Hopkin, P., & Institute of Risk Management. (2010). Fundamentals of risk management: Chapter 15
Table 11.1 provides a summary of the main risk classification systems. These
are the COSO, IRM standard, BS 31100 and the FIRM risk scorecard. There are
similarities in most of these systems. It should be noted that identifying risks
as: 1) hazard, control or opportunity; 2) high, medium or low; and 3) short
term, medium term and long term should not be considered to be formal risk
classification systems.
Many organizations struggle to find a suitable risk classification system.
Often, this is because there is insufficient attention paid to the nature of the
risks that are being classified. The bow-tie representation of the risk
management process illustrates that it is possible to classify risks according
to their source, the component of the organization that the event impacts and
the impact and/or consequences of the risk materializing.
Short-, medium- and long-term classification of risks represents the
operational, tactical and strategic risks faced by the organization. The
categories of disruption to organizations described in Table 3.2 use a
classification system according to the component of the organization that is
impacted. This is the people, premises, processes and products (4Ps) risk
classification system. The FIRM risk scorecard described in Table 11.2
classifies risks according to their impact.
TABLE 11.1 Risk classification systems

Standard or framework: classification headings
COSO ERM: Strategic; Operations; Reporting; Compliance
IRM standard: Financial; Strategic; Operational; Hazard
FIRM risk scorecard: Financial; Infrastructure; Reputational; Marketplace

TABLE 11.2 Attributes of the FIRM risk scorecard

Financial
Description: Risks that can impact the way in which money is managed and profitability is achieved
Internal or external risk: Internal
Quantifiable: Usually
Measurement (performance indicator): Gains and losses from internal financial control
Performance gap: Procedures, i.e. failure of procedures to control internal financial risks
Control mechanisms: Capex standards; Internal control; Delegation of authority

Infrastructure
Description: Risks that will impact the level of efficiency and dysfunction within the core processes
Internal or external risk: Internal
Quantifiable: Sometimes
Measurement (performance indicator): Level of efficiency in processes and operations
Performance gap: Process, i.e. failure of processes to operate without disruption
Control mechanisms: Process control; Loss control; Insurance and risk financing

Reputational
Description: Risks that will impact desire of customers to deal or trade and level of customer retention
Internal or external risk: External
Quantifiable: Not always
Measurement (performance indicator): Nature of publicity and effectiveness of marketing profile
Performance gap: Perception, i.e. failure to achieve the desired perception
Control mechanisms: Marketing; Advertising; Reputation and brand protection

Marketplace
Description: Risks that will impact the level of customer trade or expenditure
Internal or external risk: External
Quantifiable: Yes
Measurement (performance indicator): Income from commercial and market activities
Performance gap: Presence, i.e. failure to achieve the required presence in the marketplace
Control mechanisms: Strategic and business plans; Opportunity assessment

There are similarities in the way that risks are classified by the different risk
classification systems. However, there are also differences, including the fact
that operational risk is referred to as infrastructure risk in the FIRM risk
scorecard. COSO takes a narrow view of financial risk, with particular
emphasis on reporting. The different systems have been devised in different
circumstances and by different organizations; therefore, the categories will
be similar but not identical. In describing different risk classification
systems, Table 11.1 illustrates that many classification systems offer a
combination of source, event, impact and consequences categories.
British Standard BS 31100 sets out the advantages of having a risk
classification system. These benefits include helping to define the scope of
risk management in the organization, providing a structure and framework
for risk identification, and giving the opportunity to aggregate similar kinds
of risks across the whole organization. ISO 31000 does not suggest a risk
classification system. In summary, examples of the advantages of having a
risk classification system include:
• Accumulations of risk that could undermine a key dependency or business
objective and make it vulnerable can be more easily identified.
• Responsibility for improved management of each different type of risk can
be more easily identified/allocated if risks are classified.
• Decisions and knowledge about the type of control(s) that will be
implemented can be taken on a more structured and informed basis.
• Circumstances where the risk appetite of the organization is being
exceeded (or the risk criteria not being implemented) can be more readily
identified.
The British Standard states that the number and type of risk categories
employed should be selected to suit the size, purpose, nature, complexity and
context of the organization. The categories should also reflect the maturity of
risk management within the organization. Perhaps the most commonly used
risk classification systems are those offered by the COSO ERM framework and
by the IRM risk management standard.
However, the COSO risk classification system is not always helpful and it
contains several weaknesses. For example, strategic risks may also be present
in operations and in reporting and compliance. Despite these weaknesses, the
COSO framework is in widespread use, because it is the recognized and
recommended approach for compliance with the requirements of the
Sarbanes-Oxley Act.
It is worth noting that the COSO ERM framework (2004) is the broader
version of COSO, and it also includes the requirements of the recently
updated COSO Internal Control framework (2013). The reporting component
of the COSO Internal Control framework is specifically concerned with the
accuracy of the reporting of financial data and is designed to fulfil the
requirements of section 404 of the Sarbanes-Oxley Act.
The features of the FIRM risk scorecard are set out in Table 11.2. Financial and
infrastructure risks are considered to be internal to the organization, while
reputational and marketplace risks are external. Also, financial and
marketplace risks can be easily quantified in financial terms, whereas
infrastructure and reputational risks are more difficult to quantify.
The inclusion of reputational risks as a separate category of risk in the FIRM
risk scorecard is not universally accepted. It is sometimes argued that damage
to reputation is a consequence of other risks materializing and should not be
considered as a separate risk category. However, if a broader view of risk is
taken, it becomes obvious that reputation is vitally important. This is
particularly important when organizations are seeking to use their brand
name to enter additional markets, or to achieve 'brand stretch' as it is
sometimes called.
In any case, there is a wider argument that all risks are a consequence of
broader business decisions. Adopting a particular strategy, undertaking a
project and/or continuing with established operations all involve risks. If the
organization did not undertake these strategic, tactical or operational
activities, risks would not be present.
FIRM risk scorecard
The four headings of the FIRM risk scorecard offer a classification system for
the risks to the key dependencies in the organization. The classification
system also reflects the idea that every organization should be concerned
about its finances, infrastructure, reputation and marketplace success. In
order to give a broader scope to commercial success, the headings of the FIRM
risk scorecard are as follows:
• F Financial;
• I Infrastructure;
• R Reputational;
• M Marketplace.
PESTLE risk classification system
Table 11.3 provides an outline of the PESTLE risk classification system.
PESTLE is an acronym that stands for political, economic, sociological,
technological, legal and ethical risks. In some versions of the approach, the
final E is used to indicate narrower environmental considerations. This risk
classification system is most applicable to the analysis of hazard risks and is
less easy to apply to financial, infrastructure and reputational risks.
The PESTLE risk classification system is often seen as most relevant to the
analysis of external risks. External risk in this context is intended to refer to
the external context that is not wholly within the control of the organization
but where action can be taken to mitigate the risks. It is often suggested that
the PESTLE risk classification system should be used in conjunction with an
analysis of the strengths, weaknesses, opportunities and threats (SWOT)
facing the organization. A SWOT analysis of each of the six PESTLE categories
is recommended by the Orange Book.
The advantage of the PESTLE risk classification system is that it provides a
clear analysis of the issues that should be addressed within the external
context. The PESTLE approach may be most applicable in the public sector,