Biblioieca

ULACIT

mentals of
Risk
Management w 5th Edition

Understanding,evaiuating
and implementing effective /
risk management /'A

KoganPage
. -.♦r
''tid

—-V
 Introduction to risk management

Risks cannot be considered outside the context that gave rise to them. It may ap
pear that an organization is being risk aggressive, when in fact, the board has de
cided that there is an opportunity that should not be missed. However, the fact that
the opportunity entails high risk may not have been fully considered.
One of the major contributions from successful risk management is to ensure that
strategic decisions that appear to be high risk are actually taken with all of the infor
mation available. Improvement in the robustness of decision-making activities is one
of the key benefits of risk management. Attitude to risk is a complex subject and is
closely related to the risk appetite of the organization, but they are not the same.
Risk attitude indicates the long-term view of the organization to risk and risk ap
petite indicates the short-term willingness to take risk. This is similar to the dif
ference between the long-term or established attitude of an individual towards the
food they eat and their appetite for food at a particular moment in time.
Other key factors that will determine the attitude of the organization to risk in
clude the stage in the maturity cycle, as shown in Figure 2.2. For an organization that
is in the start-up phase, a more aggressive attitude to risk is required than for an
organization that is enjoying growth or one that is a mature organization in a ma
ture marketplace. Where an organization is operating in a mature marketplace and
is suffering from decline, the attitude to risk will be much more risk averse.
It is because the attitude to risk has to be different when an organization is a start
up operation rather than a mature organization, that it is often said that certain
high-profile businessmen are very good at entrepreneurial start-up but are not as
successful in running mature businesses. Different attitudes to risk are required at
different parts of the business maturity cycle shown in Figure 2.2.
The referendum in the UK on continued membership of the European Union (EU)
in June 2016 resulted in a vote in favour of British exit (Brexit). The UK government
has to activate the procedure for the UK to leave the EU. The text box below pro
vides an outline of the most commonly discussed options available to the UK gov
ernment. Overall, the challenge for the UK government is to ensure the continued
success of the UK economy based on a Brexit strategy and tactics that will ensure the
continued resilience of the UK.

Brexit: What departure options exist for the UK

Key benefits for businesses that arise from EU membership include:

• the existence of a single market: there are no tariffs or other barriers to trade;

• the freedom to provide services and freedom of establishment;

• 'passporting'that allows financial services to be traded across the EU;

• visa-free migration of people within the EU;

• access to EU free-trade agreements with 53 countries around the world.
After the Brexit vote, the UK government now has to decide which of these agreements to
retain. Broadly,there are three models that the UK could target.
 Impact of risk on organizations

The Norwegian model

Norway is a member of the European Economic Area, but not the EL). It has full access to the
single market, but must adopt EU standards and regulations and is unable to impose
immigration restrictions. Also, Norway must contribute towards the EU budget.

The Swiss model

Switzerland has had some success in building a two-way deal with the EU, which essentially
allows it to access certain selected parts of the European market in return for accepting EU
legislation in relevant areas as well as making contributions to the EU budget.

The Canadian model

Canada has recently(May 2017) ratified the most far-reaching trade deal with Europe that
has ever been created, and it is possible that the UK could aim to replicate this sort of
relationship. Such an agreement might not allow the continued passporting of financial
services.

All these models struggle to reconcile the central issue of regulatory control. Using these
three models as a base,the UK now has to evaluate how Brexit will create risks and
opportunities for business.

Risk and triggers

Risk is sometimes defined as uncertainty of outcomes. This is a somewhat techni
cal, hut nevertheless useful, definition and it is particularly applicable to the man
agement of control risks. Control risks are the most difficult to identify and define,
but are often associated with projects. The overall intention of a project is to de
liver the desired outcomes on time, within budget and to specification, quality or
performance.
For example, when a building is being constructed, the nature of the ground con
ditions may not always be known in detail. As the construction work proceeds, more
information will be available about the nature of the conditions. This information
may be positive news that the ground is stronger than expected and less foundation
work is required. Alternatively, it may be discovered that the ground is contaminated
or is weaker than expected or that there are other potentially adverse circumstances,
such as archaeological remains being discovered.
Given this uncertainty,these risks should be considered to be control risks and the
overall management of the project should take account of the uncertainty associated
with these different types of risk. It would he unrealistic for the project manager to
assume that only adverse aspects of the ground conditions will be discovered. Like
wise, it would be unwise for the project manager to assume that conditions will be
better than expected, just because s/he wants that to be the case.
Because control risks cause uncertainty, it may be considered that an organization
will have an aversion to them. Perhaps,the real aversion is to the potential variability
 Scope of risk management

