Major Incident Case Response Analysis Part 2 Event Description
Review Figure 2.3 on page 33 of the text. Use the “Category” section of
the Bow Tie Model pictured to provide a description of the disruption
(what was the incident) for the incident you selected. Address this
disruption as it relates to the following elements from the model: People,
Premises, Processes and Products. (2 to 3 pages)
My incident topic is:
Texas Fertilizer Plant Explosion, 2013
Fundamentals of Risk Management
To a safe, secure and sustainable future

FOURTH EDITION
Fundamentals of Risk Management
Understanding, evaluating and implementing effective risk management
Paul Hopkin
Publisher's note
Every possible effort has been made to ensure that the information contained in this book is accurate
at the time of going to press, and the publishers and authors cannot accept responsibility for any
errors or omissions, however caused. No responsibility for loss or damage occasioned to any person
acting, or refraining from action, as a result of the material in this publication can be accepted by
the editor, the publisher or any of the authors.
First published in Great Britain and the United States in 2010 by Kogan Page Limited
Second edition 2012
Third edition 2014
Fourth edition 2017
Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted
under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form or by any means, with the prior permission in writing of the publishers, or in the case of
reprographic reproduction in accordance with the terms and licences issued by the CLA. Enquiries concerning
reproduction outside these terms should be sent to the publishers at the undermentioned addresses:
2nd Floor, 45 Gee Street
London EC1V 3RS
United Kingdom
www.koganpage.com
c/o Martin P Hill Consulting
122 W 27th St, 10th Floor
New York, NY 10001
USA
4737/23 Ansari Road
Daryaganj
New Delhi 110002
India
© The Institute of Risk Management, 2010, 2012, 2014, 2017
The right of The Institute of Risk Management to be identified as the author of this work has been asserted
by them in accordance with the Copyright, Designs and Patents Act 1988.
ISBN 978 0 7494 7961 9
E-ISBN 978 0 7494 7962 6
British Library Cataloguing-in-Publication Data
A CIP record for this book is available from the British Library.
Library of Congress Cataloging-in-Publication Control Number
2016046147
Typeset by Graphicraft Limited, Hong Kong
Print production managed by Jellyfish
Printed and bound by CPI Group (UK) Ltd, Croydon, CR0 4YY
CONTENTS
List of figures xv
List of tables xvii
Foreword xx
Acknowledgements xxi
Introduction 1

PART ONE Introduction to risk management 11
Learning outcomes for Part One 11
Part One further reading 11
Part One case studies 12
Rank Group: How we manage risk 12
ABIL: Risk management overview 12
BIS: Approach to risk 13

01 Approaches to defining risk 15
Definitions of risk 15
Types of risks 17
Risk description 18
Inherent level of risk 20
Risk classification systems 20
Risk likelihood and magnitude 21

02 Impact of risk on organizations 24
Level of risk 24
Impact of hazard risks 25
Attachment of risks 26
Risk and reward 29
Attitudes to risk 30
Risk and triggers 32

03 Types of risks 35
Timescale of risk impact 35
Four types of risk 36
Embrace opportunity risks 39
Manage uncertainty risks 40
Mitigate hazard risks 41
Minimize compliance risks 43

04 Scope of risk management 45
Origins of risk management 45
Development of risk management 48
Specialist areas of risk management 49
Simple representation of risk management 50
Enterprise risk management 53
Levels of risk management sophistication 54

05 Principles and aims of risk management 57
Principles of risk management 57
Importance of risk management 59
Risk management activities 60
Effective and efficient core processes 61
Implementing risk management 62
Achieving benefits 63

PART TWO Approaches to risk management 67
Learning outcomes for Part Two 67
Part Two further reading 67
Part Two case studies 68
United Utilities: Our risk management framework 68
Birmingham City Council: Scrutiny, accountability and risk management 68
Tsogo Sun: Risk management process 69

06 Risk management standards 71
Scope of risk management standards 71
Risk management process 74
Risk management context 75
COSO ERM cube 76
Features of RM standards 78
Updating of existing standard 79

07 Establishing the context 82
Scope of the context 82
External context 84
Internal context 85
Risk management context 87
Designing a risk register 88
Using a risk register 92

08 Enterprise risk management 96
Enterprise-wide approach 96
Definitions of ERM 98
ERM in practice 99
ERM and business continuity 100
ERM in energy and finance 101
Future development of ERM 102

09 Alternative approaches 104
Changing face of risk management 104
Managing emerging risks 105
Increasing importance of resilience 107
Different approaches 109
Structure of management standards 111
Future of risk management 113

PART THREE Risk assessment 115
Learning outcomes for Part Three 115
Part Three further reading 115
Part Three case studies 116
AA: Risk governance 116
British Land: Our assessment of risk is a cornerstone 116
Guide Dogs NSW/ACT: List of major residual risks 117

10 Risk assessment considerations 119
Importance of risk assessment 119
Approaches to risk assessment 120
Risk assessment techniques 122
Nature of the risk matrix 125
Risk perception 127
Attitude to risk 128

11 Risk classification systems 132
Short-, medium- and long-term risks 132
Nature of risk classification systems 134
Examples of risk classification systems 135
FIRM risk scorecard 137
PESTLE risk classification system 138
Compliance, hazard, control and opportunity 140

12 Risk analysis and evaluation 143
Application of a risk matrix 143
Inherent and current level of risk 145
Control confidence 147
4Ts of hazard risk response 148
Risk significance 149
Risk capacity 150

13 Loss control 152
Risk likelihood 152
Risk magnitude 153
Hazard risks 154
Loss prevention 156
Damage limitation 157
Cost containment 157

14 Defining the upside of risk 159
Upside of risk 159
Opportunity assessment 162
Riskiness index 163
Upside in strategy 167
Upside in projects 168
Upside in operations 169

PART FOUR Risk response 171
Learning outcomes for Part Four 171
Part Four further reading 171
Part Four case studies 172
Intu Properties: Insurance renewal 172
The Walt Disney Company: Disclosures about market risks 172
Australian Mines Limited: Risk assessment and management 173

15 Tolerate, treat, transfer and terminate 175
The 4Ts of hazard response 175
Tolerate risk 177
Treat risk 180
Transfer risk 181
Terminate risk 181
Strategic risk response 182

16 Risk control techniques 186
Types of controls 186
Hazard risk zones 190
Preventive controls 192
Corrective controls 192
Directive controls 193
Detective controls 194

17 Insurance and risk transfer 196
Importance of insurance 196
History of insurance 197
Types of insurance cover 198
Evaluation of insurance needs 200
Purchase of insurance 200
Captive insurance companies 203

18 Business continuity 206
Business continuity management 206
Business continuity standards 208
Successful business continuity 211
Business impact analysis (BIA) 214
Business continuity and ERM 214
Civil emergencies 216

PART FIVE Risk strategy 219
Learning outcomes for Part Five 219
Part Five further reading 219
Part Five case studies 220
AMEC Foster Wheeler: Principal risks and uncertainties 220
BBC: Internal controls assurance 220
Emperor Watch & Jewellery: Risk management 221

19 Core business processes 223
Dynamic business models 223
Types of business processes 226
Strategy and tactics 227
Effective and efficient operations 228
Ensuring compliance 229
Reporting performance 230

20 Reputation and the business model 232
Components of the business model 232
Risk management and the business model 233
Reputation and corporate governance 235
CSR and risk management 235
Supply chain and ethical trading 238
Importance of reputation 240

21 Risk management context 244
Architecture, strategy and protocols 244
Risk architecture 247
Risk management strategy 247
Risk management protocols 248
Risk management manual 249
Risk management documentation 252

22 Risk management responsibilities 257
Allocation of responsibilities 257
Range of responsibilities 258
Statutory responsibilities of management 260
Role of the risk manager 262
Risk architecture in practice 264
Risk committees 267

23 Control of selected hazard risks 270
Cost of risk controls 270
Learning from controls 273
Control of financial risks 275
Control of infrastructure risks 277
Control of reputational risks 281
Control of marketplace risks 283

PART SIX Risk culture 285
Learning outcomes for Part Six 285
Part Six further reading 285
Part Six case studies 286
Network Rail: Our approach to risk management 286
Ekurhuleni Metropolitan Municipality (EMM): Risk management 286
Ericsson: Corporate governance report 287

24 Risk-aware culture 289
Styles of risk management 289
Steps to successful risk management 290
Defining risk culture 291
Measuring risk culture 295
Alignment of activities 297
Risk maturity models 299

25 Importance of risk appetite 302
Nature of risk appetite 302
Risk appetite and the risk matrix 304
Risk and uncertainty 306
Risk exposure and risk capacity 308
Risk appetite statements 310
Risk appetite and lifestyle decisions 313

26 Risk training and communication 316
Consistent approach to risk 316
Risk training and risk culture 317
Risk information and communication 319
Shared risk vocabulary 321
Risk information on an intranet 322
Risk management information system (RMIS) 323

27 Risk practitioner competencies 325
Competency frameworks 325
Range of skills 326
Communication skills 328
Relationship skills 331
Analytical skills 332
Management skills 333

PART SEVEN Risk governance 335
Learning outcomes for Part Seven 335
Part Seven further reading 335
Part Seven case studies 336
Severn Trent Water: Our approach to risk 336
Tim Hortons: Sustainability and responsibility 336
DCMS: Capacity to handle risk 337

28 Corporate governance model 339
Corporate governance 339
OECD principles of corporate governance 340
LSE corporate governance framework 342
Corporate governance for a bank 343
Corporate governance for a government agency 344
Evaluation of board performance 347

29 Stakeholder expectations 351
Range of stakeholders 351
Stakeholder dialogue 353
Stakeholders and core processes 354
Stakeholders and strategy 356
Stakeholders and tactics 357
Stakeholders and operations 358

30 Operational risk management 360
Operational risk 360
Definition of operational risk 361
Basel II and Basel III 363
Measurement of operational risk 364
Difficulties of measurement 366
Developments in operational risk 367

31 Project risk management 370
Introduction to project risk management 370
Development of project risk management 371
Uncertainty in projects 372
Project lifecycle 374
Opportunity in projects 377
Project risk analysis and management 378

32 Supply chain management 380
Importance of the supply chain 380
Scope of the supply chain 381
Strategic partnerships 382
Joint ventures 384
Outsourcing of operations 384
Risk and contracts 387

PART EIGHT Risk assurance 389
Learning outcomes for Part Eight 389
Part Eight further reading 389
Part Eight case studies 390
Unilever: Our risk appetite and approach to risk management 390
Colgate Palmolive: Damage to reputation 390
Sainsbury’s and Tesco: Principal risks and uncertainties 391

33 The control environment 393
Nature of control environment 393
Purpose of internal control 394
Control environment 395
Features of the control environment 397
CoCo framework of internal control 399
Good safety culture 401

34 Risk assurance techniques 402
Audit committees 402
Role of risk management 404
Risk assurance 405
Risk management outputs 407
Control risk self-assessment 408
Benefits of risk assurance 409

35 Internal audit activities 411
Scope of internal audit 411
Role of internal audit 412
Undertaking an internal audit 414
Risk management and internal audit 416
Management responsibilities 419
Five lines of assurance 420

36 Reporting on risk management 423
Risk reporting 423
Sarbanes–Oxley Act of 2002 425
Risk reports by US companies 426
Charities’ risk reporting 428
Public-sector risk reporting 429
Government report on national security 430

Appendix A: Abbreviations and acronyms 433
Appendix B: Glossary of terms 436
Appendix C: Implementation guide 446
Index 449
LIST OF FIGURES
FIGURE 1.1 Risk likelihood and magnitude 22
FIGURE 2.1 Attachment of risks 27
FIGURE 2.2 Risk and reward 29
FIGURE 2.3 Disruptive events and the bow-tie 33
FIGURE 4.1 8Rs and 4Ts of (hazard) risk management 52
FIGURE 4.2 Risk management sophistication 55
FIGURE 6.1 IRM risk management process 73
FIGURE 6.2 Components of the RM context 75
FIGURE 6.3 COSO ERM framework 77
FIGURE 6.4 Risk management process from ISO 31000 79
FIGURE 7.1 Three components of context 83
FIGURE 10.1 Risk attitude matrix 129
FIGURE 11.1 Bow-tie representation of risk management 133
FIGURE 11.2 Bow-tie and risks to premises 135
FIGURE 12.1 Personal risk matrix 144
FIGURE 12.2 Inherent, current and target levels of risk 145
FIGURE 13.1 Loss control and the bow-tie 156
FIGURE 14.1 Risk matrix for opportunities and hazards 163
FIGURE 15.1 Risk matrix and the 4Ts of hazard management 177
FIGURE 15.2 Risk versus reward in strategy 183
FIGURE 15.3 Opportunity risks and risk appetite 184
FIGURE 16.1 Types of controls for hazard risks 186
FIGURE 16.2 Bow-tie and types of controls 189
FIGURE 16.3 Hazard risk zones 191
FIGURE 17.1 Role of captive insurance companies 204
FIGURE 18.1 Disaster recovery timeline and costs 209
FIGURE 18.2 Model for business continuity planning 210
FIGURE 19.1 Business development model 225
FIGURE 20.1 Components of the business model 233
FIGURE 20.2 Mapping the components of reputation 241
FIGURE 22.1 Risk architecture for a large corporation 264
FIGURE 22.2 Risk architecture for a charity 266
FIGURE 23.1 Illustration of control effect 271
FIGURE 23.2 Cost-effective controls 272
FIGURE 23.3 Learning from controls 273
FIGURE 23.4 Risk and reward decisions 274
FIGURE 24.1 Risk maturity demonstrated on a matrix 300
FIGURE 25.1 Risk appetite, exposure and capacity (optimal) 304
FIGURE 25.2 Risk and uncertainty 307
FIGURE 25.3 Risk appetite, exposure and capacity (vulnerable) 309
FIGURE 28.1 LSE corporate governance framework 342
FIGURE 28.2 Corporate governance in a government agency 345
FIGURE 29.1 Importance of core processes 355
FIGURE 31.1 Risk matrix to represent project risks 373
FIGURE 31.2 Bow-tie to represent project risks 374
FIGURE 31.3 Project lifecycle 375
FIGURE 31.4 Decreasing uncertainty during the project 376
FIGURE 33.1 Criteria of Control (CoCo) framework 396
FIGURE 35.1 Role of internal audit in ERM 413
FIGURE 35.2 Governance, risk and compliance 417
FIGURE 36.1 Selected UK security threats 431
LIST OF TABLES
TABLE 1.1 Definitions of risk 16
TABLE 1.2 Risk description 19
TABLE 3.1 Risks associated with owning a car 37
TABLE 3.2 Categories of operational disruption 42
TABLE 4.1 Definitions of risk management 46
TABLE 4.2 Importance of risk management 47
TABLE 4.3 8Rs and 4Ts of (hazard) risk management 51
TABLE 5.1 Principles of risk management 58
TABLE 5.2 Risk management objectives 59
TABLE 6.1 Risk management standards 72
TABLE 6.2 COSO ERM framework 77
TABLE 7.1 Format for a basic risk register 89
TABLE 7.2 Risk register for a sports club 90
TABLE 7.3 Risk register for a hospital 91
TABLE 7.4 Project risk register 93
TABLE 7.5 Risk register attached to a business plan 94
TABLE 8.1 Features of an enterprise-wide approach 97
TABLE 8.2 Definitions of enterprise risk management 98
TABLE 8.3 Benefits of enterprise risk management 100
TABLE 9.1 Summary of King III risk requirements 111
TABLE 10.1 Top-down risk assessment 121
TABLE 10.2 Bottom-up risk assessment 122
TABLE 10.3 Techniques for risk assessment 123
TABLE 10.4 Advantages and disadvantages of RA techniques 123
TABLE 10.5 Definitions of likelihood 125
TABLE 10.6 Definitions of impact 126
TABLE 11.1 Risk classification systems 135
TABLE 11.2 Attributes of the FIRM risk scorecard 136
TABLE 11.3 PESTLE classification system 139
TABLE 11.4 Personal issues grid 141
TABLE 12.1 Benchmark tests for risk significance 147
TABLE 13.1 Generic key dependencies 155
TABLE 14.1 Defining the upside of risk 160
TABLE 14.2 Riskiness index 164
TABLE 15.1 Description of the 4Ts of hazard response 176
TABLE 15.2 Key dependencies and significant risks 178
TABLE 16.1 Description of types of hazard controls 187
TABLE 16.2 Examples of the hierarchy of hazard controls 188
TABLE 17.1 Different types of insurance 199
TABLE 17.2 Identifying the necessary insurance 201
TABLE 18.1 Key activities in business continuity planning 211
TABLE 20.1 Scope of issues covered by CSR 236
TABLE 20.2 Components of reputation 240
TABLE 20.3 Threats to reputation 242
TABLE 21.1 Risk management framework 245
TABLE 21.2 Types of RM documentation 249
TABLE 21.3 Risk management manual 250
TABLE 21.4 Risk management protocols 251
TABLE 22.1 Risk management responsibilities 259
TABLE 22.2 Historical role of the insurance risk manager 262
TABLE 22.3 Responsibilities of the RM committee 268
TABLE 24.1 Achieving successful enterprise risk management 290
TABLE 24.2 Implementation barriers and actions 292
TABLE 24.3 Risk-aware culture 293
TABLE 24.4 Four levels of risk maturity 298
TABLE 25.1 Definitions of risk appetite 303
TABLE 25.2 Risk appetite statements 311
TABLE 25.3 Risk appetite for a manufacturing organization 313
TABLE 25.4 Controls for the risks of owning a car 315
TABLE 26.1 Risk management training 318
TABLE 26.2 Risk communication guidelines 320
TABLE 26.3 Risk management information system (RMIS) 323
TABLE 27.1 Risk management technical skills 326
TABLE 27.2 People skills for risk management practitioners 328
TABLE 27.3 Structure of training courses 330
TABLE 28.1 OECD principles of corporate governance 341
TABLE 28.2 Nolan principles of public life 346
TABLE 28.3 Evaluating the effectiveness of the board 349
TABLE 29.1 Data for shareholders 353
TABLE 29.2 Sports club: typical stakeholder expectations 357
TABLE 30.1 ORM principles (Basel II) 363
TABLE 30.2 Operational risk for a bank 365
TABLE 30.3 Operational risk in financial and industrial companies 367
TABLE 31.1 PRAM model for project RM 378
TABLE 32.1 Risks associated with outsourcing 385
TABLE 32.2 Scope of outsourcing contracts 385
TABLE 33.1 Definitions of internal control 394
TABLE 33.2 Components of the CoCo framework 397
TABLE 34.1 Responsibilities of the audit committee 403
TABLE 34.2 Sources of risk assurance 406
TABLE 35.1 Undertaking an internal audit 415
TABLE 35.2 Allocation of responsibilities 420
TABLE 36.1 Risk management (RM) responsibilities of the board 424
TABLE 36.2 Risk report in a Form 20-F 427
TABLE 36.3 Government risk-reporting principles 430
FOREWORD
Importance of enterprise risk management
Organizations face an increasingly challenging and complex environment in
which to undertake their activities. Since the third edition of this textbook, the
consequences of the global financial crisis have continued to challenge public-,
private- and third-sector organizations. To add further complexity, the second
decade of the 21st century has been marked by political instability in many parts of
the world and the recent decision of the United Kingdom to exit the European Union
has added further global uncertainty.
It is within this increasingly uncertain environment that organizations are
required to deliver higher stakeholder expectations, whilst fulfilling greater corporate
governance requirements in relation to ethical and social responsibility. For example,
legislation has been introduced in many countries to broaden the scope of requirements regarding management of bribery risk and the avoidance of modern slavery.
Given all these developments, the updating of this textbook to place greater
emphasis on the importance of enterprise risk management (ERM) to organizational
success is very timely. Successful ERM, including the protection of corporate reputation, continues to be a business imperative for all organizations. A successful ERM
initiative enhances the ability of an organization to achieve objectives and ensure
sustainability, based on transparent and ethical behaviours.
The Institute of Risk Management (IRM) has long supported the development of
ERM, as a contribution to development and delivery of successful business models
and strategy for all types of organizations. The training courses and qualifications
offered by the IRM enable risk professionals and others to support their employer
and/or clients in achieving maximum benefit from an ERM initiative.
Although this textbook has been designed specifically for the IRM International
Certificate in Enterprise Risk Management, the contents outline approaches to
achieving successful ERM that will support any type of organization in their efforts
to deliver corporate objectives and satisfy stakeholder expectations. This textbook
is a valuable resource for all organizations and anyone with an interest in risk
management.
Ian Livsey PhD MBA
Ian Livsey is Chief Executive at the Institute of Risk Management, risk management’s leading worldwide professional education, training and knowledge body.
Further information about the Institute and the International Certificate is available
from the IRM website, www.theirm.org.
ACKNOWLEDGEMENTS
The risk management profession and the expertise of risk professionals continue
to develop in line with the ever-increasing expectations placed on risk managers
and risk consultants. Many more organizations have appointed individuals with the
job title chief risk officer (CRO) and this development has increased the need for
robust professional qualifications and designations for risk management practitioners.
Given the ever-increasing complexity of the business environment, it is not
surprising that production of the fourth edition of Fundamentals of Risk Management
became necessary, just two years after production of the third edition. The importance
and contribution of risk management continues to increase and centres of risk
management expertise and excellence continue to thrive in all business sectors,
whether private, public or third sector.
Lectures, seminars, special interest groups and other group meetings, as well as
one-to-one conversations with risk specialists assisted with the updating of this
book. It is clear that ideas and experiences related to enterprise risk management are
continuing to expand. A wide range of risk management-related standards are
currently being drafted and/or updated and the level of knowledge and expertise
involved in the production of these risk management standards proved to be a very
valuable source of information for the revision of the book.
The main challenge in producing the fourth edition of this textbook has been to
align the material in the book more closely with the syllabus of the IRM International
Certificate in Enterprise Risk Management (ERM). When undertaking this task, I
have received considerable help and support from colleagues at the Institute of Risk
Management (IRM), as well as many insightful comments from risk professionals
working as presenters and lecturers on IRM training and teaching courses.
I continue to be grateful to the large number of people who have helped with the
development of the ideas presented and discussed in this book. I am sure that
developments in risk management will continue apace and keeping abreast of developments and enhancements to risk management theory and practice will remain a
challenge for risk management practitioners, all of whom are seeking to bring the
benefits of enhanced risk management to their employer and/or client organizations.
Paul Hopkin
November 2016
Institute of Risk Management
About the Institute of Risk Management (IRM)
IRM is the leading professional body for risk management. We drive
excellence in managing risk to ensure organisations are ready for the
opportunities and threats of the future.
What IRM offers Risk Professionals
Short Courses.
Sprint Sessions. The opportunity to refresh existing knowledge and
learn new skills, with practical techniques you can use immediately.
Find out more at theirm.org
Introduction
Risk management in context
This book is intended for all who want a comprehensive introduction to the theory
and application of risk management. It sets out an integrated introduction to the
management of risk in public and private organizations. Studying this book will
provide insight into the world of risk management and may also help readers decide
whether risk management is a suitable career option for them.
Many readers will wish to use this book in order to gain a better understanding
of risk and risk management and thereby fulfil the primary responsibilities of their
jobs with an enhanced understanding of risk. This book is designed to deliver the
syllabus of the International Certificate in Risk Management qualification of the
Institute of Risk Management. However, it also acts as an introduction to the discipline of risk management for those interested in the subject but not (yet) undertaking
a course of study.
An introduction to risk and risk management is provided in Part One and Part
Two of this book and administration of risk management is considered in Part Five
(Risk strategy). Parts Three and Four describe the application of risk management in
terms of risk assessment and risk response. Part Six considers risk culture, Part Seven
describes risk governance and Part Eight considers risk assurance and risk reporting.
Parts Seven and Eight concentrate on the application of risk management tools and
techniques, as well as considering the outputs from the risk management process and
the benefits that arise.
We all face risks in our everyday lives. Risks arise from personal activities and
range from those associated with travel through to the ones associated with personal
financial decisions. There are considerable risks present in the domestic component
of our lives, and these include fire risks in our homes and financial risks associated
with home ownership. Indeed, there are also a whole range of risks associated with
domestic and relationship issues, but these are outside the scope of this book.
This book is primarily concerned with business and commercial risks and the
roles that we fulfil in our job or occupation. However, the task of evaluating risks
and deciding how to respond to them is a daily activity, not only at work but also at
home and during leisure activities.
The importance of context is emphasized throughout the book and Chapter 7
specifically discusses the first stage of the risk management process, which is ‘establish the context’. Further consideration of context is provided by Chapter 21 which
describes the risk management context in more detail.
Risk management
Nature of risk
Recent events in the world have brought risk into higher profile. Terrorism, extreme
weather events and the global financial crisis represent the extreme risks that are
facing society and commerce. These extreme risks exist in addition to the daily,
somewhat more mundane, risks mentioned above.
Evaluating the range of risk responses available and deciding the most appropriate
one in each case is at the heart of risk management. Responding to risks should
produce benefits for us as individuals, as well as for the organizations where we
work.
Within our personal and domestic lives, many of the responses to risk are automatic.
Our ways of avoiding fire and road traffic accidents are based on well-established
and automatic responses. Fire and accident are the types of risks that can only have
negative outcomes, and they are often referred to as hazard risks. Compliance
requirements are viewed by many organizations as hazard risks, whereby failure
to comply can only be negative. However, other organizations have the view that
achieving compliance can bring additional benefits or deliver the ‘upside of risk’.
Some other risks have established or required responses that are imposed on us as
individuals and/or on organizations as mandatory requirements. For example, in our
personal lives, buying insurance for a car is usually a legal requirement, whereas buying
insurance for a house is often not, but is good risk management and very sensible.
Keeping your car in good mechanical order reduces the chances of a breakdown.
However, even vehicles that are fully serviced and maintained do occasionally
break down: maintenance reduces the likelihood of breakdown but does not
eliminate it completely. Risks of this type, which carry a large degree of
uncertainty, are often referred to as control risks. The risks associated with
owning a car are explored in some detail in the book, because they represent a
practical example within the experience of most people.
As well as hazard and control risks, there are risks that we take because we desire
(and probably expect) a positive return. For example, you will invest money in anticipation that you will make a profit from the investment. Likewise, placing a bet or
gambling on the outcome of a sporting event is undertaken in anticipation of receiving positive payback.
People participate out of choice in motor sports and other potentially dangerous
leisure activities. In these circumstances, the return may not be financial, but can be
measured in terms of pride, self-esteem or peer group respect. Undertaking activities
involving risks of this type, where a positive return is expected, can be referred to as
taking opportunity risks.
Risk management
Organizations face a very wide range of risks that can impact the outcome of their
operations. The desired overall aim may be stated as a mission or a set of corporate
objectives. The events that can impact an organization may inhibit what it is seeking
to achieve (hazard risks), enhance that aim (opportunity risks), or create uncertainty
about the outcomes (control risks).
Risk management needs to offer an integrated approach to the evaluation, control
and monitoring of these three types of risk. This book examines the key components
of risk management and how it can be applied. Examples are provided that demonstrate
the benefits of risk management to organizations in both the public and private sectors.
Risk management also has an important part to play in the success of not-for-profit
organizations such as charities and (for example) clubs and other membership
bodies.
The risk management process is well established, although it is presented in a
number of different ways and often in differing terminologies. The different terminologies that are used by different risk management practitioners and in different
business sectors are explored in this book. In addition to a description of the established risk management standards, a simplified description of risk management that
sets out the key stages in the risk management process is also presented to help with
understanding.
The risk management process cannot take place in isolation. It needs to be supported by a framework within the organization. Once again, the risk management
framework is presented and described in different ways in the range of standards,
guides and other publications that are available. In all cases, the key components of
a successful risk management framework are the communications and reporting
structure (architecture), the overall risk management strategy that is set by the
organization (strategy) and the set of guidelines and procedures (protocols) that have
been established. The importance of the risk architecture, strategy and protocols
(RASP) is discussed in detail in this book.
The combination of risk management processes, together with a description of
the framework in place for supporting the process, constitutes a risk management
standard. There are several risk management standards in existence, including the
IRM Standard and the recently updated British Standard BS 31100:2011. There is
also the American COSO ERM framework. The most high-profile addition to the
available risk management standards is the international standard, ISO 31000,
published in 2009. The well-established and respected Australian Standard AS 4360
(2004) was withdrawn in 2009 in favour of ISO 31000. AS 4360 was first published
in 1995 and ISO 31000 includes many of the features and offers a similar approach
to that previously described in AS 4360.
Further information on existing standards and other published guides is set out
in Chapter 6. Additionally, references are included in each part of this book to
provide further material to enable the reader to gain a comprehensive introduction
to the subject of risk management. Abbreviations and acronyms are used throughout
the book as an aid to learning and understanding. A list of all abbreviations and
acronyms is included in Appendix A.
Risk management terminology
Most risk management publications refer to the benefits of having a common
language of risk within the organization. Many organizations manage to achieve this
common language and common understanding of risk management processes and
protocols at least internally. However, it is usually the case that within a business
sector, and sometimes even within individual organizations, the development of
a common language of risk can be very challenging.
Reference and supporting materials use a great range of terminologies. The different
approaches to risk management, the different risk management standards that exist
and the wide range of guidance material that is available often use different terms
for the same feature or concept. This is regrettable and can be very confusing, but it
is inescapable.
Attempts are being made to develop a standardized language of risk, and ISO
Guide 73 has been developed as the common terminology that should be used in
all ISO standards. The terminology set out in ISO Guide 73 is used throughout this
book as the default set of definitions wherever possible. However, the use of a standard
terminology is not always possible and alternative definitions may be required.
Indeed, ISO itself also publishes a terminology guide, ISO/IEC Guide 51:1999, entitled
‘Safety Aspects – Guidelines for Their Inclusion in Standards’, and the definitions in
Guide 51 are not fully aligned with those in Guide 73.
To assist with the difficult area of terminology, Appendix B sets out the basic terms
and definitions that are used in risk management. It also provides cross reference
between the different terms in use to describe the same concept. Where appropriate and
necessary a table setting out a range of definitions for the same concept is included
within the relevant chapter of the book, and these tables are cross-referenced in
Appendix B.
Benefits of risk management
There is a range of reasons why organizations undertake risk management activities. These reasons are summarized in this book as mandatory, assurance, decision making and effective and efficient core processes (MADE2). Mandatory refers to
risk management activities designed to ensure that an organization complies with
legal and regulatory obligations, as well as customer or client requirements.
The board of an organization will require assurance that significant risks have
been identified and appropriate controls put in place. In order to ensure that correct
business decisions are taken, the organization should undertake risk management
activities that provide additional structured information to assist with business
decision making.
Finally, a key benefit from risk management is to enhance the effectiveness and
efficiency of operations within the organization. Additionally, it should help ensure
that business processes (including process enhancements by way of tactics, projects
and other change initiatives) are also effective and efficient. Likewise, the selected strategy
also needs to be effective and efficient, in that it is capable of delivering exactly what
is required.
Risk management inputs are required in relation to strategic decision making,
but also in relation to the effective delivery of projects and programmes of work, as
well as in relation to the routine operations of the organization. The benefits of risk
management can also be identified in relation to these three timescales of activities
within the organization. The outputs from risk management activities can benefit
organizations in three timescales and ensure that the organization achieves effective
and efficient strategy, tactics and operations.
Strategy, tactics and operations are underpinned by the need to achieve compliance.
Strategic, tactical, operational and compliance (STOC) core processes and activities
encompass the whole range of processes of an organization. These processes are the
core processes of the organization and analysis of the core processes provides a comprehensive approach to risk management that is used in several sections of the book.
In order to achieve a successful risk management contribution, the intended benefits
of any risk management initiative have to be identified. If those benefits have not
been identified, then there will be no means of evaluating whether the risk management initiative has been successful. Therefore, good risk management must have a clear
set of desired outcomes/benefits. Appropriate attention should be paid to each stage
of the risk management process, as well as to details of the design, implementation
and monitoring of the framework that supports these risk management activities.
Features of risk management
Failure to adequately manage the risks faced by an organization can be caused by
inadequate risk recognition, insufficient analysis of significant risks and failure to
identify suitable risk response activities. Also, failure to set a risk management
strategy and to communicate that strategy and the associated responsibilities may
result in inadequate management of risks. It is also possible that the risk management procedures or protocols may be flawed, such that these protocols may actually
be incapable of delivering the required outcomes.
The consequences of failure to adequately manage risk can be disastrous and may
result in ineffective and/or inefficient operations, projects that are not completed
on time and strategies that are not delivered, or were incorrect in the first place. The
hallmarks of successful risk management are considered in this book. In order to
be successful, the risk management initiative should be proportionate, aligned, comprehensive, embedded and dynamic (PACED).
Proportionate means that the effort put into risk management should be appropriate to the level of risk that the organization faces. Risk management activities
should be aligned with other activities within the organization. Activities will also
need to be comprehensive, so that any risk management initiative covers all the
aspects of the organization and all the risks that it faces. The means of embedding
risk management activities within the organization are discussed in this book. Finally,
risk management activities should be dynamic and responsive to the changing business
environment faced by the organization.
As with all management activities and processes in an organization, risk management
needs to be adapted and modified to align with the core processes and organizational
culture. In relation to risk management, an organization will first need to specifically
respond to statutory obligations and the requirements of regulators. Once they have
been satisfied, most organizations can work on the basis that whatever works within
the organization and delivers the required benefits, outputs and outcomes is the correct
and appropriate approach to ERM for that organization.
Book structure
The book is presented in eight parts, together with three appendices. Part One provides the introduction to risk management and introduces all of the basic concepts.
Part Two considers the alternative approaches to risk management and starts by considering established risk management standards. The importance of establishing the
context is then considered in detail, followed by an analysis of the features and
benefits of enterprise risk management.
Part Three considers the importance of risk assessment as a fundamental requirement
of successful risk management. Risk classification and risk analysis tools and
techniques are considered in detail in this part. Part Four sets out the options for risk
response in detail. Analysis of the various risk control techniques is presented,
together with examples of options for the control of selected hazard risks. This
part also considers the importance of insurance and risk transfer, as well as business
continuity planning.
Part Five explores the importance of risk management strategy and considers the
vital importance of the risk management policy, as well as exploring the successful
implementation of that policy. There is also a consideration of reputation and the
business model and the importance of the risk management context. Part Six starts
by considering the nature of a risk-aware culture and then goes on to consider the
importance of risk appetite. Risk training and communication, together with risk
practitioner competencies, are also included in Part Six. Part Six also reflects on the
fact that the emergence of risk management as a profession has resulted in more
attention being paid to risk management competency frameworks and the importance
of people or soft skills.
Part Seven considers the importance of risk governance, and this extends to the
evaluation of broader corporate governance requirements and the impact of risk on
organizations. Also, the analysis of stakeholder expectations and the relationship
between risk management and a simple business model are considered. Finally, Part
Eight considers risk assurance and risk reporting. The role of the internal audit function, together with the importance of corporate social responsibility and the options
for reporting on risk management are all considered. Throughout the book, information
is presented in tables and figures to make the information more readily accessible.
Extensive use is made of the increasingly common approach of using a bow-tie
representation of the risk management process.
Appendix A is a full list of the main acronyms and abbreviations used in the book.
Appendix B provides a glossary of terms and cross-references the different terminologies used by different risk management practitioners. Appendix C provides a
step-by-step implementation guide to enterprise risk management (ERM), as described
in Chapter 8. This is based on the plan, implement, measure and learn (PIML)
approach which is similar to the plan–do–check–act (PDCA) approach described in
several risk-related standards. Appendix C also includes reference to the acronyms
used in the book and sets out the key concepts relevant to each step of the successful
implementation of an ERM initiative.
Risk management in practice
In order to bring the subject of risk management to life, short illustrative examples
are used throughout the text. These examples focus on a small number of organizations in order to give some context to the ideas described. Risk management activities
cannot be undertaken out of context, and so these organizations provide context to
the ideas and concepts that are described.
The most often used examples to illustrate a point are a haulage company, a sports
club, a theatre, a publisher and the large stock-exchange-listed company that, for the
sake of illustration, owns the sports club and the haulage company. Examples are
also used of how risk management principles can be applied to the personal risks
faced in private life.
In addition to these general examples, real-life situations and examples are also
used, where a case study is helpful. Each part of the book concludes with a brief
extract from the report and accounts of two selected companies to illustrate the main
risk management topics covered in the part. Although many of these examples are
mainly from the UK, the principles are equally applicable to other parts of the world.
Because of the global financial crisis, and the continuing economic difficulties
around the world, risk management continues to be a very high-profile topic.
Therefore, there are many examples of the application of risk management tools
and techniques to difficult business and commercial situations. The book takes
advantage of the wealth of information that is available in order to present examples,
opinions and commentary on the risk management issues affecting organizations.
Throughout the book, boxes are included within the text. These boxes either
provide practical examples of the application of the theory being discussed, or they
provide opinions and commentary on real situations that have arisen. Additionally,
case studies have been included at the beginning of each part of the book and these
have been taken from the websites of high-profile organizations or from the published
annual reports and accounts that are available in the public domain.
Future for risk management
As the global financial crisis has unfolded, there is an increasing tendency for news
reports to indicate that risk is bad and risk management has failed. In reality, neither
of these two statements is correct. Organizations have to address the risks that they
face because many of them have to undertake high-risk activities, either because
these activities cannot be avoided, or because the activities are undertaken in order
to produce a positive outcome for the organization and its stakeholders.
The global financial crisis does not demonstrate the failure of risk management,
but rather the failure of the management of organizations to successfully address the
risks that they faced. Achieving benefits from risk management requires carefully
planned implementation of the risk management process in the organization, as well
as the design and successful embedding of a suitable and sufficient risk management
framework.
By setting out an integrated approach to risk management, this book provides a
description of the fundamental components of successful management of business/
corporate risks. It describes a wealth of risk management tools and techniques
and provides information on successful delivery of an integrated and enterprise-wide
approach to risk management.
Risk management is changing rapidly, in terms both of the tools and techniques
that are applied and the governance structures that are being introduced to ensure
successful management of risk. Organizations need to be more cost conscious, and
this has resulted in the emergence of approaches such as Governance, Risk and
Compliance (GRC). GRC represents an approach that is designed to be both effective
and cost efficient in terms of the results that are achieved.
With many organizations having to introduce cost-cutting and finding the current
trading conditions difficult, emerging risks have never been more important. For
many organizations, it is a challenge to keep their risk exposure within the risk
capacity of the organization. Events can occur that could be devastating for the
organization. In these difficult circumstances, organizations need to pay more attention to an analysis of the triggers that could result in significant risks materializing,
as well as developing detailed plans to manage any crisis that does arise.
The list below offers a summary of the actions that would help to avoid a repeat
of the global financial crisis. Many organizations lack a common risk management
framework across the enterprise. This has many elements, each of which is required
to help avoid similar disasters in the future:
● First, there should be common processes, terminology and practices for managing risks of all kinds.
● Second, it is essential that risk tolerances be fully understood, communicated and monitored across the enterprise.
● Third, risk management practices should be incorporated into all key business processes and decisions.
● And, fourth, management should make risk-related decisions using dedicated high-quality risk information.
Changes for the fourth edition
Risk management continues to be a dynamic and developing discipline and the
changes that were necessary in the production of the fourth edition of this book
reflect that fact. Certain types of risk have increased dramatically and the need for a
robust ERM to be adopted by organizations has never been greater. Risks that have
increased considerably since the third edition of this book include the global
phenomenon of youth unemployment, the increasing level of political instability in
the world, the increasing number of incidents associated with climate change, and
the increasingly sophisticated levels of cyber-crime.
Changes to the textbook include amendments to ensure that the contents remain
relevant in an increasingly uncertain world, and increasingly complex business
environment. Several chapters required substantial updating to accommodate the
developments in risk management over the past two years. In particular, Part Two
consolidates the chapters concerned with the different approaches to risk management
and includes consideration of risk management standards, outlines the importance
of establishing the context and considers ERM in detail in Chapter 8.
The opportunity has also been taken to provide more information on establishing
the context, by a more detailed analysis of the external and internal context of an
organization in Chapter 7, together with discussion of the risk management context
in Chapter 21. Also, there has been greater use of case studies in the fourth edition
with three different case studies included in each of the eight parts of the book. The
case studies have been selected to provide examples of good practice in risk management
by various companies around the world.
One of the most important considerations in producing the fourth edition was to
more closely align the order of the chapters in the textbook with the structure of the
Institute of Risk Management (IRM) International Certificate in Enterprise Risk
Management (ERM). Accordingly, the first four parts of the fourth edition are
concerned with the basic principles of risk and risk management. Parts Five through
to Eight are concerned with the practice of risk management and include consideration
of risk strategy, culture, governance and assurance. Aligning the structure of the
fourth edition with the IRM international certificate has provided a better structured
order in which to present the technical content.
PART ONE
Introduction to risk management
LEARNING OUTCOMES FOR PART ONE
● produce a range of established definitions of risk and risk management and describe the usefulness of the various definitions;
● list the range of characteristics of a risk that need to be identified in order to provide a full risk description and justify the inclusion of each item;
● summarize the options for the attachment of risks to various attributes of an organization and describe the advantages of each approach;
● identify the features of the four types of risk that enable them to be identified as compliance, hazard, control and opportunity risks;
● summarize the origins and development of the discipline of risk management, including the various specialist areas and approaches;
● explain the characteristics of enterprise risk management (ERM) and the benefits of the ERM approach over traditional risk management;
● summarize the principles (PACED) and aims of risk management and its importance to strategy, tactics, operations and compliance (STOC);
● describe the key outputs of risk management in terms of mandatory obligations, assurance, decision making and effective and efficient core processes (MADE2).
PART ONE FURTHER READING
Bernstein, P (1998) Against the Gods: The Remarkable Story of Risk, www.wiley.com
British Standard BS 31100:2011 Risk Management: Code of Practice and Guidance for the Implementation of BS ISO 31000, www.standardsuk.com
Institute of Risk Management (2002) A Risk Management Standard, www.theirm.org
Institute of Risk Management (2010) A Structured Approach to Enterprise Risk Management (ERM) and the Requirements of ISO 31000, www.theirm.org
International Standard ISO 31000:2009 Risk Management: Principles and Guidelines, www.iso.org
Pullan, P and Murray-Webster, R (2011) A Short Guide to Facilitating Risk Management, www.gowerpublishing.com
PART ONE CASE STUDIES
Rank Group: How we manage risk
Rank operates a comprehensive risk management methodology which is closely integrated to its
management structure to provide clear oversight and governance of the risks which are considered
to be material to its business, and to maintain continual surveillance of its operating environment for
emerging risks. The approach endeavours to ensure that a clear risk appetite is set that balances
risks and opportunities to contribute to the achievement of the group’s strategic objectives.
The board has responsibility for the risk framework and establishing the group’s risk appetite, as
well as ensuring that risk controls are built into management’s approach to operations. The audit
committee holds the responsibility for assessing the effectiveness of the risk management systems
which are in place and undertaking independent review of the risk mitigation plans which have been
designed for material risks.
Rank’s risk committee meets on a monthly basis with a remit to conduct a thorough review of the
risk register and to ensure that management are working effectively to identify and manage risks as
they arise and on a continual basis. Working sessions of the committee are held with departmental
and divisional management to ensure that risks are being identified in a timely manner and effective
action plans put into place. This approach ensures that risk is identified in both a ‘top-down’ and a
‘bottom-up’ manner from the various management levels of the organization to give assurance that
risk registers are comprehensive.
Group internal audit works in support of the risk committee to help manage risk identification and
conduct independent reviews of both the business’s risks and its progress in performing the mitigating
action plans agreed for any relevant risks, the status of which is reported to the risk committee monthly.
Edited extract from The Rank Group Plc
Annual Report and Financial Statements 2015
ABIL: Risk management overview
The ABIL risk management strategy is to embed a risk culture and support business units within the
group. The key focus is to ensure that business units operate within risk parameters that will lead to
sustainable business and enhanced risk management practices. The structure is supported by three
pillars: competence, collaboration and independence.
In the 2013 financial year, the customer value proposition was enhanced by offering new products
such as short-term insurance (funeral) and investments that introduced additional operational and
compliance risk. These products are aimed at providing a diversified income stream, lowering the
cost of funding and attracting a more diversified customer base. The group risk function has been
broadened with regard to systems and people in order to focus on key areas, such as non-compliance
with regulatory requirements. This function has been particularly critical in fraud mitigation this year,
to assist with early detection and timely resolution.
The group risk management approach is an approved enterprise-wide risk management
methodology and philosophy to ensure adequate and effective risk management. In addition, the
methodology also provides regulatory principles and a risk management approach that ensures the
following core principles are adhered to:
● clear assignment of responsibilities and accountabilities;
● common enterprise-wide risk management framework and process;
● identification of uncertain future events that may influence achievement of business plans and strategic objectives; and
● integration of risk management activities within the company and across its value chains.
ABIL’s risk management objective is to ensure a proactive identification, understanding and
assessment of risks, including activities undertaken that result in risks which could impact on
business objectives. This is executed through various risk management and governance mechanisms
and risk management oversight bodies.
Edited extract from African Bank Investments Limited
Risk report for the financial year ended 30 September 2013
BIS: Approach to risk
Our risk management approach is based on devolved accountability across the departmental groups
and our partner organization network, so that risks are assigned to those best placed to manage
them, whilst maintaining clear accountability. Risks that can and should be managed at group or
partner organization level remain within those entities and are subject to their own risk assurance
and scrutiny processes in line with the overall risk management process set by the department.
A corporate performance and risk team acts as a central point for advice and guidance on
effective risk management. The team co-ordinates the top level risk register, which is the route by
which our most significant risks are escalated. Risks for escalation to the top level risk register are
proposed at all working levels, but only those risks that could have a significant, cross-cutting impact
on the department are included.
Following a risk management review by internal audit, we have continued to focus on building
skills and capacity within our approach to risk management. This has further enhanced consistency
across the department and our partner organizations. A continued emphasis on sharing good practice
in risk management, supported by training and development for our staff, has improved our agreed
processes to risk management.
The risk management process has continued to work well in BIS with risks escalated throughout
the department and scrutiny provided by our boards, committees and non-executive board members.
Work over the next 12 months will focus on further building skills and capacity to fully embed the BIS
risk management processes, ensuring a comprehensive understanding amongst the department and
our partner organizations.
Edited extract from Department for Business Innovation and Skills
Annual Report and Accounts 2013–14
01
Approaches to defining risk
Definitions of risk
The Oxford English Dictionary definition of risk is as follows: ‘a chance or possibility
of danger, loss, injury or other adverse consequences’, and the definition of at risk is
‘exposed to danger’. In this context, risk is used to signify negative consequences.
However, taking a risk can also result in a positive outcome. A third possibility is
that risk is related to uncertainty of outcome.
Take the example of owning a motor car. For most people, owning a car is an
opportunity to become more mobile and gain the related benefits. However, there are
uncertainties in owning a car that are related to maintenance and repair costs. Finally,
motor cars can be involved in accidents, so there are obvious negative outcomes
that can occur. It is also important to remember the legal obligations associated
with car ownership and the rules that must be obeyed when the car is being driven
on a road.
Definitions of risk can be found from many sources, and some key definitions are
set out in Table 1.1. An alternative definition is also provided to illustrate the broad
nature of risks that can affect organizations. The Institute of Risk Management (IRM)
defines risk as the combination of the probability of an event and its consequence.
Consequences can range from positive to negative. This is a widely applicable and
practical definition that can be easily applied.
The international guide to risk-related definitions is ISO Guide 73, and it defines
risk as the ‘effect of uncertainty on objectives’. This definition appears to assume a
certain level of knowledge about risk management and it is not easy to apply to
everyday life. The meaning and application of this definition will become clearer as
the reader progresses through this book.
An earlier version of Guide 73 (2002) also notes that an effect may be positive,
negative, or a deviation from the expected. These three types of events can be related
to risks as opportunity, hazard or uncertainty, and this relates to the example of
motor car ownership outlined above. The guide notes that risk is often described by
an event, a change in circumstances, a consequence, or a combination of these and
how they may affect the achievement of objectives.
The Institute of Internal Auditors (IIA) defines risk as the uncertainty of an event
occurring that could have an impact on the achievement of objectives. The IIA adds
that risk is measured in terms of consequences and likelihood. Different disciplines
define the term risk in very different ways. The definition used by health and safety
professionals is that risk is a combination of likelihood and magnitude, but this may
not be sufficient for more general risk management purposes.
Given that there are many available definitions for the word risk, it is important
that the organization chooses the definition that is most suitable for its own purposes. The definition can be as narrow or as comprehensive as the organization
wishes. As a version of a comprehensive definition of the word risk, the author offers
the following:
An event with the ability to impact (inhibit, enhance or cause doubt about) the
effectiveness and efficiency of the core processes of an organization.
Risk in an organizational context is usually defined as anything that can impact
the fulfilment of corporate objectives. However, corporate objectives are usually
not fully stated by most organizations. Where the objectives have been established,
they tend to be stated as internal, annual, change objectives. This is particularly
true of the personal objectives set for members of staff in the organization, where
objectives usually refer to change or developments, rather than the continuing or
routine operations of the organization.
Table 1.1 Definitions of risk

Organization: Definition of risk
ISO Guide 73 / ISO 31000: Effect of uncertainty on objectives. Note that an effect may be positive, negative, or a deviation from the expected. Also, risk is often described by an event, a change in circumstances or a consequence.
Institute of Risk Management (IRM): Risk is the combination of the probability of an event and its consequence. Consequences can range from positive to negative.
Orange Book from HM Treasury: Uncertainty of outcome, within a range of exposure, arising from a combination of the impact and the probability of potential events.
Institute of Internal Auditors: The uncertainty of an event occurring that could have an impact on the achievement of the objectives. Risk is measured in terms of consequences and likelihood.
Approaches to defining risk
It is generally accepted that risk is best defined by concentrating on risks as events,
as in the definition of risk provided in ISO 31000 and the definition provided by the
Institute of Internal Auditors, set out in Table 1.1. In order for a risk to materialize,
an event must occur. Therefore, perhaps a risk can simply be considered to be
‘an unplanned event with unexpected consequences’. Greater clarity is likely to be
brought to the risk management process if the focus is on events. For example,
consider what could disrupt a theatre performance.
The events that could cause disruption include a power cut, the absence of a key
actor, or a substantial transport failure or road closures that delay the arrival of
the audience, as well as the illness of a significant number of staff. Having identified
the events that could disrupt the performance, the management of the theatre
needs to decide what to do to reduce the chances of one of these events causing the
cancellation of a performance. This analysis by the management of the theatre is
an example of risk management in practice.
Types of risks
Risk may have positive or negative outcomes or may simply result in uncertainty.
Therefore, risks may be considered to be related to an opportunity or a loss or the
presence of uncertainty for an organization. Every risk has its own characteristics
that require particular management or analysis. In this book, risks are divided into
four categories:
● compliance (or mandatory) risks;
● hazard (or pure) risks;
● control (or uncertainty) risks;
● opportunity (or speculative) risks.
In general terms, organizations will seek to minimize compliance risks, mitigate
hazard risks, manage control risks and embrace opportunity risks. However, it is
important to note that there is no ‘right’ or ‘wrong’ subdivision of risks. Readers will
encounter other subdivisions in other texts and these may be equally appropriate. It
is, perhaps, more common to find risks described as two types, pure or speculative.
Indeed, there are many debates about risk management terminology. Whatever the
theoretical discussions, the most important issue is that an organization adopts the
risk classification system that is most suitable for its own circumstances.
There are certain risk events that can only result in negative outcomes. These
risks are hazard risks or pure risks, and these may be thought of as operational or
insurable risks. In general, organizations will have a tolerance of hazard risks, and
these need to be managed within the levels that the organization can tolerate. A good
example of a hazard risk faced by many organizations is that of theft.
There are other risks that give rise to uncertainty about the outcome of a situation.
These can be described as control risks and are frequently associated with project
management. In general, organizations will have an aversion to control risks. Uncertainties can be associated with the benefits that the project produces, as well as
uncertainty about the delivery of the project on time, within budget and to specification. The management of control risks will often be undertaken in order to ensure
that the outcome from the business activities falls within the desired range. The
purpose is to reduce the variance between anticipated outcomes and actual results.
At the same time, organizations deliberately take risks, especially marketplace or
commercial risks, in order to achieve a positive return. These can be considered as
opportunity or speculative risks, and an organization will have a specific appetite for
investment in such risks. Opportunity risks relate to the relationship between risk
and return. The purpose is to take action that involves risk to achieve positive gains.
The focus of opportunity risks will be towards investment.
The application of risk management tools and techniques to the management of
hazard risks is the best and longest-established branch of risk management, and
much of this text will concentrate on hazard risks. There is a hierarchy of controls
that apply to hazard risks, and this is discussed in Chapter 16. Hazard risks are
associated with a source of potential harm or a situation with the potential to
undermine objectives in a negative way and hazard risk management is concerned
with mitigating the potential impact. Hazard risks are the most common risks associated with operational risk management, including occupational health and safety
programmes.
Control risks are associated with unknown and unexpected events. They are
sometimes referred to as uncertainty risks and they can be extremely difficult to
quantify. Control risks are often associated with project management and the implementation of tactics. In these circumstances, it is known that the events will occur,
but the precise consequences of those events are difficult to predict and control.
Therefore, the approach is based on managing the uncertainty about the potential
impacts and consequences of these events.
There are two main aspects associated with opportunity risks. There are risks/
dangers associated with taking an opportunity, but there are also risks associated
with not taking the opportunity. Opportunity risks may not be visible or physically
apparent, and they are often financial in nature. Although opportunity risks are
taken with the intention of obtaining a positive outcome, this is not guaranteed.
Nevertheless, the overall approach is to embrace the opportunity and the associated
opportunity risks. Opportunity risks for small businesses include moving a business
to a new location, acquiring new property, expanding a business and diversifying
into new products.
Risk description
In order to fully understand a risk, a detailed description is necessary so that a
common understanding of the risk can be identified and ownership/responsibilities
may be clearly understood. Table 1.2 lists the range of information that must be
recorded to fully understand a risk. The list of information set out in Table 1.2 is
most applicable to hazard risks and the list will need to be modified to provide a full
description of control or opportunity risks.
TABLE 1.2 Risk description

Name or title of risk
Statement of risk, including scope of risk and details of possible events and dependencies
Nature of risk, including details of the risk classification and timescale of potential impact
Stakeholders in the risk, both internal and external
Risk attitude, appetite, tolerance, limits for the risk and/or risk criteria
Likelihood and magnitude of event and consequences should the risk materialize at current/residual level
Control standard required, target level of risk or risk criteria
Incident and loss experience
Existing control mechanisms and activities
Responsibility for developing risk strategy and policy
Potential for risk improvement and level of confidence in existing controls
Risk improvement recommendations and deadlines for implementation
Responsibility for implementing improvements
Responsibility for auditing risk compliance
So that the correct range of information can be collected about each risk, the
distinction between compliance, hazard, control and opportunity risks needs to be
clearly understood. The example below is intended to distinguish between these four
types of risk, so that the information required in order to describe each type of risk
can be identified.
Range of computer risks
In order to understand the distinction between compliance, hazard, control and opportunity
risks, the example of the use of computers is helpful. Operating a computer system involves
fulfilling certain legal obligations; in particular, data protection requirements and these are the
compliance risks. Virus infection is an operational or hazard risk and there will be no benefit to
an organization suffering a virus attack on its software programs. When an organization installs
or upgrades a software package, control risks will be associated with the upgrade project.
The selection of new software is also an opportunity risk, where the intention is to achieve
better results by installing the new software, but it is possible that the new software will fail
to deliver all of the functionality that was intended and the opportunity benefits will not be
delivered. In fact, the failure of the functionality of the new software system may substantially
undermine the operations of the organization.
Inherent level of risk
It is important to understand the uncontrolled level of all risks that have been
identified. This is the level of the risk before any actions have been taken to change
the likelihood or magnitude of the risk. Although there are advantages in identifying
the inherent level of risk, there are practical difficulties in identifying this with some
types of risks.
Identifying the inherent level of the risk makes it possible to identify the importance of the control measures in place. The IIA has previously held the view that
the assessment of all risks should commence with the identification of the inherent
level of the risk. The guidance from the IIA has previously stated that: ‘in the risk
assessment, we look at the inherent risks before considering any controls.’ Although
there is considerable debate about whether to undertake risk assessment at inherent
or current level, the purpose of any risk assessment remains the same. It is to identify
what is believed to be the current level of the risk and identify the key controls that
are in place to ensure that the current level is actually achieved.
Often, a risk matrix is used to show the inherent level of the risk in terms of
likelihood and magnitude. The residual or current level of the risk can then be
identified, after the control or controls have been put in place. The effort that is
required to reduce the risk from its inherent level to its current level can be clearly
indicated on the risk matrix.
Terminology varies and the inherent level of risk is sometimes referred to as the
absolute risk or gross risk. Also, the current level of risk is often referred to as the
residual level, net level or the managed level of risk. The example in the box below
provides an example of how inherently high-risk activities are reduced to a lower
level of risk by the application of sensible and practical risk response options.
Crossing the road
Crossing a busy road would be inherently dangerous if there were no controls in place and
many more accidents would occur. When a risk is inherently dangerous, greater attention
is paid to the control measures in place, because the perception of risk is much higher.
Pedestrians do not cross the road without looking and drivers are always aware that pedestrians
may step into the road. Often, other traffic calming control measures are necessary to reduce
the speed of the motorists or increase the risk awareness of both motorists and pedestrians.
Risk classification systems
Risks can be classified according to the nature of the attributes of the risk, such as
timescale for impact, and the nature of the impact and/or likely magnitude of the
risk. They can also be classified according to the timescale of impact after the event
occurs. The source of the risk can also be used as the basis of classification. In this
case, a risk may be classified according to its origin, such as counterparty or credit risk.
A further way of classifying risks is to consider the nature of the impact. Some
risks can cause detriment to the finances of the organization, whereas others will have
an impact on the activities or the infrastructure. Further, risks may have an impact
on the reputation of the organization, or on its status and the way it is perceived in
the marketplace.
Risks may also be classified according to the component or feature of the organization that will be impacted. For example, risks can be classified according to
whether they will impact people, premises, processes or products. An important
consideration for organizations when deciding their risk classification system is to
determine whether the risks will be classified according to the source of the risk, the
component impacted, or the consequences of the risk materializing.
Individual organizations will decide on the risk classification system that suits
them best, depending on the nature of the organization and its activities. Also, many
risk management standards and frameworks suggest a specific risk classification
system. If the organization adopts one of these standards, then it will tend to follow
the classification system recommended.
The risk classification system that is selected should be fully relevant to the
organization concerned. There is no universal classification system that fulfils the
requirements of all organizations. It is likely that each risk will need to be classified
in several ways in order to clearly understand its potential impact. However, many
classification systems offer common or similar structures, as described in Chapter 11.
Risk likelihood and magnitude
Risk likelihood and magnitude are best demonstrated using a risk matrix. Risk
matrices can be produced in many formats. Whatever format is used for a risk
matrix, it is a very valuable tool for the risk management practitioner. The basic style
of risk matrix plots the likelihood of an event against the magnitude or impact
should the event materialize.
Figure 1.1 is an illustration of a simple risk matrix, also referred to as a risk map
or heat map. This is a commonly used method of illustrating risk likelihood and the
magnitude (or severity) of the event should the risk materialize. The use of the risk
matrix to illustrate risk likelihood and magnitude is a fundamentally important
risk management tool. The risk matrix can be used to plot the nature of individual
risks, so that the organization can decide whether the risk is acceptable and within
the risk appetite and/or risk capacity of the organization.
Throughout this book, a standard format for presenting a risk matrix has been
adopted. The horizontal axis is used to represent likelihood. The term likelihood
is used rather than frequency, because the word frequency implies that events will
definitely occur and the risk matrix is registering how often these events take place.
Likelihood is a broader word that includes frequency, but also refers to the chances
of an unlikely event happening. However, in risk management literature, the word
‘probability’ will often be used to describe the likelihood of a risk materializing.
The vertical axis is used to indicate magnitude in Figure 1.1. The word magnitude
is used rather than severity, so that the same style of risk matrix can be used to
illustrate compliance, hazard, control and opportunity risks. Severity implies that the
event is undesirable and is, therefore, related to compliance and hazard risks. The
magnitude of the risk may be considered to be its gross or inherent level before
controls are applied.
Figure 1.1 plots likelihood against the magnitude of an event. However, the more
important consideration for risk managers is not the magnitude of the event, but the
impact of the event and the consequences that follow. For example, a large fire could
occur that completely destroys a warehouse of a distribution and logistics company.
Although the magnitude of the event may be large, if sufficient insurance is in place,
the impact in terms of financial costs for the company could be minimal, and if the
company has produced plans to cope with such an event, the consequences for the
overall business may be much less than would otherwise be anticipated.
The magnitude of an event may be considered to be the inherent level of the
event and the impact can be considered to be the risk-managed level. Because the
impact (and the associated consequences) of an event is usually more important than
its magnitude (or severity), every risk matrix used in the remainder of this book will
plot impact against likelihood, rather than magnitude against likelihood.
FIGURE 1.1 Risk likelihood and magnitude
[Figure: a two-by-two risk matrix. Vertical axis: Magnitude. Horizontal axis: Likelihood. Top left: low likelihood, high magnitude. Top right: high likelihood, high magnitude. Bottom left: low likelihood, low magnitude. Bottom right: high likelihood, low magnitude.]
The risk matrix is used throughout this book to provide a visual representation of
risks. It can also be used to indicate the likely risk control mechanisms that can be
applied. The risk matrix can also be used to record the inherent, current (or residual)
and target levels of the risk.
Shading or colour coding is often used on the risk matrix to provide a visual
representation of the importance of each risk under consideration. As risks move
towards the top right-hand corner of the risk matrix, they become more likely and have
a greater impact. Therefore, the risk becomes more important and immediate and
effective risk control measures need to be in place.
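The following is an added worked example, not code from the book or its author, showing how the risk matrix described above can be kept as data rather than only drawn: each risk carries an inherent level, the credited controls move it to its current (residual) level, a heat-map zone is derived from the position on the matrix, and the distance moved records the effort the controls achieve. The five-point scales, the zone thresholds, the control reductions and the three sample risks are all assumptions constructed for the illustration; an organization would set its own.

```python
"""Risk matrix (heat map) with inherent and current levels.

Added illustration, not from the book: the 5-point scales, zone
thresholds, control effects and sample risks are all constructed here.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Ordinal scales (constructed). Likelihood is plotted on the horizontal
# axis and impact on the vertical axis, as in the book's matrix.
LIKELIHOOD: Dict[str, int] = {"rare": 1, "unlikely": 2, "possible": 3,
                              "likely": 4, "almost certain": 5}
IMPACT: Dict[str, int] = {"negligible": 1, "minor": 2, "moderate": 3,
                          "major": 4, "severe": 5}


@dataclass
class Control:
    """A control is credited with removing scale points from likelihood and/or impact."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    ref: str                   # short identifier shown on the map
    title: str
    inherent_likelihood: str   # key of LIKELIHOOD
    inherent_impact: str       # key of IMPACT
    controls: List[Control] = field(default_factory=list)


def inherent_level(risk: Risk) -> Tuple[int, int]:
    """Gross/absolute level: the position before any control is credited."""
    return LIKELIHOOD[risk.inherent_likelihood], IMPACT[risk.inherent_impact]


def current_level(risk: Risk) -> Tuple[int, int]:
    """Residual/net level: inherent level less the credited controls, never below 1."""
    lik, imp = inherent_level(risk)
    lik -= sum(c.likelihood_reduction for c in risk.controls)
    imp -= sum(c.impact_reduction for c in risk.controls)
    return max(lik, 1), max(imp, 1)


def score(level: Tuple[int, int]) -> int:
    """Single number for ranking: likelihood x impact (1..25)."""
    return level[0] * level[1]


def zone(level: Tuple[int, int]) -> str:
    """Heat-map shading. The thresholds are this example's own assumption."""
    s = score(level)
    if s >= 15:
        return "red"
    if s >= 6:
        return "amber"
    return "green"


def quadrant(level: Tuple[int, int]) -> str:
    """The four cells of a two-by-two matrix, splitting each 5-point scale above 3."""
    lik, imp = level
    return (f"{'high' if lik > 3 else 'low'} likelihood / "
            f"{'high' if imp > 3 else 'low'} magnitude")


def control_effort(risk: Risk) -> int:
    """Score reduction the controls achieve: how far the risk moved on the matrix."""
    return score(inherent_level(risk)) - score(current_level(risk))


def prioritize(risks: List[Risk]) -> List[str]:
    """Refs ordered by current score, highest first (ties keep input order)."""
    return [r.ref for r in sorted(risks, key=lambda r: -score(current_level(r)))]


def render(risks: List[Risk]) -> List[str]:
    """Text heat map: impact rows (5 at the top), likelihood columns (1..5).
    An uppercase ref marks the inherent level, lowercase the current level."""
    cells: Dict[Tuple[int, int], List[str]] = {}
    for r in risks:
        cells.setdefault(inherent_level(r), []).append(r.ref.upper())
        cells.setdefault(current_level(r), []).append(r.ref.lower())
    lines = []
    for imp in range(5, 0, -1):
        row = [f"impact {imp} |"]
        for lik in range(1, 6):
            row.append(",".join(cells.get((lik, imp), [])).ljust(6))
        lines.append(" ".join(row))
    lines.append("          " + " ".join(f"lik {k}".ljust(6) for k in range(1, 6)))
    return lines


# Constructed sample register (hypothetical risks and control effects).
SAMPLE_RISKS: List[Risk] = [
    Risk("r1", "Ransomware encrypts the file servers", "likely", "major",
         [Control("patching and endpoint detection", likelihood_reduction=1),
          Control("offline backups with tested restore", impact_reduction=2)]),
    Risk("r2", "Fire destroys the main warehouse", "unlikely", "severe",
         [Control("property insurance", impact_reduction=3),
          Control("business continuity plan", impact_reduction=1)]),
    Risk("r3", "Theft of stock from the depot", "likely", "minor",
         [Control("CCTV and access control", likelihood_reduction=1)]),
]

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(r.ref, inherent_level(r), zone(inherent_level(r)), "->",
              current_level(r), zone(current_level(r)), "effort", control_effort(r))
    print("\n".join(render(SAMPLE_RISKS)))
```

In the sample register the warehouse fire keeps a high magnitude but, once insurance and a continuity plan are credited, sits in the green zone at its current level, which is the distinction the text draws between the magnitude of an event and its impact; the ransomware risk moves furthest, so its controls are the ones the organization most needs to verify are actually in place.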
02 Impact of risk on organizations
Level of risk
Following the events in the world financial system during 2008, all organizations are
taking a greater interest in risk and risk management. It is increasingly understood
that the explicit and structured management of risks brings benefits. By taking a proactive approach to risk and risk management, organizations will be able to achieve the
following four areas of improvement:
● Strategy, because the risks associated with different strategic options will be fully analysed and better strategic decisions will be reached.
● Tactics, because consideration will have been given to selection of the tactics and the risks involved in the alternatives that may be available.
● Operations, because events that can cause disruption will be identified in advance and actions taken to reduce the likelihood of these events occurring, limit the damage caused by these events and contain the cost of the events.
● Compliance will be enhanced because the risks associated with failure to achieve compliance with statutory and customer obligations will be recognized.
It is no longer acceptable for organizations to find themselves in a position whereby
unexpected events cause financial loss, disruption to normal operations, damage to
reputation and loss of market presence. Stakeholders now expect that organizations
will take full account of the risks that may cause disruption within operations, late
delivery of projects or failure to deliver strategy.
The exposure presented by an individual risk can be defined in terms of the likelihood of the risk materializing and the impact of the risk when it does materialize.
As risk exposure increases, the likely impact will also increase. Guide 73 refers to this
measurement of likelihood and impact as being the current or residual ‘level of risk’.
This level of risk should be compared with the risk attitude and risk appetite of the
organization for risks of that type. The risk appetite will sometimes be described as
a set of risk criteria.
Throughout this book, the term ‘magnitude’ is used to indicate the size of the event
that has occurred or might occur. The term ‘impact’ is used to define how the
event affects the finances, operations, reputation and/or marketplace (FIRM) of the
organization. This use of terminology is also consistent with the use of impact in
business continuity planning evaluations. This is a measure of the risk at the current
level. The term ‘consequences’ is used in this book to indicate the extent to which the
event results in failure to achieve effective and efficient strategy, tactics, operations
and compliance (STOC).
Injury to key player
A sports club will wish to reduce the chances of a key player being absent through injury.
However, key players do get injured and the club will need to consider the impact of such
an event in advance of it happening. If the injury is serious, the player may be absent for
a significant length of time. There is likely to be a substantial impact, which will be most
obvious on the pitch where the success of the team is likely to be reduced.
However, other consequences may also result and these could include the loss of revenue
from the sale of shirts and other merchandise with that player’s name and number. Arrangements
to reduce the potential for loss of income should also be considered.
Impact of hazard risks
Hazard risks undermine objectives, and the level of impact of such risks is a measure
of their significance. Risk management has its longest history and earliest origins in
the management of hazard risks. Hazard risk management is closely related to the
management of insurable risks. Remember that a hazard (or pure) risk can only have
a negative outcome.
Hazard risk management is concerned with issues such as health and safety at
work, fire prevention, avoiding damage to property and the consequences of defective products. Hazard risks can cause disruption to normal operations, as well as
resulting in increased costs and poor publicity associated with disruptive events.
Hazard risks are related to business dependencies, including IT and other supporting services. There is increasing dependence on the IT infrastructure of most organizations and IT systems can be disrupted by computer breakdown or fire in server
rooms, as well as virus infection and deliberate hacking or computer attacks.
Theft and fraud can also be significant hazard risks for many organizations. This
is especially true for organizations handling cash or managing a significant number
of financial transactions. Techniques relevant to the avoidance of theft and fraud
include adequate security procedures, segregation of financial duties, and authorization and delegation procedures, as well as the vetting of staff prior to employment.
It is worth reflecting on terminology, because this is especially important in
relation to hazard risks, if an event occurs. If a hazard risk materializes, it may have
a very large magnitude, such as the destruction of the main distribution warehouse
of an organization. This large magnitude event will have an impact on the organization related to potential financial costs, destruction of infrastructure, damage to
reputation and the inability to function in the marketplace. Magnitude represents
the gross or inherent level of the risk.
However, the impact of the event will be reduced because of the controls that are
in place. Impact represents the net, residual or current level of the risk. These controls reduce the financial impact, the extent of destruction of infrastructure, as well
as controls designed to protect reputation and marketplace activities. But, what is
also important for the organization is the consequences of the major warehouse fire.
These consequences relate to the effect that the fire might have on the strategy,
tactics, operations and compliance activities within the organization.
It is possible that a major fire will cause significant financial loss that is covered
by insurance, so that this large magnitude event has little impact on the finances of
the organization. Effective crisis management and business continuity will ensure
that the consequences of this major fire from the point of view of customers will be
so well managed that customers need not be aware that a major fire has taken place.
Finally, the importance of compliance risks should not be underestimated.
Compliance risks can be substantial for many organizations, especially those business sectors that are heavily regulated. In some cases, compliance with mandatory
requirements represents a ‘licence to operate’ and failure to achieve the level of
compliance activities required by the relevant regulator can have a significant impact
on the reputation of the organization and substantial consequences for routine
business activities.
Attachment of risks
Although most standard definitions of risk refer to risks as being attached to corporate objectives, Figure 2.1 provides an illustration of the options for the attachment
of risks. Risks are shown in the diagram as being capable of impacting the key dependencies that deliver the core processes of the organization. Corporate objectives and
stakeholder expectations help define the core processes of the organization. These core
processes are key components of the existing nature and future enhancement of the
business model and can relate to operations, tactics and corporate strategy, as well as
compliance activities, as considered further in Chapter 19.
The intention of Figure 2.1 is to demonstrate that significant risks can be
attached to features of the organization other than corporate objectives. Significant
risks can be identified by considering the key dependencies of the organization, the
corporate objectives and/or the stakeholder expectations, as well as by analysis of
the core processes of the organization. For example, the failure of Northern Rock
occurred because the wholesale money markets, on which the bank depended,
stopped functioning. Another way of viewing the concept of attachment of risks is to
consider that the features shown in Figure 2.1 offer alternative starting points for
undertaking a risk assessment. For example, a risk assessment can be undertaken by
asking ‘what do stakeholders expect of us?’ and ‘what risks could impact the delivery
of those stakeholder expectations?’
In the build-up to the recent financial crisis, banks and other financial institutions
established operational and strategic objectives. By analysing these objectives and
identifying the risks that could prevent the achievement of them, risk management
made a contribution to the achievement of the high-risk objectives that ultimately
led to the failure of the organizations. This example illustrates that attaching risks to
FIGURE 2.1 Attachment of risks
[Figure: boxes for mission statement; strategic or business plan (and annual budget); corporate objectives; stakeholder expectations; core processes; key dependencies; and significant risks, linked by arrows labelled ‘support or deliver’ and ‘impact or attach’.]
attributes other than objectives is not only possible but may well have been desirable
in these circumstances.
It is clearly the case that risks are greater in circumstances of change. Therefore,
linking risks to change objectives is not unreasonable, but the analysis of each objective in turn may not lead to robust risk recognition/identification. In any case, business
objectives are usually stated at too high a level for the successful attachment of risks.
To be useful to the organization, the corporate objectives should be presented as
a full statement of the short-, medium- and long-term aims of the organization.
Internal, annual, change objectives are usually inadequate, because they may fail to
fully identify the operational (or efficiency), change (or competition) and strategic
(or leadership) requirements of the organization.
The most important disadvantage associated with the ‘objectives-driven’ approach to risk and risk management is the danger of considering risks out of the
context that gave rise to them. Risks that are analysed in a way that is separated
from the situation that led to them will not be capable of rigorous and informed
evaluation. It can be argued that a more robust analysis can be achieved when a
‘dependencies-driven’ approach to risk management is adopted.
It remains the case that many organizations continue to use an analysis of corporate objectives as a means of identifying risks, because some benefits do arise from
this approach. For example, using this ‘objectives-driven’ approach facilitates the
analysis of risks in relation to the positive and uncertain aspects of the events that
may occur, as well as facilitating the analysis of the negative and compliance aspects.
If the decision is taken to attach risks to the objectives of the organization, it is
important that these objectives have been fully and completely developed. Not only
do the objectives need to be challenged to ensure that they are full and complete, but
the assumptions that underpin the objectives should also receive careful and critical
attention.
Core processes are discussed in Chapter 19 and may be considered as the high-level processes that drive the organization. In the example of a sports club, one of
the key processes is the operational process of ‘delivering successful results on the
pitch’. Risks may be attached to this core process, as well as being attached to objectives and/or key dependencies. Core processes can be classified as strategic, tactical,
operational and compliance (STOC). In all cases, the core processes need to be effective and efficient. Mature (or sophisticated) risk management activities can then be
designed to enhance the effectiveness and efficiency of core processes.
Although risks can be attached to other features of the organization, the standard
approach is to attach risks to corporate objectives. One of the standard definitions
of risk is that it is something that can impact (undermine, enhance or cause doubt
about) the achievement of corporate objectives. This is a useful definition, but it does
not provide the only starting point for identifying significant risks.
Attachment of risks to key dependencies and, especially, stakeholder expectations
is becoming more common. The importance of stakeholders and their expectations
is considered in more detail in Chapter 29. The use of key dependencies to identify
risks can be a straightforward exercise. The organization will need to ask what are
the features or components of the organization and its external context that are key
to success. This will result in the identification of the strengths, weaknesses, opportunities and threats facing the organization. This is often referred to as a SWOT
analysis. Having identified the key dependencies, as set out in Table 13.1, the
organization can then consider the risks that will impact these dependencies. This
approach is discussed in more detail with practical examples of risks provided in
Table 13.1 and Table 15.2.
Risk and reward
Another feature of risk and risk management is that many risks are taken by organizations in order to achieve a reward. Figure 2.2 illustrates the relationship between
the level of risk and the anticipated size of reward. A business will launch a new
product because it believes that greater profit is available from the successful marketing of that product. In launching a new product, the organization will put resources
at risk because it has decided that a certain amount of risk taking is appropriate.
The value at risk represents the risk appetite of the organization with respect to the
activity that it is undertaking.
When an organization puts value at risk in this way, it should do so with the full
knowledge of the risk exposure and it should be satisfied that the risk exposure is
within the appetite of the organization. Even more important, it should ensure that
it has sufficient resources to cover the risk exposure. In other words, the risk exposure should be quantified, the appetite to take that level of risk should be confirmed,
and the capacity of the organization to withstand any foreseeable adverse consequences should be clearly established.
Not all business activities will offer the same return for the same level of risk
taken. Start-up operations are usually high risk and the initial expected return may
be low. Figure 2.2 demonstrates the probable risk versus reward development for
a new organization or a new product. The activity will commence in the bottom
right-hand corner as a start-up operation, which is high risk and low return.
Figure 2.2 Risk and reward
[Diagram: vertical axis "Potential reward", horizontal axis "Level of risk"; the four positions shown are Start-up operation (high risk, low return), Growth, Mature operation and Decline.]
As the business develops, it is likely to move to a higher return for the same level of
risk. This is the growth phase for the business or product. As the investment matures,
the reward may remain high, but the risks should reduce. Eventually, an organization
will become fully mature and move towards the low-risk and low-return quadrant.
The normal expectation in very mature markets is that the organization or product
will be in decline.
The particular risks that the organization faces will need to be identified by
management or by the organization. Appropriate risk management techniques will
then need to be applied to the risks that have been identified. The nature of these risk
responses and the nature of their impact are considered in Part Four of this book.
The above discussion about risk and reward applies to opportunity risks. However,
it must always be the case that risk management effort produces rewards. In the case
of hazard risks, it is likely that the reward for increased risk management effort
will be fewer disruptive events. In the case of project risks, the reward for increased
risk management effort will be that the project is more likely to be delivered on
time, within budget and to specification/quality.
For opportunity risks, the risk versus reward analysis should result in fewer unsuccessful new products and a higher level of profit or (at worst) a lower level of loss for
all new activities or new products. In all cases, profit or enhanced level of service is
the reward for taking risk. The concept of the risk versus reward analysis in relation
to strategic risks is considered in more detail in Figure 15.2.
Risk versus reward
In a Formula 1 Grand Prix, the Ferrari team decided to send a driver out on wet-weather
tyres, before the rain had actually started. Wet-weather tyres wear out very quickly in dry
conditions and make the car much slower. If the rain had started immediately, this would
have proved to be a very good decision.
In fact, the rain did not start for four or five laps, by which time the driver had been
overtaken by most other drivers and his set of wet-weather tyres were ruined in the dry
conditions. He had to return to the pits for a further set of new tyres more suited to the race
conditions. In this case, a high-risk strategy was adopted in anticipation of significant
rewards. However, the desired rewards were not achieved and significant disadvantage
resulted.
Attitudes to risk
Different organizations will have different attitudes to risk. Some organizations may
be considered to be risk averse, whilst others will be risk aggressive. To some extent,
the attitude of the organization to risk will depend on the sector and the nature and
maturity of the marketplace within which it operates, as well as the attitude of the
individual board members.