Saint Josephs University Texas Fertilizer Plant Explosion Event Description


Description

Look and provide a good paper please.

Ask me to clarify.

APA format

Thank you so much!

Unformatted Attachment Preview

Major Incident Case Response Analysis
Part 2: Event Description

Review Figure 2.3 on page 33 of the text. Use the “Category” section of the Bow Tie Model pictured to provide a description of the disruption (what was the incident) of the incident you selected. Address this disruption as it relates to the following elements from the model: People, Premises, Processes and Products. (2 to 3 pages)

My incident topic is: Texas Fertilizer Plant Explosion, 2013

Fundamentals of Risk Management
To a safe, secure and sustainable future
FOURTH EDITION
Understanding, evaluating and implementing effective risk management
Paul Hopkin

Publisher's note

Every possible effort has been made to ensure that the information contained in this book is accurate at the time of going to press, and the publishers and authors cannot accept responsibility for any errors or omissions, however caused. No responsibility for loss or damage occasioned to any person acting, or refraining from action, as a result of the material in this publication can be accepted by the editor, the publisher or any of the authors.

First published in Great Britain and the United States in 2010 by Kogan Page Limited
Second edition 2012
Third edition 2014
Fourth edition 2017

Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form or by any means, with the prior permission in writing of the publishers, or in the case of reprographic reproduction in accordance with the terms and licences issued by the CLA. Enquiries concerning reproduction outside these terms should be sent to the publishers at the undermentioned addresses:

2nd Floor, 45 Gee Street, London EC1V 3RS, United Kingdom
www.koganpage.com
c/o Martin P Hill Consulting, 122 W 27th St, 10th Floor, New York, NY 10001, USA
4737/23 Ansari Road, Daryaganj, New Delhi 110002, India

© The Institute of Risk Management, 2010, 2012, 2014, 2017

The right of The Institute of Risk Management to be identified as the author of this work has been asserted by them in accordance with the Copyright, Designs and Patents Act 1988.

ISBN 978 0 7494 7961 9
E-ISBN 978 0 7494 7962 6

British Library Cataloguing-in-Publication Data
A CIP record for this book is available from the British Library.
Library of Congress Cataloging-in-Publication Control Number 2016046147

Typeset by Graphicraft Limited, Hong Kong
Print production managed by Jellyfish
Printed and bound by CPI Group (UK) Ltd, Croydon, CR0 4YY

CONTENTS

List of figures
List of tables
Foreword
Acknowledgements
Introduction

PART ONE: Introduction to risk management
Learning outcomes for Part One
Part One further reading
Part One case studies: Rank Group: How we manage risk; ABIL: Risk management overview; BIS: Approach to risk
01 Approaches to defining risk: Definitions of risk; Types of risks; Risk description; Inherent level of risk; Risk classification systems; Risk likelihood and magnitude
02 Impact of risk on organizations: Level of risk; Impact of hazard risks; Attachment of risks; Risk and reward; Attitudes to risk; Risk and triggers
03 Types of risks: Timescale of risk impact; Four types of risk; Embrace opportunity risks; Manage uncertainty risks; Mitigate hazard risks; Minimize compliance risks
04 Scope of risk management: Origins of risk management; Development of risk management; Specialist areas of risk management; Simple representation of risk management; Enterprise risk management; Levels of risk management sophistication
05 Principles and aims of risk management: Principles of risk management; Importance of risk management; Risk management activities; Effective and efficient core processes; Implementing risk management; Achieving benefits

PART TWO: Approaches to risk management
Learning outcomes for Part Two
Part Two further reading
Part Two case studies: United Utilities: Our risk management framework; Birmingham City Council: Scrutiny, accountability and risk management; Tsogo Sun: Risk management process
06 Risk management standards: Scope of risk management standards; Risk management process; Risk management context; COSO ERM cube; Features of RM standards; Updating of existing standard
07 Establishing the context: Scope of the context; External context; Internal context; Risk management context; Designing a risk register; Using a risk register
08 Enterprise risk management: Enterprise-wide approach; Definitions of ERM; ERM in practice; ERM and business continuity; ERM in energy and finance; Future development of ERM
09 Alternative approaches: Changing face of risk management; Managing emerging risks; Increasing importance of resilience; Different approaches; Structure of management standards; Future of risk management

PART THREE: Risk assessment
Learning outcomes for Part Three
Part Three further reading
Part Three case studies: AA: Risk governance; British Land: Our assessment of risk is a cornerstone; Guide Dogs NSW/ACT: List of major residual risks
10 Risk assessment considerations: Importance of risk assessment; Approaches to risk assessment; Risk assessment techniques; Nature of the risk matrix; Risk perception; Attitude to risk
11 Risk classification systems: Short-, medium- and long-term risks; Nature of risk classification systems; Examples of risk classification systems; FIRM risk scorecard; PESTLE risk classification system; Compliance, hazard, control and opportunity
12 Risk analysis and evaluation: Application of a risk matrix; Inherent and current level of risk; Control confidence; 4Ts of hazard risk response; Risk significance; Risk capacity
13 Loss control: Risk likelihood; Risk magnitude; Hazard risks; Loss prevention; Damage limitation; Cost containment
14 Defining the upside of risk: Upside of risk; Opportunity assessment; Riskiness index; Upside in strategy; Upside in projects; Upside in operations

PART FOUR: Risk response
Learning outcomes for Part Four
Part Four further reading
Part Four case studies: Intu Properties: Insurance renewal; The Walt Disney Company: Disclosures about market risks; Australian Mines Limited: Risk assessment and management
15 Tolerate, treat, transfer and terminate: The 4Ts of hazard response; Tolerate risk; Treat risk; Transfer risk; Terminate risk; Strategic risk response
16 Risk control techniques: Types of controls; Hazard risk zones; Preventive controls; Corrective controls; Directive controls; Detective controls
17 Insurance and risk transfer: Importance of insurance; History of insurance; Types of insurance cover; Evaluation of insurance needs; Purchase of insurance; Captive insurance companies
18 Business continuity: Business continuity management; Business continuity standards; Successful business continuity; Business impact analysis (BIA); Business continuity and ERM; Civil emergencies

PART FIVE: Risk strategy
Learning outcomes for Part Five
Part Five further reading
Part Five case studies: AMEC Foster Wheeler: Principal risks and uncertainties; BBC: Internal controls assurance; Emperor Watch & Jewellery: Risk management
19 Core business processes: Dynamic business models; Types of business processes; Strategy and tactics; Effective and efficient operations; Ensuring compliance; Reporting performance
20 Reputation and the business model: Components of the business model; Risk management and the business model; Reputation and corporate governance; CSR and risk management; Supply chain and ethical trading; Importance of reputation
21 Risk management context: Architecture, strategy and protocols; Risk architecture; Risk management strategy; Risk management protocols; Risk management manual; Risk management documentation
22 Risk management responsibilities: Allocation of responsibilities; Range of responsibilities; Statutory responsibilities of management; Role of the risk manager; Risk architecture in practice; Risk committees
23 Control of selected hazard risks: Cost of risk controls; Learning from controls; Control of financial risks; Control of infrastructure risks; Control of reputational risks; Control of marketplace risks

PART SIX: Risk culture
Learning outcomes for Part Six
Part Six further reading
Part Six case studies: Network Rail: Our approach to risk management; Ekurhuleni Metropolitan Municipality (EMM): Risk management; Ericsson: Corporate governance report
24 Risk-aware culture: Styles of risk management; Steps to successful risk management; Defining risk culture; Measuring risk culture; Alignment of activities; Risk maturity models
25 Importance of risk appetite: Nature of risk appetite; Risk appetite and the risk matrix; Risk and uncertainty; Risk exposure and risk capacity; Risk appetite statements; Risk appetite and lifestyle decisions
26 Risk training and communication: Consistent approach to risk; Risk training and risk culture; Risk information and communication; Shared risk vocabulary; Risk information on an intranet; Risk management information system (RMIS)
27 Risk practitioner competencies: Competency frameworks; Range of skills; Communication skills; Relationship skills; Analytical skills; Management skills

PART SEVEN: Risk governance
Learning outcomes for Part Seven
Part Seven further reading
Part Seven case studies: Severn Trent Water: Our approach to risk; Tim Hortons: Sustainability and responsibility; DCMS: Capacity to handle risk
28 Corporate governance model: Corporate governance; OECD principles of corporate governance; LSE corporate governance framework; Corporate governance for a bank; Corporate governance for a government agency; Evaluation of board performance
29 Stakeholder expectations: Range of stakeholders; Stakeholder dialogue; Stakeholders and core processes; Stakeholders and strategy; Stakeholders and tactics; Stakeholders and operations
30 Operational risk management: Operational risk; Definition of operational risk; Basel II and Basel III; Measurement of operational risk; Difficulties of measurement; Developments in operational risk
31 Project risk management: Introduction to project risk management; Development of project risk management; Uncertainty in projects; Project lifecycle; Opportunity in projects; Project risk analysis and management
32 Supply chain management: Importance of the supply chain; Scope of the supply chain; Strategic partnerships; Joint ventures; Outsourcing of operations; Risk and contracts