Figure 4.2 Risk management sophistication

Contribution

PERFORM

Opportunity
management
•Invest

• Enhance
•Success
CONFORM • Embrace

Achievement of
Control
benefits
management

REFORM

Hazard
comoliance
management

•Tolerate
• Inhibit
• Failure
• Mitigate
NFQRM
Fearful of
Compliance rements

management
•Avoid
• Undernrilne

Sophistication
 Risk management standards

free download of the executive summary of COSO ERM cube. The approach
adopted by the COSO ERM cube suggests that enterprise risk management is not
strictly a serial set of activities, where one component affects only the next. It is con
sidered to be a multidirectional, iterative process in which almost any component
can and does influence all other components.
In the COSO ERM cube, there is a direct relationship between objectives,
which are what an entity strives to achieve, and enterprise risk management com
ponents, which represent what is needed to achieve them. The relationship is de
picted in a three-dimensional matrix, in the form of a cube, and this is reproduced
as Eigure 6.3.
The COSO ERM cube is a very influential risk management framework and it
consists of eight interrelated components. These are derived from the way manage
ment runs an enterprise and are integrated with the management process. A brief
description of the components of the COSO ERM cube is set out in Table 6.2.
The description of the COSO ERM cube includes the statement that:'within the
context of the established mission or vision of an organization, management estab
lishes strategic objectives, selects strategy and sets aligned objectives cascading through
the enterprise.' COSO has recently published additional guidance on ERM and how it
can be integrated with strategy and performance and this guidance is reviewed in

Figure 6.3 COSO ERM cube

ntema Environment

SOURCE COSO Enterprise Risk Management: Integrated Framework, © 2004, Committee of Sponsoring
Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.
 Approaches to risk management

Figure 7.1 Three components of context

External context

Internal context

Architectur^ Strategy

RM
process

Protocols

Internal context

External context

Shows the risk management context

is acceptable. The risk management context should also provide a means of establish
ing the overall total risk exposure so that this can be compared with the risk appe
tite of the organization and the capacity of the organization to withstand risk.
The internal context is about the culture of the organization, the resources that
are available, receiving outputs from the risk management process and ensuring that
these influence behaviours, and supporting and providing governance of risk and
risk management. The internal context concerns objectives, the capacity and capa
bilities of the organization, as well as the business core processes that are in place.
An important consideration regarding the internal context is how the organization
makes decisions.
The external context is about stakeholder expectations, industry regulations and
regulators, the behaviour of competitors and the general economic environment
Risk assessment

Damage limitation
Damage limitation in relation to fire hazards is well established. Although sprinkler
systems are often considered to be a loss prevention measure,they are in fact the major
control measure for ensuring that only limited damage occurs when a fire breaks out.
Other damage limitation factors related to fire include the use of fire segregation within
buildings, the use of fire shutters, and having well-rehearsed arrangements in place to
remove,segregate or otherwise protect valuable items. After the fire at Windsor Castle
in 1992,arrangements were quickly put in place for valuable artwork to be removed
from areas of the castle that had not (up to that time) been affected by the fire.
Accidents at work still occur, despite the considerable attention paid to health and
safety standards and other loss prevention activities. Provision of adequate first aid
arrangements is an obvious damage limitation activity and suitable first aid facilities
are provided by most organizations. For some high-risk factory occupancies, emer
gency treatment arrangements and even medical facilities are provided on site.
In some cases, these medical facilities will include specialist treatment facilities
related to the particular hazards on site. An example is the provision of cyanide an
tidotes in factories where chromium-plating activities take place using cyanide-
plating solutions. A simpler example is the provision of emergency eye-wash bottles
in locations where hazardous chemicals are handled.
The Deepwater Horizon oil spill in the Gulf of Mexico in 2010 provides many risk
management lessons. One of the key issues was that the oil spill took some weeks to
stop. Loss prevention measures were in place to prevent the oil spill starting and cost
containment steps were taken to manage the cost of clean-up, recovery and business
continuity. It is, perhaps, the case that the damage limitation measures were not as
robust as may have been required. Because the oil leak lasted some weeks, there was
opportunity for damage limitation measures to be introduced. However, it does not
appear that these measures had been sufficiently planned in advance.

