
Lesson 6

Alternative approaches

Changing face of risk management

As with any management initiative that becomes embedded within the way the organization
operates, a successful risk initiative is bound to develop and become more sophisticated.
Developments in the discipline of risk management, especially during the past 10 years,
have been dramatic. Also, the level to which risk management requirements have become
embedded within corporate governance has been extensive. Many new developments of
risk management have appeared during that time. In the 1990s, risk management
practitioners used to talk about integrated or holistic risk management, but now the
universally accepted terminology for the broad application of risk management across the
whole organization is enterprise risk management (ERM). Similarly, operational risk
management (ORM) has been established and developed very substantially during a
shorter time period of perhaps five years.

In many ways, the fact that the risk management discipline continues to develop and adapt
itself to changing circumstances can be seen as beneficial. However, there is a danger that
risk management practitioners will be seen to be delivering an ever-changing and therefore
inconsistent message. That is not to say that risk management should become a static
discipline, but it is important to remember that changing the basis on which risk
management analysis and advice is offered and appearing to be changing the very nature
of the risk management process, will cause confusion and lack of interest amongst the
senior board members. Any review of the changing face of risk management has to
acknowledge the global financial crisis and the role that risk management played in the
development of this situation. As the global financial crisis developed, newspaper and
television reports constantly repeated two messages: ‘risk is bad’ and ‘risk management has
failed’. Neither of these statements is true. It is essential that organizations take appropriate
risks, and the failures that led to the global financial crisis were failures in the application of
risk management, not failures of risk management itself.
Risk awareness should not prevent an organization embarking on a high-risk strategy, but
the decisions will be taken with full awareness of the risks that are involved. Organizations
should continue to look for opportunities and, from time to time, acknowledge that there is a
good opportunity that looks very risky.
The global financial crisis does not represent a failure of risk management. It represents a
failure to completely and correctly apply risk management procedures and protocols. When
an organization is risk aggressive, it limits the range of risks that the board will consider, as
there is limited scope for identifying risks as high likelihood/high impact. In other words,
the universe of risk for that organization is severely restricted and will exclude risks
that should receive the board’s attention.

If the organization is risk aggressive, then very few priority significant risks will
be identified. This will result in the organization creating a ‘closed universe of risk’ for the
board that potentially restricts broader discussion and analysis. However, there is nothing
inherently incorrect about an organization being risk aggressive. If an organization is risk
aggressive, there is an increased need to revisit risk assessments, challenge the scope and
results of risk analysis activities, and ensure that a highly dynamic approach to risk
management is maintained at all times and at all levels in the organization. In addition to the
concerns about risk management raised by the global financial crisis, certain other
challenging issues for risk management exist. The concepts of risk appetite and the upside
of risk are useful ideas, but more development work is required before the definitions and
successful application of these concepts can bring guaranteed benefits.

Managing emerging risks


All organizations are concerned about changes in the external and internal context that give
rise to new challenges, uncertainties and opportunities. These changes can be considered
to be the emerging risks facing the organization. However, consideration of emerging risks
can be difficult unless the organization clearly understands the nature of the emerging risks
that it faces. Emerging risks can be divided into three categories, as follows:
- new risks that have emerged in the external environment, but are associated with
the existing strategy of the organization – new risks in known context;
- existing risks that were already known to the organization, but have developed or
changed circumstances have triggered the risk – known risks in new context;
- risks that were not previously faced by the organization, because the risks are
associated with changed core processes – new risks in new context.

Several business developments have increased the level of risk faced by organizations in
recent times, including:
- moving into new markets;
- embracing new technologies;
- developing increasingly complex supply chains.

Generally, these increasing risks will be under the control of the organization itself.
Additionally, there are many emerging or developing risks that are not within the control of
an individual organization, including:
- climate change;
- sovereign debt;
- national security;
- changing demographics.

When seeking to manage these emerging risks, an organization should evaluate whether
the risks are to be treated as hazard, control or opportunity risks. Depending on the
activities of the organization, many of these emerging risks may simply be threats to the
organization or represent opportunities for future development. In some cases, the
emerging risks will simply represent additional uncertainties that need to be managed.
Some risk management practitioners refer to the speed of development and change of
risks as the risk velocity. A good example of emerging risk is nanotechnology.

Nanotechnology is used extensively in the medical and, to some extent, cosmetics
industry to improve the effectiveness of cosmetic treatment of skin conditions.
Whether any long-term risks will emerge from the use of nanotechnology has not yet been
fully established. Another good example is that associated with the use of mobile phones.
Mobile phones have become commonplace, but the technology has developed rapidly over
the past 25 years. Mobile phone signals were much more powerful 25 years ago.
Therefore, if any health allegations begin to emerge against the use of mobile phones,
these health effects are likely to be associated with the technology that is no longer used.
This will represent significant challenges in deciding whether any health hazards no longer
exist because the technology has changed, or whether the health hazards are just as
significant and will prove to be equally associated with current technology.