PART EIGHT: Risk assurance
Learning outcomes for Part Eight
Part Eight further reading
Part Eight case studies: Unilever: Our risk appetite and approach to risk management; Colgate Palmolive: Damage to reputation; Sainsbury’s and Tesco: Principal risks and uncertainties
33 The control environment: Nature of control environment; Purpose of internal control; Control environment; Features of the control environment; CoCo framework of internal control; Good safety culture
34 Risk assurance techniques: Audit committees; Role of risk management; Risk assurance; Risk management outputs; Control risk self-assessment; Benefits of risk assurance
35 Internal audit activities: Scope of internal audit; Role of internal audit; Undertaking an internal audit; Risk management and internal audit; Management responsibilities; Five lines of assurance
36 Reporting on risk management: Risk reporting; Sarbanes–Oxley Act of 2002; Risk reports by US companies; Charities’ risk reporting; Public-sector risk reporting; Government report on national security

Appendix A: Abbreviations and acronyms
Appendix B: Glossary of terms
Appendix C: Implementation guide
Index

LIST OF FIGURES

Figure 1.1 Risk likelihood and magnitude
Figure 2.1 Attachment of risks
Figure 2.2 Risk and reward
Figure 2.3 Disruptive events and the bow-tie
Figure 4.1 8Rs and 4Ts of (hazard) risk management
Figure 4.2 Risk management sophistication
Figure 6.1 IRM risk management process
Figure 6.2 Components of the RM context
Figure 6.3 COSO ERM framework
Figure 6.4 Risk management process from ISO 31000
Figure 7.1 Three components of context
Figure 10.1 Risk attitude matrix
Figure 11.1 Bow-tie representation of risk management
Figure 11.2 Bow-tie and risks to premises
Figure 12.1 Personal risk matrix
Figure 12.2 Inherent, current and target levels of risk
Figure 13.1 Loss control and the bow-tie
Figure 14.1 Risk matrix for opportunities and hazards
Figure 15.1 Risk matrix and the 4Ts of hazard management
Figure 15.2 Risk versus reward in strategy
Figure 15.3 Opportunity risks and risk appetite
Figure 16.1 Types of controls for hazard risks
Figure 16.2 Bow-tie and types of controls
Figure 16.3 Hazard risk zones
Figure 17.1 Role of captive insurance companies
Figure 18.1 Disaster recovery timeline and costs
Figure 18.2 Model for business continuity planning
Figure 19.1 Business development model
Figure 20.1 Components of the business model
Figure 20.2 Mapping the components of reputation
Figure 22.1 Risk architecture for a large corporation
Figure 22.2 Risk architecture for a charity
Figure 23.1 Illustration of control effect
Figure 23.2 Cost-effective controls
Figure 23.3 Learning from controls
Figure 23.4 Risk and reward decisions
Figure 24.1 Risk maturity demonstrated on a matrix
Figure 25.1 Risk appetite, exposure and capacity (optimal)
Figure 25.2 Risk and uncertainty
Figure 25.3 Risk appetite, exposure and capacity (vulnerable)
Figure 28.1 LSE corporate governance framework
Figure 28.2 Corporate governance in a government agency
Figure 29.1 Importance of core processes
Figure 31.1 Risk matrix to represent project risks
Figure 31.2 Bow-tie to represent project risks
Figure 31.3 Project lifecycle
Figure 31.4 Decreasing uncertainty during the project
Figure 33.1 Criteria of Control (CoCo) framework
Figure 35.1 Role of internal audit in ERM
Figure 35.2 Governance, risk and compliance
Figure 36.1 Selected UK security threats

LIST OF TABLES

Table 1.1 Definitions of risk
Table 1.2 Risk description
Table 3.1 Risks associated with owning a car
Table 3.2 Categories of operational disruption
Table 4.1 Definitions of risk management
Table 4.2 Importance of risk management
Table 4.3 8Rs and 4Ts of (hazard) risk management
Table 5.1 Principles of risk management
Table 5.2 Risk management objectives
Table 6.1 Risk management standards
Table 6.2 COSO ERM framework
Table 7.1 Format for a basic risk register
Table 7.2 Risk register for a sports club
Table 7.3 Risk register for a hospital
Table 7.4 Project risk register
Table 7.5 Risk register attached to a business plan
Table 8.1 Features of an enterprise-wide approach
Table 8.2 Definitions of enterprise risk management
Table 8.3 Benefits of enterprise risk management
Table 9.1 Summary of King III risk requirements
Table 10.1 Top-down risk assessment
Table 10.2 Bottom-up risk assessment
Table 10.3 Techniques for risk assessment
Table 10.4 Advantages and disadvantages of RA techniques
Table 10.5 Definitions of likelihood
Table 10.6 Definitions of impact
Table 11.1 Risk classification systems
Table 11.2 Attributes of the FIRM risk scorecard
Table 11.3 PESTLE classification system
Table 11.4 Personal issues grid
Table 12.1 Benchmark tests for risk significance
Table 13.1 Generic key dependencies
Table 14.1 Defining the upside of risk
Table 14.2 Riskiness index
Table 15.1 Description of the 4Ts of hazard response
Table 15.2 Key dependencies and significant risks
Table 16.1 Description of types of hazard controls
Table 16.2 Examples of the hierarchy of hazard controls
Table 17.1 Different types of insurance
Table 17.2 Identifying the necessary insurance
Table 18.1 Key activities in business continuity planning
Table 20.1 Scope of issues covered by CSR
Table 20.2 Components of reputation
Table 20.3 Threats to reputation
Table 21.1 Risk management framework
Table 21.2 Types of RM documentation
Table 21.3 Risk management manual
Table 21.4 Risk management protocols
Table 22.1 Risk management responsibilities
Table 22.2 Historical role of the insurance risk manager
Table 22.3 Responsibilities of the RM committee
Table 24.1 Achieving successful enterprise risk management
Table 24.2 Implementation barriers and actions
Table 24.3 Risk-aware culture
Table 24.4 Four levels of risk maturity
Table 25.1 Definitions of risk appetite
Table 25.2 Risk appetite statements
Table 25.3 Risk appetite for a manufacturing organization
Table 25.4 Controls for the risks of owning a car
Table 26.1 Risk management training
Table 26.2 Risk communication guidelines
Table 26.3 Risk management information system (RMIS)
Table 27.1 Risk management technical skills
Table 27.2 People skills for risk management practitioners
Table 27.3 Structure of training courses
Table 28.1 OECD principles of corporate governance
Table 28.2 Nolan principles of public life
Table 28.3 Evaluating the effectiveness of the board
Table 29.1 Data for shareholders
Table 29.2 Sports club: typical stakeholder expectations
Table 30.1 ORM principles (Basel II)
Table 30.2 Operational risk for a bank
Table 30.3 Operational risk in financial and industrial companies
Table 31.1 PRAM model for project RM
Table 32.1 Risks associated with outsourcing
Table 32.2 Scope of outsourcing contracts
Table 33.1 Definitions of internal control
Table 33.2 Components of the CoCo framework
Table 34.1 Responsibilities of the audit committee
Table 34.2 Sources of risk assurance
Table 35.1 Undertaking an internal audit
Table 35.2 Allocation of responsibilities
Table 36.1 Risk management (RM) responsibilities of the board
Table 36.2 Risk report in a Form 20-F
Table 36.3 Government risk-reporting principles

FOREWORD

Importance of enterprise risk management

Organizations face an increasingly challenging and complex environment in which to undertake their activities. Since the third edition of this textbook, the consequences of the global financial crisis have continued to challenge public-, private- and third-sector organizations.
To add further complexity, the second decade of the 21st century has been marked by political instability in many parts of the world and the recent decision of the United Kingdom to exit the European Union has added further global uncertainty. It is within this increasingly uncertain environment that organizations are required to deliver higher stakeholder expectations, whilst fulfilling greater corporate governance requirements in relation to ethical and social responsibility. For example, legislation has been introduced in many countries to broaden the scope of requirements regarding management of bribery risk and the avoidance of modern slavery. Given all these developments, the updating of this textbook to place greater emphasis on the importance of enterprise risk management (ERM) to organizational success is very timely. Successful ERM, including the protection of corporate reputation, continues to be a business imperative for all organizations. A successful ERM initiative enhances the ability of an organization to achieve objectives and ensure sustainability, based on transparent and ethical behaviours. The Institute of Risk Management (IRM) has long supported the development of ERM, as a contribution to development and delivery of successful business models and strategy for all types of organizations. The training courses and qualifications offered by the IRM enable risk professionals and others to support their employer and/or clients in achieving maximum benefit from an ERM initiative. Although this textbook has been designed specifically for the IRM International Certificate in Enterprise Risk Management, the contents outline approaches to achieving successful ERM that will support any type of organization in their efforts to deliver corporate objectives and satisfy stakeholder expectations. This textbook is a valuable resource for all organizations and anyone with an interest in risk management. 
Ian Livsey PhD MBA

Ian Livsey is Chief Executive at the Institute of Risk Management, risk management’s leading worldwide professional education, training and knowledge body. Further information about the Institute and the International Certificate is available from the IRM website, www.theirm.org.

