outcomes. There are dangers if the organization becomes too concerned with control management. The organization should not become obsessed with control risks, because it is sometimes suggested that over-focus on internal control and control management suppresses the entrepreneurial effort.

Opportunity investment

Some risks are taken deliberately by organizations in order to achieve their mission. These risks are often marketplace or commercial risks that have been taken in the expectation of achieving a positive return. These opportunity risks can otherwise be referred to as commercial, speculative or business risks. Opportunity risks are the type of risk with potential to enhance (although they can also inhibit) the achievement of the mission of the organization.
These risks are the ones associated with taking advantage of business opportunities. All organizations have some appetite for seizing opportunities and are willing to invest in them. There will always be a desire for the organization to have efficient operations, effective processes and efficacious strategy. Opportunity risks are normally associated with the development of new or amended strategies, although opportunities can also arise from enhancing the efficiency of operations and implementing change initiatives.

Every organization will need to decide what appetite it has for seizing new opportunities and the level of investment that is appropriate. For example, an organization may realize that there is a requirement in the market for a new product that its expertise would allow it to develop and supply. However, if the organization does not have the resources to develop the new product, then it may be unable to implement that strategy and it would be unwise for the organization to embark on such a potentially high-risk course of action.

It will be for the management of the company to decide whether they have an appetite for seizing the perceived opportunity. Just because the organization has that appetite, it does not mean that it is the correct thing to do. The board of the company should therefore be aware of the fact that, although they may have an appetite for seizing the opportunity, the organization might not have the risk capacity to support that course of action.

Opportunity management is the approach that seeks to maximize the benefits of taking entrepreneurial risks. Organizations will have an appetite for investing in opportunity risks. There is a clear link between opportunity management and strategic planning. The desire is to maximize the likelihood of a significant positive outcome from investments in business opportunities.
The example below related to personal lifestyle decisions considers risk factors by classifying them as controllable and uncontrollable. Although the example relates to personal health risk factors, consideration of whether business risks are within the control of the organization or not is an important component of successful business risk management.

Heart disease risk factors

Controllable risk factors for heart disease and stroke are those that can be changed through diet, physical activity and no tobacco use. These risk factors are in contrast to those that are uncontrolled, such as age, gender, race or genetic traits. Having one or more uncontrollable risk factors does not mean a person will have a heart attack or stroke; however, with proper attention to those risk factors that are controllable, one may reduce the impact of those risk factors that cannot be controlled or changed.

Controllable risk factors for heart disease or stroke include high blood pressure, high blood cholesterol, type-2 diabetes and obesity. Healthy lifestyle habits, such as developing good eating habits, increasing physical activity and abstaining from tobacco use, are effective steps in both preventing and improving the controllable risk factors.

4 Development of risk management

Origins of risk management

Risk management has a variety of origins and is practised by a wide range of professionals. One of the early developments in risk management was in the United States out of the insurance management function. The practice of risk management became more widespread and better co-ordinated because the cost of insurance in the 1950s had become prohibitive and the extent of coverage limited. Organizations realized that purchasing insurance was insufficient, if there was also inadequate attention to the protection of property and people.
Insurance buyers therefore became concerned with the quality of property protection, the standards of health and safety, product liability issues and other risk control concerns. This combined approach to risk financing and risk control developed in Europe during the 1970s and the concept of total cost of risk became important. As this approach became established, it also became obvious that there were many risks facing organizations that were not insurable. The tools and techniques of risk management were then applied to other disciplines, as discussed later in this chapter.

The maturity of the risk management discipline is now such that the links with insurance are much less strong. Insurance is now seen as one of the risk control techniques, but it is only applicable to a portion of hazard risks. Risks related to finance, commercial, marketplace and reputational issues are recognized as being hugely important, but outside the historical scope of insurance. The range of different approaches to risk management is illustrated by the definitions of risk management as set out in Table 4.1.
Table 4.1 Definitions of risk management

ISO Guide 73 and BS 31100: Coordinated activities to direct and control an organization with regard to risk.
Institute of Risk Management (IRM): Process which aims to help organizations understand, evaluate and take action on all their risks with a view to increasing the probability of success and reducing the likelihood of failure.
HM Treasury: All the processes involved in identifying, assessing and judging risks, assigning ownership, taking actions to mitigate or anticipate them, and monitoring and reviewing progress.
London School of Economics: Selection of those risks a business should take and those which should be avoided or mitigated, followed by action to avoid or reduce risk.
Business Continuity Institute: Culture, processes and structures that are put in place to effectively manage potential opportunities and adverse effects.

The increasing importance of risk management can be explained by the list of issues set out in Table 4.2. Many of these issues demonstrate that the application of risk management has moved a long way from the origins in the insurance world. Nevertheless, the insurance origins of risk management remain vitally important and are still part of the approach to hazard management. This chapter considers the nature of risk management and the established stages that build into the risk management process. Historically, the term...

Explanation & Answer

Attached.

Risk Classification

I. Introduction
II. Risk Classification
III. Firm Model of Risk Classification
IV. PESTLE and Firm Contribution to Organizational Risk Management
V. The Appropriate Model of Risk Classification


Running head: RISK CLASSIFICATION

Risk Classification
Institution Affiliation
Date

Risk Classification

Risk classification refers to the categorization of risks according to their probability, magnitude, and cost of occurrence. Organizations need to identify the various risks they face in order to develop measures for mitigating those risks. By doing this, the organization is able to survive or absolutely avoid the risks when they occur.
Firm Model of Risk Classification
The firm model or the flexible firm involves dividing an organization’s staff according to their skill set. The larger number involves the temporary and lower-skilled workforce referred to as the peripheral group. The smaller number of permanent and skilled workers referred to as the core grou...