As nanotechnology is an emerging field, there is great debate regarding the extent to which
it will benefit or pose risks for human health. Nanotechnology’s health impact can be split
into two aspects:
- the potential for medical applications to cure disease, and
- the potential health hazards posed by exposure to nano-materials.

The extremely small size of nano-materials means that they are much more readily taken
up by the human body than larger-sized particles. How these nano-particles behave inside
the organism is one of the big issues that needs to be resolved. The behaviour of
nano-particles is a function of their size, shape and surface reactivity with the surrounding
tissue. Apart from what happens if non-degradable or slowly degradable nano-particles
accumulate in organs, another concern is their potential interaction with biological
processes inside the body: because of their large surface, nano-particles on exposure to
tissue and fluids will immediately absorb onto their surface some of the macro-molecules
they encounter. The large number of variables influencing toxicity means that it is difficult to
generalize about health risks associated with exposure to nano-materials; each new
nano-material must be assessed individually and all material properties must be taken into
account. Health and environmental issues combine in the workplace of companies engaged
in producing or using nano-materials and in the laboratories engaged in nano-science and
nanotechnology research. It is safe to say that current workplace exposure standards for
dusts cannot be applied directly to nano-particle dusts.

Increasing importance of resilience

In recent years, there has been an increasing interest in the topic of resilience. Perhaps the
trend started with government and local or municipal authorities. There was recognition
during the 1990s and 2000s that society, in general, and communities, in particular, had to
become more resilient. This developing awareness initially arose in relation to civil
emergencies, as well as natural catastrophes, such as earthquakes and extreme weather
events.

The increasing awareness and concern in relation to resilience is clearly demonstrated by
the fact that the replacement for British Standard BS 25999:2006 Part 1 ‘Code of Practice –
Business Continuity Management’ was ISO 22301:2012 ‘Societal Security – Business
Continuity Management Systems – Requirements’. A number of other standards in the ISO
22300 series are being developed and there are moves towards developing resilience
standards in other countries. One of the best established resilience standards is the
Organizational Resilience Standard (ASIS SPC.1-2009) published by the American National
Standards Institute.

This ASIS standard takes an enterprise-wide view of risk management, enabling an
organization to develop a comprehensive strategy to prevent when possible, prepare for,
mitigate, respond to, and recover from a disruptive incident. This allows integration with
ISO 31000. It is also compatible with existing ISO management system standards (such as
ISO 9001, ISO 14001, ISO 27001 and ISO 28000). The overall approach is that a resilient
organization needs to ‘prevent, protect and prepare’ in relation to resources and assets and
at the same time be able to ‘respond, recover and review’ when a crisis occurs.

When seeking to make an organization more resilient, it is essential to have a definition of
the desired state of resilience that is being sought. ISO 22300:2012 ‘Societal Security –
Terminology’ defines resilience as the ‘adaptive capacity of an organization in a complex
and changing environment’. This is a useful definition, but resilience is often associated with
crisis management, and this definition does not explicitly address the behaviour of an
organization during a crisis. Perhaps a better definition would be the ‘capacity of an
organization to consistently achieve a desired state following a change in circumstances’.
This definition is more inclusive of the management of a crisis, as well as the ability to
successfully respond to less dramatic or disruptive events. The emergence of resilience is
an opportunity for risk management and business continuity specialists to work together to
ensure a more co-ordinated approach to enterprise risk management, business continuity
and crisis management. There are three behaviours that should be achieved by an
organization if it is to achieve increased resilience:
- awareness of changes in the external, internal and risk management
environments, so that constant attention to resilience is ensured;
- ‘prevent, protect and prepare’ in relation to all types of resources, including
assets, networks, relationships and intellectual property;
- ‘respond, recover and review’ in relation to disruptive events, including the ability
to respond rapidly, review lessons learnt and adapt.

Finally, it is worth noting that another trend in the structure of risk management and
resilience standards appears to be emerging. Several standards are moving towards
the ‘plan–do–check–act’ (PDCA) structure. This approach is entirely consistent with
the plan, implement, measure, learn (PIML) approach to implementing a risk management
initiative. The ASIS standard explicitly follows the PDCA format.
PIML is preferred to PDCA because it is a more comprehensive and analytical approach. In
fact, both the framework and the risk management process described in ISO 31000 are
aligned with the PIML approach, once the ‘mandate and commitment’ for the framework and
the ‘establish the context’ for the process stages (respectively) have been completed. As
the increasing importance of resilience is recognized, advice on achieving resilience is
becoming more widespread.