ACKNOWLEDGEMENTS

The risk management profession and the expertise of risk professionals continues to develop in line with the ever-increasing expectations placed on risk managers and risk consultants. Many more organizations have appointed individuals with the job title chief risk officer (CRO) and this development has increased the need for robust professional qualifications and designations for risk management practitioners. Given the ever-increasing complexity of the business environment, it is not surprising that production of the fourth edition of Fundamentals of Risk Management became necessary, just two years after production of the third edition. The importance and contribution of risk management continues to increase and centres of risk management expertise and excellence continue to thrive in all business sectors, whether private, public or third sector. Lectures, seminars, special interest groups and other group meetings, as well as one-to-one conversations with risk specialists assisted with the updating of this book. It is clear that ideas and experiences related to enterprise risk management are continuing to expand. A wide range of risk management-related standards are currently being drafted and/or updated and the level of knowledge and expertise involved in the production of these risk management standards proved to be a very valuable source of information for the revision of the book. The main challenge in producing the fourth edition of this textbook has been to align the material in the book more closely with the syllabus of the IRM International Certificate in Enterprise Risk Management (ERM).
When undertaking this task, I have received considerable help and support from colleagues at the Institute of Risk Management (IRM), as well as many insightful comments from risk professionals working as presenters and lecturers on IRM training and teaching courses. I continue to be grateful to the large number of people who have helped with the development of the ideas presented and discussed in this book. I am sure that developments in risk management will continue apace and keeping abreast of developments and enhancements to risk management theory and practice will remain a challenge for risk management practitioners, all of whom are seeking to bring the benefits of enhanced risk management to their employer and/or client organizations.

Paul Hopkin
November 2016

Introduction

Risk management in context

This book is intended for all who want a comprehensive introduction to the theory and application of risk management. It sets out an integrated introduction to the management of risk in public and private organizations. Studying this book will provide insight into the world of risk management and may also help readers decide whether risk management is a suitable career option for them.
Many readers will wish to use this book in order to gain a better understanding of risk and risk management and thereby fulfil the primary responsibilities of their jobs with an enhanced understanding of risk. This book is designed to deliver the syllabus of the International Certificate in Risk Management qualification of the Institute of Risk Management. However, it also acts as an introduction to the discipline of risk management for those interested in the subject but not (yet) undertaking a course of study. An introduction to risk and risk management is provided in Part One and Part Two of this book and administration of risk management is considered in Part Five (Risk strategy). Parts Three and Four describe the application of risk management in terms of risk assessment and risk response. Part Six considers risk culture, Part Seven describes risk governance and Part Eight considers risk assurance and risk reporting. Parts Seven and Eight concentrate on the application of risk management tools and techniques, as well as considering the outputs from the risk management process and the benefits that arise. We all face risks in our everyday lives. Risks arise from personal activities and range from those associated with travel through to the ones associated with personal financial decisions. There are considerable risks present in the domestic component of our lives, and these include fire risks in our homes and financial risks associated with home ownership. Indeed, there are also a whole range of risks associated with domestic and relationship issues, but these are outside the scope of this book. This book is primarily concerned with business and commercial risks and the roles that we fulfil in our job or occupation. However, the task of evaluating risks and deciding how to respond to them is a daily activity, not only at work but also at home and during leisure activities. 
The importance of context is emphasized throughout the book and Chapter 7 specifically discusses the first stage of the risk management process, which is ‘establish the context’. Further consideration of context is provided by Chapter 21 which describes the risk management context in more detail.

Nature of risk

Recent events in the world have brought risk into higher profile. Terrorism, extreme weather events and the global financial crisis represent the extreme risks that are facing society and commerce. These extreme risks exist in addition to the daily, somewhat more mundane, risks mentioned above. Evaluating the range of risk responses available and deciding the most appropriate one in each case is at the heart of risk management. Responding to risks should produce benefits for us as individuals, as well as for the organizations where we work and/or are employed.

Within our personal and domestic lives, many of the responses to risk are automatic. Our ways of avoiding fire and road traffic accidents are based on well-established and automatic responses. Fire and accident are the types of risks that can only have negative outcomes, and they are often referred to as hazard risks. Compliance requirements are viewed by many organizations as hazard risks, whereby failure to comply can only be negative. However, other organizations have the view that achieving compliance can bring additional benefits or deliver the ‘upside of risk’.

Some other risks have established or required responses that are imposed on us as individuals and/or on organizations as mandatory requirements. For example, in our personal lives, buying insurance for a car is usually a legal requirement, whereas buying insurance for a house is often not, but is good risk management and very sensible. Keeping your car in good mechanical order will reduce the chances of a breakdown. However, even vehicles that are fully serviced and maintained do occasionally break down.
Maintaining your car in good mechanical order will reduce the chances of breakdown, but will not eliminate them completely. These types of risks that have a large degree of uncertainty associated with them are often referred to as control risks. The risks associated with owning a car are explored in some detail in the book, because this represents a practical example within the experience of most people.

As well as hazard and control risks, there are risks that we take because we desire (and probably expect) a positive return. For example, you will invest money in anticipation that you will make a profit from the investment. Likewise, placing a bet or gambling on the outcome of a sporting event is undertaken in anticipation of receiving positive payback. People participate out of choice in motor sports and other potentially dangerous leisure activities. In these circumstances, the return may not be financial, but can be measured in terms of pride, self-esteem or peer group respect. Undertaking activities involving risks of this type, where a positive return is expected, can be referred to as taking opportunity risks.

Risk management

Organizations face a very wide range of risks that can impact the outcome of their operations. The desired overall aim may be stated as a mission or a set of corporate objectives. The events that can impact an organization may inhibit what it is seeking to achieve (hazard risks), enhance that aim (opportunity risks), or create uncertainty about the outcomes (control risks). Risk management needs to offer an integrated approach to the evaluation, control and monitoring of these three types of risk. This book examines the key components of risk management and how it can be applied. Examples are provided that demonstrate the benefits of risk management to organizations in both the public and private sectors.
Risk management also has an important part to play in the success of not-for-profit organizations such as charities and (for example) clubs and other membership bodies. The risk management process is well established, although it is presented in a number of different ways and often in differing terminologies. The different terminologies that are used by different risk management practitioners and in different business sectors are explored in this book. In addition to a description of the established risk management standards, a simplified description of risk management that sets out the key stages in the risk management process is also presented to help with understanding. The risk management process cannot take place in isolation. It needs to be supported by a framework within the organization. Once again, the risk management framework is presented and described in different ways in the range of standards, guides and other publications that are available. In all cases, the key components of a successful risk management framework are the communications and reporting structure (architecture), the overall risk management strategy that is set by the organization (strategy) and the set of guidelines and procedures (protocols) that have been established. The importance of the risk architecture, strategy and protocols (RASP) is discussed in detail in this book. The combination of risk management processes, together with a description of the framework in place for supporting the process, constitutes a risk management standard. There are several risk management standards in existence, including the IRM Standard and the recently updated British Standard BS 31100:2011. There is also the American COSO ERM framework. The most high-profile addition to the available risk management standards is the international standard, ISO 31000, published in 2009. The well-established and respected Australian Standard AS 4360 (2004) was withdrawn in 2009 in favour of ISO 31000. 
AS 4360 was first published in 1995 and ISO 31000 includes many of the features and offers a similar approach to that previously described in AS 4360. Further information on existing standards and other published guides is set out in Chapter 6. Additionally, references are included in each part of this book to provide further material to enable the reader to gain a comprehensive introduction to the subject of risk management. Abbreviations and acronyms are used throughout the book as an aid to learning and understanding. A list of all abbreviations and acronyms is included in Appendix A.

Risk management terminology

Most risk management publications refer to the benefits of having a common language of risk within the organization. Many organizations manage to achieve this common language and common understanding of risk management processes and protocols at least internally. However, it is usually the case that within a business sector, and sometimes even within individual organizations, the development of a common language of risk can be very challenging. Reference and supporting materials use a great range of terminologies. The different approaches to risk management, the different risk management standards that exist and the wide range of guidance material that is available often use different terms for the same feature or concept. This is regrettable and can be very confusing, but it is inescapable. Attempts are being made to develop a standardized language of risk, and ISO Guide 73 has been developed as the common terminology that should be used in all ISO standards. The terminology set out in ISO Guide 73 is used throughout this book as the default set of definitions wherever possible. However, the use of a standard terminology is not always possible and alternative definitions may be required.
Indeed, ISO itself also publishes a terminology guide, ISO/IEC Guide 51:1999, entitled ‘Safety Aspects: Guidelines for Their Inclusion in Standards’, and the definitions in Guide 51 are not fully aligned with those in Guide 73. To assist with the difficult area of terminology, Appendix B sets out the basic terms and definitions that are used in risk management. It also provides cross reference between the different terms in use to describe the same concept. Where appropriate and necessary a table setting out a range of definitions for the same concept is included within the relevant chapter of the book, and these tables are cross-referenced in Appendix B.