Cost containment
When a hazard risk materializes despite the efforts put into loss prevention and the
efforts that have been put into damage limitation, there may well still be a need to
contain the cost of the event. For example,among the activities for minimizing costs
associated with serious fires are detailed arrangements for salvage and arrangements
for decontamination of specialist items that have suffered water or smoke damage.
Cost containment in relation to a fire will also include arrangements for specialist
recovery services.The actions that will be taken to ensure that post-incident costs are
minimized should all be set out in business continuity, disaster recovery and crisis
management plans, as appropriate. The topics of business continuity planning and
disaster recovery planning are considered in more detail in Chapter 1 8.
A further consideration relevant to cost containment after an incident is what
insurance companies refer to as'increased cost of operation'. Most material damage/
business interruption insurance policies will allow for payment of increased cost of
operation. This may arise when an organization has to sub-contract certain
 Loss control

production activities, or has to undertake manufacturing work at another one of its

factories, which may be located some distance away.
If a manufacturer discovers that faulty goods have been released into the market
place, a number of actions become necessary.The organization should have developed
plans in advance of the event for notifying customers of the fact that faulty goods are
in the marketplace and how to identify them. The box below considers the impor
tance of product recall in these circumstances.

Product recall risk management

Any company or organization that manufactures, assembles, processes, wholesales or
retails products could be financially impacted by the direct or indirect costs of a product
recall. Direct costs can include wages for staff who have to implement the recall plan. Other
direct costs include communications and this could entail purchasing airtime on radio and
television and notices in newspapers or industry publications.
Indirect costs can include lost production time for staff who must focus on the recall
process, as well as the hiring of temporary employees to ensure continued production.
However,the greatest indirect cost is the impact that adverse publicity could have on market
share. A product recall should be designed to:

• protect the customer from bodily injury or property damage;

• remove the product from the market and from production;
• comply with specific regulatory requirements;
• protect the assets of the company.
Risk assessment

Figure 14.1 Risk matrix for opportunities and hazards

Upside Risk Likelihood Downside Risk

1 :2
High High Medium Medium .InilScJf;! .
Probable

1 :10
High ivfeslium Low Mei^ifim IkLyint
Possible

1 :100
Medium Low Low Medium
Unlikely

Major Moderate Minor Minor Moderate Major

Consequence

Multiple Objective Objective Objective- Slippage Failure to Extinction

objectives delivered delivered driven and meet an of
exceeded significantly slightly (customer, minor objective organization
beneficially early, early, better people, deviation
better, or society
or cheaper cheaper or key
performance)

Riskiness index
The risk profile of an organization can be represented in many ways. The most
common method used is to prepare a risk register that contains details of the
significant risks that it faces. However, a disadvantage of the risk register is that it is
usually a qualitative evaluation of individual risks. Organizations need to develop a
means of measuring, evaluating and quantifying the total risk exposure of the or
ganization.
One of the features of the enterprise risk management approach is to develop a
consolidated view of the risk exposure of the organization. The approach based on
calculating the total risk exposure of an organization is similar to the approach
taken to the measurement and quantification of risk in operational risk management.
This section introduces the idea of a 'riskiness index'. The idea is to present a
semi-quantitative approach that takes a snapshot of the overall level of risk embedded
in the organization. The overall level of risk will take account of the strategy currently
being followed by the organization, the projects that are in progress, and the nature
of the routine operations being undertaken. This approach can offer an opportunity
to benchmark risk management performance and track changes over time.
Table 14.2 presents a set of questions that can be used to develop a riskiness index
for an organization. The table uses the structure of the FIRM risk scorecard as a means
of categorizing risks. By using the riskiness index, an organization should be able to
identify the level of risk faced by its finances, infrastructure, reputation and the level
of risk that it faces in the marketplace.
 Core business processes

Figure 19.1 Business development model

1. Strategy 3. Tactics
(where the organization wants to be) (how the organization will get there)

• Effective and efficient strategy • Effective and efficient processes

• Review strategic options • Programme design and planning
• Strategic plan • Project management

2. Operations
(where the organization is now)
Effective and efficient operations
No disruption or failure
Annual budget and business objectives

1
^ 5. Results of operations
ji (how well the organization is doing)

it
Support Impact or
or deliver attach

events will represent risks that could materialize. The other component of this business
development model is the reporting of the results of operations.
Actions and events can be good, bad or routine, and enable the organization to
monitor what progress is being made against the business strategy, tactics, operations
and compliance. These actions and events impact the organization and its ability to
sustain effective, efficient and compliant business operations and core processes.
Although compliance core processes are not specifically mentioned, they represent
the means by which the organization will enstne that it fulfills its legal and contractual
obligations. Compliance core processes should underpin all the activities of the or
ganization and will be similar in nature to operational core processes.
Identification of strategy will require an approach based on opportunity
management. Delivery of tactics, often by way of projects, will require attention to
uncertainties and management of control risks will be important. Delivery of effec
tive and efficient operations will require particular attention to the successful man
agement of hazard risks.
 Reputation and the business model