Different approaches

The approach adopted by the Canadian Criteria of Control (CoCo) framework (1995)
produced by the Canadian Institute of Chartered Accountants is based on the idea that the
risk culture of the organization is the most important consideration. If the risk culture is
correct, then the successful management of risks should follow. The CoCo framework
states that:
- A person performs a task, guided by an understanding of its purpose (the
objective to be achieved) and supported by capability (information, resources,
supplies and skills).
- The person will need a sense of commitment to perform the task well over time.
- The person will monitor his or her performance and the external environment to
learn about how to do the task better and about changes to be made.

The same is true of any team or workgroup. In any organization of people, the essence of
control is purpose, commitment, capability, and monitoring and learning. The COSO ERM
framework refers to the control environment as the internal environment. This is equivalent
to the control environment that is considered in the CoCo framework. CoCo provides a
structured means of analysing the control environment that enables a quantitative
assessment of the control environment, so that the features for improvement can be
identified. Although there are different versions of the CoCo questions, the following are the
headings that are normally used in order to evaluate the risk-aware culture within an
organization using the CoCo approach:
- purpose, vision and mission;
- commitment to integrity and ethical values;
- capability, authority and responsibilities;
- learning and development of competence.

In addition to the CoCo approach, there are many other risk management and internal
control standards available throughout the world. The scope and intended purpose of the
standards varies. An important development in standards is the emergence of the concept
of Governance, Risk and Compliance (GRC). The approach underpinning the principle is
related to the concept of the three lines of defense, whereby different risk management and
internal control responsibilities are allocated to senior management, specialist risk functions
and internal audit. The overall approach to GRC is based on the separation of functions:
- senior management is responsible for governance within the organization;
- specialist risk functions are responsible for risk management activities;
- assurance on adequate compliance is provided by internal audit.

Within this structure, the board is responsible for the governance of risk and disclosure, and
management is responsible for the design, implementation and monitoring of the risk
management plan.

Embedding organizational resilience into governance mechanisms should ensure that the
management of the risks to critical infrastructure posed by natural hazards, major accidents
and other malicious damage is considered by the board. The needs of organizational
resilience would thereby inform strategic investment and procurement decisions, risk
management and discussions with supply chain partners. It would enable infrastructure
owners and operators to improve their understanding of the resilience of their infrastructure,
measure the success of the strategy at regular intervals, and make necessary amendments
to secure delivery or to match changing organizational priorities.

In addition to risk management standards and corporate governance requirements, there
are a number of specialist standards that apply to risk management. In particular, the IT
sector has produced a number of well-regarded and widely used standards. Perhaps the
best-known of the standards is Control Objectives for Information and Related
Technology (COBIT). COBIT provides good practices across a domain and process
framework and presents activities in a manageable and logical structure. The good
practices described in COBIT represent the consensus of experts. They are strongly
focused on control, less on execution. These practices will help optimise IT-enabled
investments, ensure service delivery and provide a measure against which to judge when
things do go wrong. For IT to be successful in delivering against business requirements,
management should put an internal control system or framework in place. The COBIT
control framework contributes to these needs by:
- making a link to the business requirements;
- organizing IT activities into a generally accepted process model;
- identifying the major IT resources to be leveraged;
- defining the management control objectives to be considered.

The business orientation of COBIT consists of linking business goals to IT goals, providing
metrics and maturity models to measure their achievement, and identifying the associated
responsibilities of business and IT process owners.

Board responsibilities in some risk requirements

Risk management responsibility:
1 Board is responsible for governance of risk.
2 Board is responsible for determining the levels of risk tolerance and risks it is willing to take
(risk appetite).
3 Board should be assisted in carrying out its risk responsibilities by the risk committee or
audit committee.
4 Board should delegate to management the responsibility to design, implement and
monitor the risk management plan.
5 Board should ensure that risk assessments are performed on a continual basis.
6 Board should ensure that frameworks and methodologies are implemented to increase the
probability of anticipating unpredictable risks.
7 Board should ensure that management considers and implements appropriate risk
responses.
8 Board should ensure continuous risk monitoring by management.
9 Board should receive assurance regarding the effectiveness of the risk management
process.
10 Board should ensure that there are processes in place to ensure complete, timely,
relevant, accurate and accessible risk disclosure to stakeholders.