Benefits of risk management

There are a range of reasons why organizations undertake risk management activities. These reasons are summarized in this book as mandatory, assurance, decision making and effective and efficient core processes (MADE2). Mandatory refers to risk management activities designed to ensure that an organization complies with legal and regulatory obligations, as well as customer or client requirements. The board of an organization will require assurance that significant risks have been identified and appropriate controls put in place. In order to ensure that correct business decisions are taken, the organization should undertake risk management activities that provide additional structured information to assist with business decision making. Finally, a key benefit from risk management is to enhance the effectiveness and efficiency of operations within the organization. Additionally, it should help ensure that business processes (including process enhancements by way of tactics, projects and other change initiatives) are also effective and efficient. Finally, the selected strategy also needs to be effective and efficient, in that it is capable of delivering exactly what is required.
Risk management inputs are required in relation to strategic decision making, but also in relation to the effective delivery of projects and programmes of work, as well as in relation to the routine operations of the organization. The benefits of risk management can also be identified in relation to these three timescales of activities within the organization. The outputs from risk management activities can benefit organizations in three timescales and ensure that the organization achieves effective and efficient strategy, tactics and operations. Strategy, tactics and operations are underpinned by the need to achieve compliance. Strategic, tactical, operational and compliance (STOC) core processes and activities encompass the whole range of processes of an organization. These processes are the core processes of the organization and analysis of the core processes provides a comprehensive approach to risk management that is used in several sections of the book.

In order to achieve a successful risk management contribution, the intended benefits of any risk management initiative have to be identified. If those benefits have not been identified, then there will be no means of evaluating whether the risk management initiative has been successful. Therefore, good risk management must have a clear set of desired outcomes/benefits. Appropriate attention should be paid to each stage of the risk management process, as well as to details of the design, implementation and monitoring of the framework that supports these risk management activities.

Features of risk management

Failure to adequately manage the risks faced by an organization can be caused by inadequate risk recognition, insufficient analysis of significant risks and failure to identify suitable risk response activities. Also, failure to set a risk management strategy and to communicate that strategy and the associated responsibilities may result in inadequate management of risks.
It is also possible that the risk management procedures or protocols may be flawed, such that these protocols may actually be incapable of delivering the required outcomes. The consequences of failure to adequately manage risk can be disastrous and may result in ineffective and/or inefficient operations, projects that are not completed on time and strategies that are not delivered, or were incorrect in the first place.

The hallmarks of successful risk management are considered in this book. In order to be successful, the risk management initiative should be proportionate, aligned, comprehensive, embedded and dynamic (PACED). Proportionate means that the effort put into risk management should be appropriate to the level of risk that the organization faces. Risk management activities should be aligned with other activities within the organization. Activities will also need to be comprehensive, so that any risk management initiative covers all the aspects of the organization and all the risks that it faces. The means of embedding risk management activities within the organization are discussed in this book. Finally, risk management activities should be dynamic and responsive to the changing business environment faced by the organization.

As with all management activities and processes in an organization, risk management needs to be adapted and modified to align with the core processes, and organizational culture. In relation to risk management, an organization will first need to specifically respond to statutory obligations and the requirements of regulators. Once they have been satisfied, most organizations can work on the basis that whatever works within the organization and delivers the required benefits, outputs and outcomes is the correct and appropriate approach to ERM for that organization.

Book structure

The book is presented in eight parts, together with three appendices.
Part One provides the introduction to risk management and introduces all of the basic concepts. Part Two considers the alternative approaches to risk management and starts by considering established risk management standards. The importance of establishing the context is then considered in detail, followed by an analysis of the features and benefits of enterprise risk management. Part Three considers the importance of risk assessment as a fundamental requirement of successful risk management. Risk classification and risk analysis tools and techniques are considered in detail in this part. Part Four sets out the options for risk response in detail. Analysis of the various risk control techniques is presented, together with examples of options for the control of selected hazard risks. This part also considers the importance of insurance and risk transfer, as well as business continuity planning. Part Five explores the importance of risk management strategy and considers the vital importance of the risk management policy, as well as exploring the successful implementation of that policy. There is also a consideration of reputation and the business model and the importance of the risk management context. Part Six starts by considering the nature of a risk-aware culture and then goes on to consider the importance of risk appetite. Risk training and communication, together with risk practitioner competencies, are also included in Part Six. Part Six also reflects on the fact that the emergence of risk management as a profession has resulted in more attention being paid to risk management competency frameworks and the importance of people or soft skills. Part Seven considers the importance of risk governance, and this extends to the evaluation of broader corporate governance requirements and the impact of risk on organizations. Also, the analysis of stakeholder expectations and the relationship between risk management and a simple business model are considered. 
Finally, Part Eight considers risk assurance and risk reporting. The role of the internal audit function, together with the importance of corporate social responsibility and the options for reporting on risk management are all considered.

Throughout the book, information is presented in tables and figures to make the information more readily accessible. Extensive use is made of the increasingly common approach of using a bow-tie representation of the risk management process. Appendix A is a full list of the main acronyms and abbreviations used in the book. Appendix B provides a glossary of terms and cross-references the different terminologies used by different risk management practitioners. Appendix C provides a step-by-step implementation guide to enterprise risk management (ERM), as described in Chapter 8. This is based on the plan, implement, measure and learn (PIML) approach which is similar to the plan–do–check–act (PDCA) approach described in several risk-related standards. Appendix C also includes reference to the acronyms used in the book and sets out the key concepts relevant to each step of the successful implementation of an ERM initiative.

Risk management in practice

In order to bring the subject of risk management to life, short illustrative examples are used throughout the text. These examples focus on a small number of organizations in order to give some context to the ideas described. Risk management activities cannot be undertaken out of context, and so these organizations provide context to the ideas and concepts that are described. The most often used examples to illustrate a point are a haulage company, a sports club, a theatre, a publisher and the large stock-exchange-listed company that, for the sake of illustration, owns the sports club and the haulage company. Examples are also used of how risk management principles can be applied to the personal risks faced in private life.
In addition to these general examples, real-life situations and examples are also used, where a case study is helpful. Each part of the book concludes with a brief extract from the report and accounts of two selected companies to illustrate the main risk management topics covered in the part. Although many of these examples are mainly from the UK, the principles are equally applicable to other parts of the world.

Because of the global financial crisis, and the continuing economic difficulties around the world, risk management continues to be a very high-profile topic. Therefore, there are many examples of the application of risk management tools and techniques to difficult business and commercial situations. The book takes advantage of the wealth of information that is available in order to present examples, opinions and commentary on the risk management issues affecting organizations.

Throughout the book, boxes are included within the text. These boxes either provide practical examples of the application of the theory being discussed, or they provide opinions and commentary on real situations that have arisen. Additionally, case studies have been included at the beginning of each part of the book and these have been taken from the websites of high-profile organizations or from the published annual reports and accounts that are available in the public domain.

Future for risk management

As the global financial crisis has unfolded, there is an increasing tendency for news reports to indicate that risk is bad and risk management has failed. In reality, neither of these two statements is correct. Organizations have to address the risks that they face because many of them have to undertake high-risk activities, either because these activities cannot be avoided, or because the activities are undertaken in order to produce a positive outcome for the organization and its stakeholders.
The global financial crisis does not demonstrate the failure of risk management, but rather the failure of the management of organizations to successfully address the risks that they faced. Achieving benefits from risk management requires carefully planned implementation of the risk management process in the organization, as well as the design and successful embedding of a suitable and sufficient risk management framework.

By setting out an integrated approach to risk management, this book provides a description of the fundamental components of successful management of business/corporate risks. It describes a wealth of risk management tools and techniques and provides information on successful delivery of an integrated and enterprise-wide approach to risk management.

Risk management is changing rapidly, in terms both of the tools and techniques that are applied and the governance structures that are being introduced to ensure successful management of risk. Organizations need to be more cost conscious, and this has resulted in the emergence of approaches such as Governance Risk and Compliance (GRC). GRC represents an approach that is designed to be both effective and cost efficient in terms of the results that are achieved.

With many organizations having to introduce cost-cutting and finding the current trading conditions difficult, emerging risks have never been more important. For many organizations, it is a challenge to keep their risk exposure within the risk capacity of the organization. Events can occur that could be devastating for the organization. In these difficult circumstances, organizations need to pay more attention to an analysis of the triggers that could result in significant risks materializing, as well as developing detailed plans to manage any crisis that does arise. The list below offers a summary of the actions that would help to avoid a repeat of the global financial crisis.
Many organizations lack a common risk management framework across the enterprise. This has many elements, each of which is required to help avoid similar disasters in the future:

● First, there should be common processes, terminology and practices for managing risks of all kinds.
● Second, it is essential that risk tolerances be fully understood, communicated and monitored across the enterprise.
● Third, risk management practices should be incorporated into all key business processes and decisions.
● And, fourth, management should make risk-related decisions using dedicated high-quality risk information.

Changes for the fourth edition

Risk management continues to be a dynamic and developing discipline and the changes that were necessary in the production of the fourth edition of this book reflect that fact. Certain types of risk have increased dramatically and the need for a robust ERM to be adopted by organizations has never been greater. Risks that have increased considerably since the third edition of this book include the global phenomenon of youth unemployment, the increasing level of political instability in the world, the increasing number of incidents associated with climate change, and the increasingly sophisticated levels of cyber-crime.