Figure 20.1 Components of the business model

C';iESstbWi(i? : iResbgrces
Custonner segments and targets Data, capabilities and assets
Marketing and sales activities Partnerships and networks
Customer servicing and support Organizational structure
Distribution routes and channels Activities and core processes

Offering
Alignment of available resources and capabilities to deliver the
intended customer value proposition and related benefits

Resilience
Pedple, commitment, purpose, capability, culture, leadership and governance
Ethos, organizational activities and values, standards, ethics and reputation '
^ Exisenditure based on development, infrastructure, sales and support cos^^^

strategic position that the organization wishes to achieve. Tactics for implementing
that strategy will need to be devised, as identified in Figure 19.1.
Business models can be quite complex and have a large number of dependencies,
including suppliers and outsourced facilities. The weaknesses and inefficiencies in the
existing business model need to be identified and analysis of the business model rep
resents an additional way of undertaking a risk assessment. The importance of resil
ience within the business model is considered in the next section. Other factors that
are important in the business model are related to reputation and etliical trading. A
particular consideration for many organizations is corporate social responsibility
within the supply chain. Analysis of the business model will enable an organization
to assess the supply chain and identify embedded risks, including ethical risks that
could damage the reputation of the organization.

Risk management and the business model

Each component of the business model can be subjected to a risk assessment. The
business model represents how the organization fulfils its vision and mission state
ment, as well as its aims and objectives. Although the offering is at the heart of the
business model, the starting point is often an assessment of the customer segment at
which the offering will be targeted. Risks are associated with identifying and secur
ing customers and providing customer service and support. Distribution routes and
channels are very important in the provision of the customer offering.
The offering itself is important and is at the heart of the business model. It is im
portant that the offering draws on available resources and capabilities to deliver the
 Risk culture

Figure 25.3 Risk appetite, exposure and capacity (vulnerable)

Impact

Actual risk
1
exposure

Ultimate risk
capacity

Likelihood

S Critical zone 1
\ Risk exposure
O Concerned zone V

n Cautious zone V Risk capacity

O Comfort zone

There can be no doubt that the topic of risk appetite will receive more attention in
future, and risk management practitioners need to get a better understanding of
what this concept means and bow it can be applied. The riskiness index described in
Chapter 14 takes a somewhat different approach.
Organizations, just like individuals, do not actively seek risk. An individual may
be described as a risk taker, but the reality will be that such a person enjoys activities
that have a high level of risk attached. It is the activity that appeals to the individual
in the first instance, not the actual risk. People may be identified as risk takers
because they have a high-risk hobby or pastime. That does not mean that the risk
taking for this individual will extend to crossing a busy road without looking.
In other words, risk taking has to be seen within the context of the activity and the
intended rewards.
 Risk culture

Risk information and communication

Component 7 of the COSO ERM cube considers the importance of risk information
and communication. Risk communication starts with the identification of the stake
holders that have an interest in the particular risk under consideration. Once the
stakeholders have been identified, the nature of the risk information that needs to be
communicated must be decided. Finally, the purpose of communicating risk infor
mation to each group of stakeholders should be analysed.
Stakeholders will already have a perception of risks, so risk communication
should be provided against the background of that existing perception. The guide
lines relevant to risk communication set out in Table 26.2 should be followed. These
guidelines seek to establish rules for communicating risk issues to a broad range of
stakeholders.
Clearly, these rules become more important when the communication about
risk is with external bodies. Nevertheless, they provide a useful set of guidelines for
risk communication with internal as well as external stakeholders. Internal stake
holders have additional reasons for being provided with risk information. There
will normally be an expectation by the organization that managers and staff will
play a role in the future management of the risk, whereas this may not always be
the case for external stakeholders.
The provision of risk training should be aligned with other training activities within
the organization. As with all other types of training, the content of the training must
be consistent with the requirements of the job. Training on risk matters will be required
in a number of circumstances, including when new risks have appeared or existing

Table 26.2 Risk communication guidelines

Know the stakeholders, by identifying both external and internal stakeholders and finding
out their interests and concerns

Simplify the language and presentation, although not the content if complex issues need
to be communicated

Be objective in the information provided and differentiate between opinions and facts
Communicate clearly and honestly, taking account of the level of understanding of the
audience