Structure of management standards

ISO has produced guidance on the required structure of management system standards.
A number of existing standards have already been converted, including ISO 14001:2004
‘Environmental Management Systems – Requirements with Guidance for Use’. Also, ISO
22301:2012 ‘Societal Security – Business Continuity Management’ has been migrated to
this new structure.
Major clause numbers and titles of all management system standards will become
identical. Following the introduction of Annex SL, management system standards that
comply with it will be structured with the following clauses:

1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
5 Leadership
6 Planning
7 Support
8 Operation
9 Performance evaluation
10 Improvement

It is interesting to note that the structure does not explicitly describe framework and
process as separate items, in the way that these are presented in ISO 31000. Perhaps
this is part of the reason that there are currently (November 2016) no plans to
convert ISO 31000 into the Annex SL format. Nevertheless, the Annex SL structure
enables organizations developing their own approach to enterprise risk management
to devise an approach that is compatible with any other ISO standards implemented
in the organization, including the most popular of all ISO standards, ISO 9001 on
quality management, as well as with the plan–implement–measure–learn (PIML) approach.
The PIML approach is similar to the plan–do–check–act (PDCA) terminology used by several
organizations. An important aspect of Annex SL is that the planning stage described in
Clause 6 sets out two sub-clauses:
- actions to address risks and opportunities;
- management system objectives and planning to achieve them.

This means that the requirement to plan and implement actions to address risks and
opportunities is now embedded into ISO 9001 on quality management and will
become embedded into other standards as the Annex SL format is progressively introduced.

Future of risk management


The development of international risk management standard ISO 31000 is undoubtedly an
important step forward for risk management practitioners. The emergence of enhanced
corporate governance codes has also added profile to the practice of risk management in
many countries. The effects of the global financial crisis are still being felt and questions are
still being asked of risk management and why it did not contribute more to the avoidance of
this crisis. Other important trends include the development of enhanced reporting
requirements that are being placed on organizations of all types. This is especially true of
organizations that are listed on stock exchanges around the world. Risk management
information systems (RMIS) are becoming more developed and sophisticated and can offer
a significant benefit to organizations that use them. Despite all of these developments and
the undoubted increasing professionalism and competence of risk management
practitioners, there is still scope to ask questions about future developments in risk
management. The emergence of ‘governance, risk and compliance’ (GRC) has been
mentioned and it represents a major step forward in the structure of risk management
activities. The emergence of GRC, together with a better understanding of the benefits of
the three lines of defense, has put organizations in a better position to practice risk
management. Risk management practitioners realize that their discipline makes a major
contribution and they are also aware that risk management activity should be integrated with
other management activities. In some cases, there is every danger that risk management
activities will become integrated with audit activities, and these three lines of defense then
become the two lines of defense. There is a need for organizations to integrate risk activities
throughout the whole
of their organizations, rather than treating risk management activities as a separate
management role that requires separate management information. Perhaps this is one of
the major disadvantages of the use of the risk register in many organizations. The risk
register is a snapshot of risk management activities in the organization, but the risk is that it
is not reviewed on a continuous basis. The risk register is often a static document that does
little to add benefit to the management of the organization. Perhaps the time of the risk
register has passed, and organizations should now be integrating risk assessment, risk
recording and risk action plans within the management information that is used for the day-
to-day management of the organization.

In summary, the challenge for risk managers and risk management is to keep risk
management activities proportionate, aligned, comprehensive, embedded and dynamic
(PACED). However, the challenges of doing this are becoming greater as boards, executive
management, managers and staff become more familiar with the theory and application of
risk management. The challenge is to ensure integration of these activities, without them
becoming so routine that the importance of risk
management is lost. Risk management activities need to be linked to discussion of strategy,
tactics and operations, as well as being linked to discussion of business delivery, budgets
and the business development model.

The publication of ISO 31000 in 2009 opens the possibility that there may be international
standardization of risk management standards in due course. British Standard BS 31100
was originally published in 2008, but was updated in 2011 to provide greater alignment with
ISO 31000. BS 31100 provides greater detail on the risk management framework than ISO
31000 and is a useful addition to the available risk management standards and frameworks.
Management initiatives often come and go. A particular approach becomes fashionable for
a while and then fades away. It is unlikely that this will happen to risk management,
because the requirement to have risk management procedures in place has become
mandatory in many sectors. Also, the global financial crisis
has resulted in a detailed analysis of the benefits that risk management can bring and how
these can be achieved. The brief commentary below illustrates how risk management is
valued around the world and why it is here to stay. Every day, managers and employees
practice risk management by making decisions on what to do, and how and when to do it.
Decisions have to be based on factors such as whether the organization has the capacity,
whether it has set aside the funds and whether this will impact other business units.

ERM is not just a passing trend. It is here to stay and is being driven by both governance
issues and the demands of society. Companies, charities and public-sector organizations
have successfully embraced ERM. Risk management does not have to be complex or a
heavy resource user. It can be tailored to meet the needs of the organization in its early
stages and modified as the level of sophistication and comfort with the process grows. It is a
systematic and proactive approach to managing risk. This means that high-risk exposure
areas are understood, managed and controlled to an acceptable level of exposure so that
the organization is properly protected to minimize negative consequences. It allows the
organization to focus on what is important to control versus what is easy to control.