Changes to the textbook include amendments to ensure that the contents remain relevant in an increasingly uncertain world, and increasingly complex business environment. Several chapters required substantial updating to accommodate the developments in risk management over the past two years. In particular, Part Two consolidates the chapters concerned with the different approaches to risk management and includes consideration of risk management standards, outlines the importance of establishing the context and considers ERM in detail in Chapter 8.
The opportunity has also been taken to provide more information on establishing the context, by a more detailed analysis of the external and internal context of an organization in Chapter 7, together with discussion of the risk management context in Chapter 21. Also, there has been greater use of case studies in the fourth edition with three different case studies included in each of the eight parts of the book. The case studies have been selected to provide examples of good practice in risk management by various companies around the world. One of the most important considerations in producing the fourth edition was to more closely align the order of the chapters in the textbook with the structure of the Institute of Risk Management (IRM) International Certificate in Enterprise Risk Management (ERM). Accordingly, the first four parts of the fourth edition are concerned with the basic principles of risk and risk management. Parts Five through to Eight are concerned with the practice of risk management and include consideration of risk strategy, culture, governance and assurance. Aligning the structure of the fourth edition with the IRM international certificate has provided a better structured order in which to present the technical content. 
PART ONE
Introduction to risk management

Learning outcomes for Part One

● produce a range of established definitions of risk and risk management and describe the usefulness of the various definitions;
● list the range of characteristics of a risk that need to be identified in order to provide a full risk description and justify the inclusion of each item;
● summarize the options for the attachment of risks to various attributes of an organization and describe the advantages of each approach;
● identify the features of the four types of risk that enable them to be identified as compliance, hazard, control and opportunity risks;
● summarize the origins and development of the discipline of risk management, including the various specialist areas and approaches;
● explain the characteristics of enterprise risk management (ERM) and the benefits of the ERM approach over traditional risk management;
● summarize the principles (PACED) and aims of risk management and its importance to strategy, tactics, operations and compliance (STOC);
● describe the key outputs of risk management in terms of mandatory obligations, assurance, decision making and effective and efficient core processes (MADE2).
Part One further reading

Bernstein, P (1998) Against the Gods: The Remarkable Story of Risk, www.wiley.com
British Standard BS 31100:2011 Risk Management: Code of Practice and Guidance for the Implementation of BS ISO 31000, www.standardsuk.com
Institute of Risk Management (2002) A Risk Management Standard, www.theirm.org
Institute of Risk Management (2010) A Structured Approach to Enterprise Risk Management (ERM) and the Requirements of ISO 31000, www.theirm.org
International Standard ISO 31000:2009 Risk Management: Principles and Guidelines, www.iso.org
Pullan, P and Murray-Webster, R (2011) A Short Guide to Facilitating Risk Management, www.gowerpublishing.com

Part One case studies

Rank Group: How we manage risk

Rank operates a comprehensive risk management methodology which is closely integrated to its management structure to provide clear oversight and governance of the risks which are considered to be material to its business, and to maintain continual surveillance of its operating environment for emerging risks. The approach endeavours to ensure that a clear risk appetite is set that balances risks and opportunities to contribute to the achievement of the group’s strategic objectives.

The board has responsibility for the risk framework and establishing the group’s risk appetite, as well as ensuring that risk controls are built into management’s approach to operations. The audit committee holds the responsibility for assessing the effectiveness of the risk management systems which are in place and undertaking independent review of the risk mitigation plans which have been designed for material risks. Rank’s risk committee meets on a monthly basis with a remit to conduct a thorough review of the risk register and to ensure that management are working effectively to identify and manage risks as they arise and on a continual basis.
Working sessions of the committee are held with departmental and divisional management to ensure that risks are being identified in a timely manner and effective action plans put into place. This approach ensures that risk is identified in both a ‘top-down’ and a ‘bottom-up’ manner from the various management levels of the organization to give assurance that risk registers are comprehensive. Group internal audit works in support of the risk committee to help manage risk identification and conduct independent reviews of both the business’s risks and its progress in performing the mitigating action plans agreed for any relevant risks, the status of which is reported to the risk committee monthly.

Edited extract from The Rank Group Plc Annual Report and Financial Statements 2015

ABIL: Risk management overview

The ABIL risk management strategy is to embed a risk culture and support business units within the group. The key focus is to ensure that business units operate within risk parameters that will lead to sustainable business and enhanced risk management practices. The structure is supported by three pillars: competence, collaboration and independence.

In the 2013 financial year, the customer value proposition was enhanced by offering new products such as short-term insurance (funeral) and investments that introduced additional operational and compliance risk. These products are aimed at providing a diversified income stream, lowering the cost of funding and attracting a more diversified customer base. The group risk function has been broadened with regard to systems and people in order to focus on key areas, such as non-compliance with regulatory requirements. This function has been particularly critical in fraud mitigation this year, to assist with early detection and timely resolution. The group risk management approach is an approved enterprise-wide risk management methodology and philosophy to ensure adequate and effective risk management.
In addition, the methodology also provides regulatory principles and a risk management approach that ensures the following core principles are adhered to:

● clear assignment of responsibilities and accountabilities;
● common enterprise-wide risk management framework and process;
● identification of uncertain future events that may influence achievement of business plans and strategic objectives; and
● integration of risk management activities within the company and across its value chains.

ABIL’s risk management objective is to ensure a proactive identification, understanding and assessment of risks, including activities undertaken that result in risks which could impact on business objectives. This is executed through various risk management and governance mechanisms and risk management oversight bodies.

Edited extract from African Bank Investments Limited Risk report for the financial year ended 30 September 2013

BIS: Approach to risk

Our risk management approach is based on devolved accountability across the departmental groups and our partner organization network, so that risks are assigned to those best placed to manage them, whilst maintaining clear accountability. Risks that can and should be managed at group or partner organization level remain within those entities and are subject to their own risk assurance and scrutiny processes in line with the overall risk management process set by the department.

A corporate performance and risk team acts as a central point for advice and guidance on effective risk management. The team co-ordinates the top level risk register, which is the route by which our most significant risks are escalated. Risks for escalation to the top level risk register are proposed at all working levels, but only those risks that could have a significant, cross-cutting impact on the department are included.
Following a risk management review by internal audit, we have continued to focus on building skills and capacity within our approach to risk management. This has further enhanced consistency across the department and our partner organizations. A continued emphasis on sharing good practice in risk management, supported by training and development for our staff has improved our agreed processes to risk management.

The risk management process has continued to work well in BIS with risks escalated throughout the department and scrutiny provided by our boards, committees and non-executive board members. Work over the next 12 months will focus on further building skills and capacity to fully embed the BIS risk management processes, ensuring a comprehensive understanding amongst the department and our partner organizations.

Edited extract from Department for Business Innovation and Skills Annual Report and Accounts 2013–14

01 Approaches to defining risk

Definitions of risk

The Oxford English Dictionary definition of risk is as follows: ‘a chance or possibility of danger, loss, injury or other adverse consequences’, and the definition of at risk is ‘exposed to danger’. In this context, risk is used to signify negative consequences. However, taking a risk can also result in a positive outcome. A third possibility is that risk is related to uncertainty of outcome.

Take the example of owning a motor car. For most people, owning a car is an opportunity to become more mobile and gain the related benefits. However, there are uncertainties in owning a car that are related to maintenance and repair costs. Finally, motor cars can be involved in accidents, so there are obvious negative outcomes that can occur. It is also important to remember the legal obligations associated with car ownership and the rules that must be obeyed when the car is being driven on a road.
Definitions of risk can be found from many sources, and some key definitions are set out in Table 1.1. An alternative definition is also provided to illustrate the broad nature of risks that can affect organizations. The Institute of Risk Management (IRM) defines risk as the combination of the probability of an event and its consequence. Consequences can range from positive to negative. This is a widely applicable and practical definition that can be easily applied.

The international guide to risk-related definitions is ISO Guide 73, and it defines risk as the ‘effect of uncertainty on objectives’. This definition appears to assume a certain level of knowledge about risk management and it is not easy to apply to everyday life. The meaning and application of this definition will become clearer as the reader progresses through this book. An earlier version of Guide 73 (2002) also notes that an effect may be positive, negative, or a deviation from the expected. These three types of events can be related to risks as opportunity, hazard or uncertainty, and this relates to the example of motor car ownership outlined above. The guide notes that risk is often described by an event, a change in circumstances, a consequence, or a combination of these and how they may affect the achievement of objectives.

The Institute of Internal Auditors (IIA) defines risk as the uncertainty of an event occurring that could have an impact on the achievement of objectives. The IIA adds that risk is measured in terms of consequences and likelihood. Different disciplines define the term risk in very different ways. The definition used by health and safety professionals is that risk is a combination of likelihood and magnitude, but this may not be sufficient for more general risk management purposes.
Given that there are many available definitions for the word risk, it is important that the organization chooses the definition that is most suitable for its own purposes. The definition can be as narrow or as comprehensive as the organization wishes. As a version of a comprehensive definition of the word risk, the author offers the following:

An event with the ability to impact (inhibit, enhance or cause doubt about) the effectiveness and efficiency of the core processes of an organization.

Risk in an organizational context is usually defined as anything that can impact the fulfilment of corporate objectives. However, corporate objectives are usually not fully stated by most organizations. Where the objectives have been established, they tend to be stated as internal, annual, change objectives. This is particularly true of the personal objectives set for members of staff in the organization, where objectives usually refer to change or developments, rather than the continuing or routine operations of the organization.