Deal with uncertainty and discuss situations where not all information is available and
indicate what can be done to overcome these problems
Be cautious when putting risks in perspective, although comparing an unfamiliar risk with
a familiar one can be helpful
Develop key messages that are clear, concise and to the point, with no more than three
messages communicated at any one time
Be prepared to answer questions and agree to provide further information if it is not
currently available
 tCS HlSil Risk training and communication
risks have changed significantly. Training will also he required when an individual
takes a new job or assumes additional responsibilities. Also, risk training will be
important after an incident has occurred and new or enhanced procedures are
introduced.
An important part of risk information and communication is ensuring that there
are adequate arrangements in place for 'whistlehlowers'. Although members of staff
and other individuals may collect confidential information about an organization
that would not normally be disclosed, there need to be arrangements in place for
staff and other stakeholders to raise concerns, if they have reasonable grounds for
believing there has been serious malpractice. The text box below provides an extract
from the University of Cambridge whistleblowing policy.

Whistleblowing investigation process

The person to whom the disclosure Is made will normally conslderthe information and
decide whether there is a prima facie case to answer. He or she will decide whether an
investigation should be conducted and what form it should take. This will depend on the
nature of the matter raised and may be:

• investigated internally;
• referred to the external auditors;
• the subject of independent enquiry.

Following investigation, some matters will need to be referred to the relevant outside body,
including the police or funding council. If the person to whom the disclosure is made decides
not to proceed with an investigation, the decision will be explained as fully as possible to the
individual who raised the concern. It is then open to the individual to make the disclosure
again eitherto another person orto the chair of the audit committee.

University of Cambridge

Shared risk vocabulary

Part of communicating successfully on risk matters is the development of a common
language of risk. Appendix B provides the vocabulary that is used in this book, as
well as making reference to the definitions used in ISO Guide 73, which provides
internationally recognized terms related to risk management. However, it is some
times necessary for an organization to develop its own risk vocabulary, for aspects
that may be particular and unique to it. A common understanding of risk based on
the use of terminology within the organization is more important than arguments
about precisely what a term means to different risk management practitioners.
In fact, as part of aligning risk management effort and embedding risk consider
ations into routine operations, it may be appropriate for the risk manager to use the
terminology already in place in an organization. Even if the vocabulary of the organ-
Risk culture

ization conflicts with strict risk management definitions, communication will be more
successful if the established vocabulary is used.
In this book, a standard vocabulary has been used in order to assist with the
introduction and explanation of concepts relevant to risk management. Sometimes,
this vocabulary contradicts ISO Guide 73, but it has been used to aid communica
tion and understanding. The subject of a risk vocabulary and agreeing definitions
can take a great deal of time and effort, and compromise is usually required.
A common language and agreed definitions are important so that all parties to
a discussion have the same understanding of the terminology being used. This is
illustrated by the summary in the box below.

Common language of risk

The first reason an organization needs a risk language is to underpin its risk culture.
Everyone in the organization has a role in an effective risk management process. Most
organizations have many layers (eg executives, line managers and employees) and 'silos'
(eg technology,treasury, operations, quality management and compliance). A common
language is needed to cut through the layers and break down the silos. Conversely,
without a common language, the risk managementteam will spend too much time
resolving communication issues atthe expense of their primary responsibilities.

Risk Information on an intranet

Risk information can be made available to stakeholders by a variety of means. Many
organizations produce brief guides and leaflets for stakeholders to communicate
the current risk issues and concerns. The appropriate means of communication will
vary according to the nature of the stakeholder and the nature and complexity of the
message to be communicated.
Formal means of risk communication exist where the organization has to report
to financial stakeholders. When risk communication is required,a range of communi
cation techniques can be used. A formal report to the stock exchange or to other
financial stakeholders may be backed up by an informal video, slide presentation
and/or a telephone conference call, as appropriate.
There is often an additional means of risk communication available to organiza
tions. Many organizations have developed an intranet for use by staff and this can be
used to cover risk and risk management information. For many large organizations,
it is common for the intranet to be used to communicate health and safety informa
tion and business continuity plans.
Information can be provided on the intranet about the generic risk assessments
that have been undertaken and the control measures that have been identified.
The intranet can also be used to communicate urgent risk information, as well as
providing updates on risk assessments, control measures and the current level of any
particular risk.
 Risk culture