Table 1.1 Definitions of risk

Organization | Definition of risk
ISO Guide 73, ISO 31000 | Effect of uncertainty on objectives. Note that an effect may be positive, negative, or a deviation from the expected. Also, risk is often described by an event, a change in circumstances or a consequence.
Institute of Risk Management (IRM) | Risk is the combination of the probability of an event and its consequence. Consequences can range from positive to negative.
Orange Book from HM Treasury | Uncertainty of outcome, within a range of exposure, arising from a combination of the impact and the probability of potential events.
Institute of Internal Auditors | The uncertainty of an event occurring that could have an impact on the achievement of the objectives. Risk is measured in terms of consequences and likelihood.
It is generally accepted that risk is best defined by concentrating on risks as events, as in the definition of risk provided in ISO 31000 and the definition provided by the Institute of Internal Auditors, set out in Table 1.1. In order for a risk to materialize, an event must occur. Therefore, perhaps a risk can simply be considered to be ‘an unplanned event with unexpected consequences’. Greater clarity is likely to be brought to the risk management process if the focus is on events.

For example, consider what could disrupt a theatre performance. The events that could cause disruption include a power cut, the absence of a key actor, or a substantial transport failure or road closures that delay the arrival of the audience, as well as the illness of a significant number of staff. Having identified the events that could disrupt the performance, the management of the theatre needs to decide what to do to reduce the chances of one of these events causing the cancellation of a performance. This analysis by the management of the theatre is an example of risk management in practice.

Types of risks

Risk may have positive or negative outcomes or may simply result in uncertainty. Therefore, risks may be considered to be related to an opportunity or a loss or the presence of uncertainty for an organization. Every risk has its own characteristics that require particular management or analysis. In this book, risks are divided into four categories:

● compliance (or mandatory) risks;
● hazard (or pure) risks;
● control (or uncertainty) risks;
● opportunity (or speculative) risks.

In general terms, organizations will seek to minimize compliance risks, mitigate hazard risks, manage control risks and embrace opportunity risks. However, it is important to note that there is no ‘right’ or ‘wrong’ subdivision of risks. Readers will encounter other subdivisions in other texts and these may be equally appropriate.
It is, perhaps, more common to find risks described as two types, pure or speculative. Indeed, there are many debates about risk management terminology. Whatever the theoretical discussions, the most important issue is that an organization adopts the risk classification system that is most suitable for its own circumstances. There are certain risk events that can only result in negative outcomes. These risks are hazard risks or pure risks, and these may be thought of as operational or insurable risks. In general, organizations will have a tolerance of hazard risks, and these need to be managed within the levels that the organization can tolerate. A good example of a hazard risk faced by many organizations is that of theft. There are other risks that give rise to uncertainty about the outcome of a situation. These can be described as control risks and are frequently associated with project management. In general, organizations will have an aversion to control risks. Uncertainties can be associated with the benefits that the project produces, as well as uncertainty about the delivery of the project on time, within budget and to specification. The management of control risks will often be undertaken in order to ensure that the outcome from the business activities falls within the desired range. The purpose is to reduce the variance between anticipated outcomes and actual results. At the same time, organizations deliberately take risks, especially marketplace or commercial risks, in order to achieve a positive return. These can be considered as opportunity or speculative risks, and an organization will have a specific appetite for investment in such risks. Opportunity risks relate to the relationship between risk and return. The purpose is to take action that involves risk to achieve positive gains. The focus of opportunity risks will be towards investment.
The application of risk management tools and techniques to the management of hazard risks is the best and longest-established branch of risk management, and much of this text will concentrate on hazard risks. There is a hierarchy of controls that apply to hazard risks, and this is discussed in Chapter 16. Hazard risks are associated with a source of potential harm or a situation with the potential to undermine objectives in a negative way and hazard risk management is concerned with mitigating the potential impact. Hazard risks are the most common risks associated with operational risk management, including occupational health and safety programmes.

Control risks are associated with unknown and unexpected events. They are sometimes referred to as uncertainty risks and they can be extremely difficult to quantify. Control risks are often associated with project management and the implementation of tactics. In these circumstances, it is known that the events will occur, but the precise consequences of those events are difficult to predict and control. Therefore, the approach is based on managing the uncertainty about the potential impacts and consequences of these events.

There are two main aspects associated with opportunity risks. There are risks/dangers associated with taking an opportunity, but there are also risks associated with not taking the opportunity. Opportunity risks may not be visible or physically apparent, and they are often financial in nature. Although opportunity risks are taken with the intention of obtaining a positive outcome, this is not guaranteed. Nevertheless, the overall approach is to embrace the opportunity and the associated opportunity risks. Opportunity risks for small businesses include moving a business to a new location, acquiring new property, expanding a business and diversifying into new products.
Risk description

In order to fully understand a risk, a detailed description is necessary so that a common understanding of the risk can be identified and ownership/responsibilities may be clearly understood. Table 1.2 lists the range of information that must be recorded to fully understand a risk. The list of information set out in Table 1.2 is most applicable to hazard risks and the list will need to be modified to provide a full description of control or opportunity risks.

TABLE 1.2 Risk description

● Name or title of risk
● Statement of risk, including scope of risk and details of possible events and dependencies
● Nature of risk, including details of the risk classification and timescale of potential impact
● Stakeholders in the risk, both internal and external
● Risk attitude, appetite, tolerance, limits for the risk and/or risk criteria
● Likelihood and magnitude of event and consequences should the risk materialize at current/residual level
● Control standard required, target level of risk or risk criteria
● Incident and loss experience
● Existing control mechanisms and activities
● Responsibility for developing risk strategy and policy
● Potential for risk improvement and level of confidence in existing controls
● Risk improvement recommendations and deadlines for implementation
● Responsibility for implementing improvements
● Responsibility for auditing risk compliance

So that the correct range of information can be collected about each risk, the distinction between compliance, hazard, control and opportunity risks needs to be clearly understood. The example below is intended to distinguish between these four types of risk, so that the information required in order to describe each type of risk can be identified.

Range of computer risks

In order to understand the distinction between compliance, hazard, control and opportunity risks, the example of the use of computers is helpful.
Operating a computer system involves fulfilling certain legal obligations; in particular, data protection requirements and these are the compliance risks. Virus infection is an operational or hazard risk and there will be no benefit to an organization suffering a virus attack on its software programs. When an organization installs or upgrades a software package, control risks will be associated with the upgrade project. The selection of new software is also an opportunity risk, where the intention is to achieve better results by installing the new software, but it is possible that the new software will fail to deliver all of the functionality that was intended and the opportunity benefits will not be delivered. In fact, the failure of the functionality of the new software system may substantially undermine the operations of the organization.

Inherent level of risk

It is important to understand the uncontrolled level of all risks that have been identified. This is the level of the risk before any actions have been taken to change the likelihood or magnitude of the risk. Although there are advantages in identifying the inherent level of risk, there are practical difficulties in identifying this with some types of risks. Identifying the inherent level of the risk makes it possible to identify the importance of the control measures in place. The IIA has previously held the view that the assessment of all risks should commence with the identification of the inherent level of the risk. The guidance from the IIA has previously stated that: ‘in the risk assessment, we look at the inherent risks before considering any controls.’ Although there is considerable debate about whether to undertake risk assessment at inherent or current level, the purpose of any risk assessment remains the same.
It is to identify what is believed to be the current level of the risk and identify the key controls that are in place to ensure that the current level is actually achieved. Often, a risk matrix is used to show the inherent level of the risk in terms of likelihood and magnitude. The residual or current level of the risk can then be identified, after the control or controls have been put in place. The effort that is required to reduce the risk from its inherent level to its current level can be clearly indicated on the risk matrix. Terminology varies and the inherent level of risk is sometimes referred to as the absolute risk or gross risk. Also, the current level of risk is often referred to as the residual level, net level or the managed level of risk. The box below provides an example of how inherently high-risk activities are reduced to a lower level of risk by the application of sensible and practical risk response options.

Crossing the road

Crossing a busy road would be inherently dangerous if there were no controls in place and many more accidents would occur. When a risk is inherently dangerous, greater attention is paid to the control measures in place, because the perception of risk is much higher. Pedestrians do not cross the road without looking and drivers are always aware that pedestrians may step into the road. Often, other traffic calming control measures are necessary to reduce the speed of the motorists or increase the risk awareness of both motorists and pedestrians.

Risk classification systems

Risks can be classified according to the nature of the attributes of the risk, such as timescale for impact, and the nature of the impact and/or likely magnitude of the risk. They can also be classified according to the timescale of impact after the event occurs. The source of the risk can also be used as the basis of classification.
In this case, a risk may be classified according to its origin, such as counterparty or credit risk. A further way of classifying risks is to consider the nature of the impact. Some risks can cause detriment to the finances of the organization, whereas others will have an impact on the activities or the infrastructure. Further, risks may have an impact on the reputation of the organization, or on its status and the way it is perceived in the marketplace. Risks may also be classified according to the component or feature of the organization that will be impacted. For example, risks can be classified according to whether they will impact people, premises, processes or products. An important consideration for organizations when deciding their risk classification system is to determine whether the risks will be classified according to the source of the risk, the component impacted or the consequences of the risk materializing. Individual organizations will decide on the risk classification system that suits them best, depending on the nature of the organization and its activities. Also, many risk management standards and frameworks suggest a specific risk classification system. If the organization adopts one of these standards, then it will tend to follow the classification system recommended. The risk classification system that is selected should be fully relevant to the organization concerned. There is no universal classification system that fulfils the requirements of all organizations. It is likely that each risk will need to be classified in several ways in order to clearly understand its potential impact. However, many classification systems offer common or similar structures, as described in Chapter 11.

Risk likelihood and magnitude

Risk likelihood and magnitude are best demonstrated using a risk matrix. Risk matrices can be produced in many formats. Whatever format is used for a risk matrix, it is a very valuable tool for the risk management practitioner.
The basic style of risk matrix plots the likelihood of an event against the magnitude or impact should the event materialize. Figure 1.1 is an illustration of a simple risk matrix, also referred to as a risk map or heat map. This is a commonly used method of illustrating risk likelihood and the magnitude (or severity) of the event should the risk materialize. The use of the risk matrix to illustrate risk likelihood and magnitude is a fundamentally important risk management tool. The risk matrix can be used to plot the nature of individual risks, so that the organization can decide whether the risk is acceptable and within the risk appetite and/or risk capacity of the organization. Throughout this book, a standard format for presenting a risk matrix has been adopted. The horizontal axis is used to represent likelihood. The term likelihood is used rather than frequency, because the word frequency implies that events will definitely occur and the risk matrix is registering how often these events take place. Likelihood is a broader word that includes frequency, but also refers to the chances of an unlikely event happening. However, in risk management literature, the word ‘probability’ will often be used to describe the likelihood of a risk materializing. The vertical axis is used to indicate magnitude in Figure 1.1. The word magnitude is used rather than severity, so that the same style of risk matrix can be used to illustrate compliance, hazard, control and opportunity risks. Severity implies that the event is undesirable and is, therefore, related to compliance and hazard risks. The magnitude of the risk may be considered to be its gross or inherent level before controls are applied. Figure 1.1 plots likelihood against the magnitude of an event. However, the more important consideration for risk managers is not the magnitude of the event, but the impact of the event and the consequences that follow.
For example, a large fire could occur that completely destroys a warehouse of a distribution and logistics company. Although the magnitude of the event may be large, if sufficient insurance is in place, the impact in terms of financial costs for the company could be minimal, and if the company has produced plans to cope with such an event, the consequences for the overall business may be much less than would otherwise be anticipated. The magnitude of an event may be considered to be the inherent level of the event and the impact can be considered to be the risk-managed level. Because the impact (and the associated consequences) of an event is usually more important than its magnitude (or severity), every risk matrix used in the remainder of this book will plot impact against likelihood, rather than magnitude against likelihood.

[FIGURE 1.1 Risk likelihood and magnitude: a matrix with likelihood on the horizontal axis and magnitude on the vertical axis. Quadrants: low likelihood/high magnitude; high likelihood/high magnitude; low likelihood/low magnitude; high likelihood/low magnitude.]

The risk matrix is used throughout this book to provide a visual representation of risks. It can also be used to indicate the likely risk control mechanisms that can be applied. The risk matrix can also be used to record the inherent, current (or residual) and target levels of the risk. Shading or colour coding is often used on the risk matrix to provide a visual representation of the importance of each risk under consideration. As risks move towards the top right-hand corner of the risk matrix, they become more likely and have a greater impact. Therefore, the risk becomes more important and immediate and effective risk control measures need to be in place.

02 Impact of risk on organizations

Level of risk

Following the events in the world financial system during 2008, all organizations are taking a greater interest in risk and risk management.
It is increasingly understood that the explicit and structured management of risks brings benefits. By taking a proactive approach to risk and risk management, organizations will be able to achieve the following four areas of improvement:

● Strategy, because the risks associated with different strategic options will be fully analysed and better strategic decisions will be reached.
● Tactics, because consideration will have been given to selection of the tactics and the risks involved in the alternatives that may be available.
● Operations, because events that can cause disruption will be identified in advance and actions taken to reduce the likelihood of these events occurring, limit the damage caused by these events and contain the cost of the events.
● Compliance will be enhanced because the risks associated with failure to achieve compliance with statutory and customer obligations will be recognized.

It is no longer acceptable for organizations to find themselves in a position whereby unexpected events cause financial loss, disruption to normal operations, damage to reputation and loss of market presence. Stakeholders now expect that organizations will take full account of the risks that may cause disruption within operations, late delivery of projects or failure to deliver strategy. The exposure presented by an individual risk can be defined in terms of the likelihood of the risk materializing and the impact of the risk when it does materialize. As risk exposure increases, the likely impact will also increase. Guide 73 refers to this measurement of likelihood and impact as being the current or residual ‘level of risk’. This level of risk should be compared with the risk attitude and risk appetite of the organization for risks of that type. The risk appetite will sometimes be described as a set of risk criteria. Throughout this book, the term ‘magnitude’ is used to indicate the size of the event that has occurred or might occur.
The term ‘impact’ is used to define how the event affects the finances, operations, reputation and/or marketplace (FIRM) of the organization. This use of terminology is also consistent with the use of impact in business continuity planning evaluations. This is a measure of the risk at the current level. The term ‘consequences’ is used in this book to indicate the extent to which the event results in failure to achieve effective and efficient strategy, tactics, operations and compliance (STOC).

Injury to key player

A sports club will wish to reduce the chances of a key player being absent through injury. However, key players do get injured and the club will need to consider the impact of such an event in advance of it happening. If the injury is serious, the player may be absent for a significant length of time. There is likely to be a substantial impact, which will be most obvious on the pitch where the success of the team is likely to be reduced. However, other consequences may also result and these could include the loss of revenue from the sale of shirts and other merchandise with that player’s name and number. Arrangements to reduce the potential for loss of income should also be considered.

Impact of hazard risks

Hazard risks undermine objectives, and the level of impact of such risks is a measure of their significance. Risk management has its longest history and earliest origins in the management of hazard risks. Hazard risk management is closely related to the management of insurable risks. Remember that a hazard (or pure) risk can only have a negative outcome. Hazard risk management is concerned with issues such as health and safety at work, fire prevention, avoiding damage to property and the consequences of defective products. Hazard risks can cause disruption to normal operations, as well as resulting in increased costs and poor publicity associated with disruptive events.
Hazard risks are related to business dependencies, including IT and other supporting services. There is increasing dependence on the IT infrastructure of most organizations and IT systems can be disrupted by computer breakdown or fire in server rooms, as well as virus infection and deliberate hacking or computer attacks. Theft and fraud can also be significant hazard risks for many organizations. This is especially true for organizations handling cash or managing a significant number of financial transactions. Techniques relevant to the avoidance of theft and fraud include adequate security procedures, segregation of financial duties, and authorization and delegation procedures, as well as the vetting of staff prior to employment. It is worth reflecting on terminology, because this is especially important in relation to hazard risks, if an event occurs. If a hazard risk materializes, it may have a very large magnitude, such as the destruction of the main distribution warehouse of an organization. This large magnitude event will have an impact on the organization related to potential financial costs, destruction of infrastructure, damage to reputation and the inability to function in the marketplace. Magnitude represents the gross or inherent level of the risk. However, the impact of the event will be reduced because of the controls that are in place. Impact represents the net, residual or current level of the risk. These controls reduce the financial impact, the extent of destruction of infrastructure, as well as controls designed to protect reputation and marketplace activities. But, what is also important for the organization is the consequences of the major warehouse fire. These consequences relate to the effect that the fire might have on the strategy, tactics, operations and compliance activities within the organization.
It is possible that a major fire will cause significant financial loss that is covered by insurance, so that this large magnitude event has little impact on the finances of the organization. Effective crisis management and business continuity will ensure that the consequences of this major fire from the point of view of customers will be so well managed that customers need not be aware that a major fire has taken place. Finally, the importance of compliance risks should not be underestimated. Compliance risks can be substantial for many organizations, especially those business sectors that are heavily regulated. In some cases, compliance with mandatory requirements represents a ‘licence to operate’ and failure to achieve the level of compliance activities required by the relevant regulator can have a significant impact on the reputation of the organization and substantial consequences for routine business activities.

Attachment of risks

Although most standard definitions of risk refer to risks as being attached to corporate objectives, Figure 2.1 provides an illustration of the options for the attachment of risks. Risks are shown in the diagram as being capable of impacting the key dependencies that deliver the core processes of the organization. Corporate objectives and stakeholder expectations help define the core processes of the organization. These core processes are key components of the existing nature and future enhancement of the business model and can relate to operations, tactics and corporate strategy, as well as compliance activities, as considered further in Chapter 19. The intention of Figure 2.1 is to demonstrate that significant risks can be attached to features of the organization other than corporate objectives. Significant risks can be identified by considering the key dependencies of the organization, the corporate objectives and/or the stakeholder expectations, as well as by analysis of the core processes of the organization.
For example, the failure of Northern Rock occurred because the wholesale money markets, on which the bank depended, stopped functioning. Another way of viewing the concept of attachment of risks is to consider that the features shown in Figure 2.1 offer alternative starting points for undertaking a risk assessment. For example, a risk assessment can be undertaken by asking ‘what do stakeholders expect of us?’ and ‘what risks could impact the delivery of those stakeholder expectations?’ In the build-up to the recent financial crisis, banks and other financial institutions established operational and strategic objectives. By analysing these objectives and identifying the risks that could prevent the achievement of them, risk management made a contribution to the achievement of the high-risk objectives that ultimately led to the failure of the organizations. This example illustrates that attaching risks to attributes other than objectives is not only possible but may well have been desirable in these circumstances.