used to pool risk exposure information and report accidents or other events that
may lead to an insurance claim.
As well as information-recording RMIS systems, there are a number of software
products that support risk management. These include software packages that can
undertake various analytical activities and systems that can undertake risk analysis
and dependency-modelling reviews.
It is generally accepted that the application of a RMIS software tool to an enter
prise risk management(ERM)initiative can be very helpful. However,the disadvantage
that is often encountered is that entering a substantial amount of risk data onto a
computer database can be very time-consuming. Nevertheless, the benefits of having
the data available for detailed analysis can make the effort worthwhile.
Risk information needs to be shared throughout an organization to enhance risk
awareness and ensure improved risk performance. It is almost always the case that
individuals within an organization will have the best understanding of the risks, as
well as detailed practical knowledge of the actions that should be taken to mitigate
risk events. Communication is also important to share information about incidents
that have occurred, including lessons that were learnt and the actions that were
taken to ensure that the event is not repeated.
An analysis of the advantages and disadvantages of RMIS is set out in the box
below. In general, an RMIS becomes more valuable when the risks are complex or
the amount of data that needs to be recorded is substantial.

Risk management information system (RMIS)

Without more advanced RMIS technology, risk managers are limited to recording the
exposure data and loss experience of the company relevant to the ERM initiative, using
techniques like modelling and scenario simulations.
It is possible that the cost of developing a robust, ERM-supportive RMIS will exceed
the benefits. The costs are immediate and tangible; the benefit is difficult to estimate or
demonstrate. Risk managers already struggle to explain the value of a loss that is prevented
orfinanced. Even if the risk reduction is significant, it is a potential future benefit, not an
assured, immediate expense reduction.
Whetherthe risk assessments from RMIS are likely to lead to enough marginal benefits
to offset the cost of data tracking and analysis depends on the risk profile of the company.
Large firms stand to gain the most from RMIS, but as the costs of the computing tools
needed to collect data and perform the sophisticated modelling continue to decrease, the
benefits grow for all organizations.
Ultimately, RMIS may pay for itself by enabling an organization to avoid or effectively
finance that one catastrophic loss that would otherwise slash the financial results of
the company.
Risk culture

Table 27.1 Risk management technical ski l ls

Skills associated with planning risk nnanagement strategy

Evaluate status Evaluate the organizational context and objectives

and map the external and internal risk context

Develop strategy Develop risk strategy and risk managennent policy and
develop the common language of risk

Skills associated with implennenting a risk nnanagement architecture

Design architecture Design and implement risk nnanagement architecture,

roles and responsibilities

Develop processes Develop and implement the risk management processes,

procedures and protocols

Build awareness Build a culture of risk awareness aligned with other

management activities

Skills associated with measuring risk management performance

Facilitate Facilitate the identification, analysis and evaluation of risks,

assessments and design record-keeping procedures

Evaluate controls Evaluate existing performance and evaluate efficiency and

effectiveness of existing controls

Improve controls Facilitate the design and implementation of necessary and

cost-effective control improvements

Skills associated with learning from risk management experience

Evaluate framework Evaluate risk management strategy, policies and processes,

and introduce improvements

Design reports Develop understanding of reporting requirements, design

reporting formats and produce appropriate reports

management technical skills can be set out as a competency framework, in the way
described in Table 27.1.
The range of business skills that will be required will vary according to the type
of organization. In general, they will include skills related to accounting, finance,
legal affairs, human resources, marketing, operations and information technology.
The importance of people skills has increased considerably as communication
within and between organizations has changed. People skills are often referred to as
soft skills. Technical skills are usually considered to be associated with intellectual
intelligence, whereas soft or people skills are associated with emotional intelligence.
To be successful, the risk practitioner needs a combination of both types of intelli
gence and both sets of skills.
 Risk governance

Figure 29.1 Importance of core processes

Mission statement

Strategic or
Internal External
business plan
evaluation evaluation
(and annual budget)

Corporate objectives Stakeholder expectations

i
Core processes

Strategic

Compliance Tactical

Operational

T Processes to deliver
Influence and enhance the
business model

relation to the expectations that each stakeholder places on each core process. An
important aspect of managing an organization is balancing the various stakeholder
expectations. There are dangers inherent in achieving this balance, and a risk identi
fication procedure based on analysis of stakeholder expectations is the most robust
way of ensuring that these dangers are recognized, analysed and minimized.
The analysis of stakeholder expectations is also one of the fundamental require
ments of the business process re-engineering (BPR) approach. The stakeholders in
the current and future activities of the organization can be identified. The expect
ations of each stakeholder in relation to each stated objective and the corporate
 Risk governance

aside to guard against the types of financial and operational risks they face. Basel III
requirements have been developed, although it is not anticipated that Basel III will
come fully into force until 2019.

Definition of operational risk

Operational risks faced by banks and other financial institutions represent essen
tially the same types of disruptive hazard risks that are faced by other organizations,
although the definition may be broader and the terminology slightly different. The
specific point in the case of operational risk for financial institutions is that the level
of operational risk needs to be quantified, because the level of risk has to be covered
by available capital within the institution. This leads to an imperative for the bank
to reduce the level of operational risk to the lowest level that is cost-effective.
Banks have long been concerned with market risk and credit risk (and insurance
companies with underwriting risk as well), but the advent of Basel II and Solvency II
requires financial institutions to consider broader operational risk exposures. Opera
tional risk was initially defined as being any form of risk that was not market risk or
credit risk. This imprecise definition was replaced by Basel II with a definition of
operational risk as:'the risk of loss resulting from inadequate or failed internal pro
cesses, people and systems or from external events'.
The Basel II definition includes legal risk, but excludes strategic and reputational
risk. The types of risks associated with the Basel II definition include the following:
• internal fraud, including misappropriation of assets, tax evasion and bribery;
• external fraud including theft, hacking and forgery;
• employment practices and workplace safety;
• clients, projects and business practices;
• damage to physical assets;
• business interruption and systems failures;
• execution, delivery and process management.
However, there is also recognition that operational risk is a term that has a variety
of meanings and that certain financial institutions use a different term or a broader
definition. The Basel II definition identifies four types of risk categories: people, pro
cess, system and external risks. People risks include failure to comply with pro
cedures and lack of segregation of duties. Process risks include process failures and
inadequate controls. System risks include failure of applications systems to meet user
requirements and the absence of built-in control measures. Finally, external risks
include action by regulators (change of regulation, but excluding enforcement or
disciplinary action), unsatisfactory performance by service providers and fraud, both
internal and external. External risks also include legal action by customers of finan
cial institutions in relation to negligence or fraud committed by staff.
The definitions of market risk and credit risk are also worth considering in rela
tion to financial institutions. Market risk is the risk that the value of investments
 Risk governance

Figure 31.3 Project lifecycle

Project Inception
• Feasibility study
• Outline cost plan
'Jlim
• Appointments
a

Project Closure Project Planning

• Handover Project • Detailed design
• Project review Lifecycle • Scheduling
• Procurement

Project Execution
• Construction
• Cost reporting
• Quality check

SOURCE Reproduced with permission from Feasible.

Each stage of the project lifecycle will have significant risk and uncertainty issues
embedded within it. The uncertainty embedded in each stage of the project will in
clude such issues as defining the project precisely, agreeing the timescaie and budget,
and confirming the performance/specification. There will also need to be arrange
ments for changes and developments within the project specification, as well as ar
rangements for any deviation from expected circumstances.
Figure 31.4 illustrates how uncertainty decreases during the various stages of a
project. Uncertainty can be associated with cost, time and quality. The issue that is
identified by Figure 31.4 is that as the project develops, the cost of making any al
teration increases. It is easier and cheaper to amend the specification before any
work has commenced than in the latter stages of a project. The fact that amendments
and alterations are more costly as the project progresses reinforces the need for risk
management throughout the project, to increase the likelihood of the project being
delivered to time, within budget and to quality.
Many organizations include a fourth variable in what is otherwise known as the
project triangle. This uncertainty may relate to the scope of the project, the effective
ness of the tactics that gave rise to the project or the ability of the project to comply
with stakeholder expectations. The stakeholders will almost certainly include regula
tors and so compliance is often added as the fourth output from a project that has to
be successfully delivered. Sustainabiiity is also used by some organizations as an al
ternative fourth output from a project. The simple approach is to include compliance
and sustainabiiity as part of the third output of quality, specification or performance.
Take the example of refurbishing a block of fiats. There will be a large number of
interested parties,including architects and the principal contractor. Fxternai agencies
 Project risk management

Figure 31.4 Decreasing uncertainty during the project

High

Stakeholder influence, risk and uncertainty

CD

=!