[FIGURE 2.1 Attachment of risks. Diagram labels: Mission statement; Strategic or business plan (and annual budget); Corporate objectives; Stakeholder expectations; Core processes; Key dependencies; Significant risks. Arrow legend: Support or deliver; Impact or attach.]

It is clearly the case that risks are greater in circumstances of change. Therefore, linking risks to change objectives is not unreasonable, but the analysis of each objective in turn may not lead to robust risk recognition/identification. In any case, business objectives are usually stated at too high a level for the successful attachment of risks. To be useful to the organization, the corporate objectives should be presented as a full statement of the short-, medium- and long-term aims of the organization.
Internal, annual, change objectives are usually inadequate, because they may fail to fully identify the operational (or efficiency), change (or competition) and strategic (or leadership) requirements of the organization. The most important disadvantage associated with the ‘objectives-driven’ approach to risk and risk management is the danger of considering risks out of the context that gave rise to them. Risks that are analysed in a way that is separated from the situation that led to them will not be capable of rigorous and informed evaluation. It can be argued that a more robust analysis can be achieved when a ‘dependencies-driven’ approach to risk management is adopted. It remains the case that many organizations continue to use an analysis of corporate objectives as a means of identifying risks, because some benefits do arise from this approach. For example, using this ‘objectives-driven’ approach facilitates the analysis of risks in relation to the positive and uncertain aspects of the events that may occur, as well as facilitating the analysis of the negative and compliance aspects. If the decision is taken to attach risks to the objectives of the organization, it is important that these objectives have been fully and completely developed. Not only do the objectives need to be challenged to ensure that they are full and complete, but the assumptions that underpin the objectives should also receive careful and critical attention. Core processes are discussed in Chapter 19 and may be considered as the high-level processes that drive the organization. In the example of a sports club, one of the key processes is the operational process of ‘delivering successful results on the pitch’. Risks may be attached to this core process, as well as being attached to objectives and/or key dependencies. Core processes can be classified as strategic, tactical, operational and compliance (STOC). In all cases, the core processes need to be effective and efficient.
Mature (or sophisticated) risk management activities can then be designed to enhance the effectiveness and efficiency of core processes. Although risks can be attached to other features of the organization, the standard approach is to attach risks to corporate objectives. One of the standard definitions of risk is that it is something that can impact (undermine, enhance or cause doubt about) the achievement of corporate objectives. This is a useful definition, but it does not provide the only starting point for identifying significant risks. Attachment of risks to key dependencies and, especially, stakeholder expectations is becoming more common. The importance of stakeholders and their expectations is considered in more detail in Chapter 29. The use of key dependencies to identify risks can be a straightforward exercise. The organization will need to ask what are the features or components of the organization and its external context that are key to success. This will result in the identification of the strengths, weaknesses, opportunities and threats facing the organization. This is often referred to as a SWOT analysis. Having identified the key dependencies, as set out in Table 13.1, the organization can then consider the risks that will impact these dependencies. This approach is discussed in more detail with practical examples of risks provided in Table 13.1 and Table 15.2.

Risk and reward

Another feature of risk and risk management is that many risks are taken by organizations in order to achieve a reward. Figure 2.2 illustrates the relationship between the level of risk and the anticipated size of reward. A business will launch a new product because it believes that greater profit is available from the successful marketing of that product. In launching a new product, the organization will put resources at risk because it has decided that a certain amount of risk taking is appropriate.
The value at risk represents the risk appetite of the organization with respect to the activity that it is undertaking. When an organization puts value at risk in this way, it should do so with the full knowledge of the risk exposure and it should be satisfied that the risk exposure is within the appetite of the organization. Even more important, it should ensure that it has sufficient resources to cover the risk exposure. In other words, the risk exposure should be quantified, the appetite to take that level of risk should be confirmed, and the capacity of the organization to withstand any foreseeable adverse consequences should be clearly established. Not all business activities will offer the same return for the same level of risk taken. Start-up operations are usually high risk and the initial expected return may be low. Figure 2.2 demonstrates the probable risk versus reward development for a new organization or a new product. The activity will commence in the bottom right-hand corner as a start-up operation, which is high risk and low return.

[FIGURE 2.2 Risk and reward: potential reward (vertical axis) plotted against level of risk (horizontal axis), with quadrants labelled Mature operation, Growth, Decline and Start-up operation.]

As the business develops, it is likely to move to a higher return for the same level of risk. This is the growth phase for the business or product. As the investment matures, the reward may remain high, but the risks should reduce. Eventually, an organization will become fully mature and move towards the low-risk and low-return quadrant. The normal expectation in very mature markets is that the organization or product will be in decline. The particular risks that the organization faces will need to be identified by management or by the organization. Appropriate risk management techniques will then need to be applied to the risks that have been identified. The nature of these risk responses and the nature of their impact is considered in Part Four of this book.
The above discussion about risk and reward applies to opportunity risks. However, it must always be the case that risk management effort produces rewards. In the case of hazard risks, it is likely that the reward for increased risk management effort will be fewer disruptive events. In the case of project risks, the reward for increased risk management effort will be that the project is more likely to be delivered on time, within budget and to specification/quality. For opportunity risks, the risk versus reward analysis should result in fewer unsuccessful new products and a higher level of profit or (at worst) a lower level of loss for all new activities or new products. In all cases, profit or enhanced level of service is the reward for taking risk. The concept of the risk versus reward analysis in relation to strategic risks is considered in more detail in Figure 15.2.

Risk versus reward

In a Formula 1 Grand Prix, the Ferrari team decided to send a driver out on wet-weather tyres, before the rain had actually started. Wet-weather tyres wear out very quickly in dry conditions and make the car much slower. If the rain had started immediately, this would have proved to be a very good decision. In fact, the rain did not start for four or five laps, by which time the driver had been overtaken by most other drivers and his set of wet-weather tyres were ruined in the dry conditions. He had to return to the pits for a further set of new tyres more suited to the race conditions. In this case, a high-risk strategy was adopted in anticipation of significant rewards. However, the desired rewards were not achieved and significant disadvantage resulted.

Attitudes to risk

Different organizations will have different attitudes to risk. Some organizations may be considered to be risk averse, whilst others will be risk aggressive.
To some extent, the attitude of the organization to risk will depend on the sector and the nature and maturity of the marketplace within which it operates, as well as the attitude of the individual board members. Impact of ...

Explanation & Answer

Attached. Please let me know if you have any questions or need revisions.

Texas Fertilizer Plant Explosion

Name
Course
Institution
Date


Texas Fertilizer Plant Explosion, 2013
The ammonium nitrate explosion that occurred on 17th April 2013 at the storage and
distribution facility of the West Fertilizer Company in Texas was intentional and a form of
criminal act, according to federal officials. According to the Bureau of Alcohol, Tobacco,
Firearms, and Explosives, the explosion occurred when emergency services were responding to a
fire at the plant. The fire is believed to have been started intentionally. The explosion was fatal, as
it led to the death of 15 people at the facility; more than 160 individuals were injured, and
more than 150 buildings were destroyed. The explosion wiped away hundreds of homes and
flattened the farming community of almost 2800 people, who desperately fled for their lives. For
the people of Texas, the event is still unfolding as rescue teams continue to search for people
who went missing (Mannan, 2016). Some cases against the fertilizer plant are still ongoing, while
some cases were settled out of court. The evidence is considered to be one of the most
destructive events that have ever been investigated by the U.S. Chemical Safety and Hazard
Investigation Board.
The occurrence of the explosion resulted in massive disruption in the fertilizer company.
The disruption can be better explained by the bow-tie model. The model helps in identifying and
managing risks. The left side of the model represents the sources of a hazard, and classification may
differ among organizations. The right-hand side represents the impact of the hazard in the event
of its occurrence. The center shows different categories of disruption which may have an
impact on the day-to-day operations of an organization. The categories of disruption are
premises, people, processes, and products.


Disruption of the people had a significant impact on the organization. As a result of the
explosion, 15 people lost their lives and more than 160 others were injured. In addition to this,
the people who were living around the factory were forced to move away as their homes were
turned into rubble. The death of employees at the facility meant the organization had lost people
who were offering skills and knowledge. Those who were injured could also not carry out their
normal duties as they could have been admitted or incapacitated. The organization was
significantly affected as there were no employees to sustain its productivity levels. Also, the firm
had to incur additional costs covering medical bills as compensation for people who were
affected. All this could make the company strain financially.
There was also disruption of processes as a result of the explosion at the company
premises. The explosion could have led to the destruction of the hardware and software systems
of the company (Aqlan, 2020). As a result, the company might have lost important
information regarding its transactions. The loss of important data in the company makes it
challenging to carry out transactions. The communication network at the company could also
have been disrupted as a result of the explosion, resulting in communication challenges in the
company. The explosion could also make the organizational systems vulnerable to hacking and
computer viruses, which pose a great threat to the organization's data. The organizational processes
were generally brought down as a result of the explosion. Hence, the firm will have to incur high
costs to ensure the processes are back to normal.
The occurrence of the explosion also resulted in the disruption of products. The explosion
resulted in the displacement of people who were living near the factory. The majority of...