C
CD

Cost of changes

Low

Inception Planning Execution Closure

Project Time

will also need to be involved, including planning, building regulations requirements,

health and safety, environmental protection and the utilities. Successful management
of a project of this type will require the following;
• making risk management part of the project;
• identifying risks early in the project;
• communicating about risks;
• considering both threats and opportunities;
• clarifying ownership issues;
• prioritizing risks;
• analysing risks;
• planning and implementing risk responses;
• registering project risks;
• tracking risks and associated tasks.
 Internal audit activities

Figure 35.1 Role of internal audit in ERM

Grving assurance
on the risk rnanagement
Accountability for risk management

Core internal audit roles Legitimate internal audit Roles internal audit
in regard to ERM roles with safeguards should not undertake

SOURCE This diagram Is taken from Position Statement: The role ofinternal audit in enterprise-wide risk management,
reproduced with the permission of the Institute of Internal Auditors - UK and Ireland. For the full statement visit
wvi/w.iia.org.uk.

activities where it is legitimate for internal audit to become involved, provided that
suitable safeguards are in place. These activities include facilitating the identification
of risks,co-ordinating ERM activities, developing the ERM framework and champion
ing the establishment of ERM.The division of responsibilities set out in Figure 35.1
is not just compatible with the three lines of defence approach; it reinforces that ap
proach and provides considerable detail on the allocation of responsibilities. Use of
the information shown in Figure 35.1 will help an organization allocate responsibili
ties to management as the first line of defence, specialist risk management functions
as the second line of defence, and internal audit as the third line of defence.
Establishing audit priorities is an important function of the audit department.
In relation to risk management activities, internal auditors will need to establish
their priorities for the testing of controls. There is an important interface between
risk management and internal control. Risk management professionals are very good
at assessing risks and identifying the appropriate type of control that should be in
place. The risk register will often record current controls and make recommendations
for the implementation of additional controls.
The core work of the internal auditor starts at this point. Having identified the criti
cally important controls, the auditor will need to check that they are implemented in
practice and that they are correct and effective. The outcome of testing of controls
is to ensure that the intended level of risk is actually achieved in practice. In other
words, the control actually moves the level of risk from the inherent level to the
intended current level in the way that was planned and often assumed.
Index

civil emergencies 212-13 Rank (iroup 12

components of 204-05,206 risk assessment 1 16-17
controls as represented by 204 risk assurance 3<S4-(S5
cost containment 152 risk culture 282-(S3
defined 203 risk governance 330-3 1
disaster recovery planning 203-04 risk management 12-13,66-67
ERMand 99-100,211-12 risk response 170-71
ISO 22301:2012 205-06,207 Sainsbury\ 385-86
model for BCP 207 Severn Trent Water 330
principles 206-08 strategy, risk 216-17
risk controls and 183, 186 Tesco 385-86
scenario planning 212 Tim Hortons 330-3 1
standards 203, 205-08 Tsago Sun 67
success in 208-10 Unilever 384
timeline and costs 206 United Utilities 66
business delivery model 219-20 use of in book 7
components of 228-29, 229 Walt Disney C.ompany 170-71
CORR (customer, offering, resources, charities, risk reporting by 419-20
resilience) 228, 229,229-30 checklists and questionnaires in risk assessment
customers 229-30 122, 122
importance of 228 chief risk officers (C^ROs) 98, 258
reputation 230 civil emergencies 212-13
risk assessment of 228-29 classification of risks 17-18, 19,20-21
risk management and 229-30 bow-tie representation 132
strategic risks 230 BS 31100:201 1 135-36
sustainability of 230 choice of system 133
business development model 220-21,221 compliance risks 140
business impact analysis (BIA) 210-11 C:OSO HRM cube /34, 134-35, 136
examples of systems 133-38, 134, i34, 135,
capacity, risk 148-50 137

risk appetite and 297-98 finance sector 141

risk exposure and 303-05,304 FIRM risk scorecard 133, 134, 134, 135,
captive insurance companies 200-02,201 136-37
career success 226-27 personal risk matrix 139-40, 139-40
cars PF'STLF risk classification system 137,
buying 130 137-38
risk management 62 purpose of 133
risks associated with 36, 36 short, medium and long-term 131-32,132
case studies tailoring for individual needs 138-40,
AA 116 139-40
ABIL 12-13 timescale of impact 34-35
AMEC Foster Wheeler 216 see also types of risks
Australian Mines Limited 171 clinical risk management 47-48,250
BBC 216-17 COBIT 48, 1 10
Birmingham City Council 66-67 C^oOj(Oiteria of C^ontrol) 70, 79, 108-09
BIS 13 C>olgatc Palmolive 384-85
British Land 116-17 committees
Colgate Palmolive 384-85 audit 395-97, 396, 398
DCMS 331 disclosures 416
Ekurhuleni Metropolitan Municipality risk 262, 262-64
(EMxM) 282-83 communication
Emperor Watch and jewellery 217 consistency of risk response 3 1 1
F>icsson 283 intranets 316
Guide Dogs 117 means ol 316
Intu Properties 170 presentation skills 324
Network Rail 282 risk culture and 312-1 3