Professional Documents
Culture Documents
Hopkin - Fundamentals of Risk Management
Hopkin - Fundamentals of Risk Management
ULACIT
mentals of
Risk
Management w 5th Edition
Understanding,evaiuating
and implementing effective /
risk management /'A
KoganPage
. -.♦r
''tid
—-V
Introduction to risk management
Risks cannot be considered outside the context that gave rise to them. It may ap
pear that an organization is being risk aggressive, when in fact, the board has de
cided that there is an opportunity that should not be missed. However, the fact that
the opportunity entails high risk may not have been fully considered.
One of the major contributions from successful risk management is to ensure that
strategic decisions that appear to be high risk are actually taken with all of the infor
mation available. Improvement in the robustness of decision-making activities is one
of the key benefits of risk management. Attitude to risk is a complex subject and is
closely related to the risk appetite of the organization, but they are not the same.
Risk attitude indicates the long-term view of the organization to risk and risk ap
petite indicates the short-term willingness to take risk. This is similar to the dif
ference between the long-term or established attitude of an individual towards the
food they eat and their appetite for food at a particular moment in time.
Other key factors that will determine the attitude of the organization to risk in
clude the stage in the maturity cycle, as shown in Figure 2.2. For an organization that
is in the start-up phase, a more aggressive attitude to risk is required than for an
organization that is enjoying growth or one that is a mature organization in a ma
ture marketplace. Where an organization is operating in a mature marketplace and
is suffering from decline, the attitude to risk will be much more risk averse.
It is because the attitude to risk has to be different when an organization is a start
up operation rather than a mature organization, that it is often said that certain
high-profile businessmen are very good at entrepreneurial start-up but are not as
successful in running mature businesses. Different attitudes to risk are required at
different parts of the business maturity cycle shown in Figure 2.2.
The referendum in the UK on continued membership of the European Union (EU)
in June 2016 resulted in a vote in favour of British exit (Brexit). The UK government
has to activate the procedure for the UK to leave the EU. The text box below pro
vides an outline of the most commonly discussed options available to the UK gov
ernment. Overall, the challenge for the UK government is to ensure the continued
success of the UK economy based on a Brexit strategy and tactics that will ensure the
continued resilience of the UK.
• the existence of a single market: there are no tariffs or other barriers to trade;
Switzerland has had some success in building a two-way deal with the EU, which essentially
allows it to access certain selected parts of the European market in return for accepting EU
legislation in relevant areas as well as making contributions to the EU budget.
Canada has recently(May 2017) ratified the most far-reaching trade deal with Europe that
has ever been created, and it is possible that the UK could aim to replicate this sort of
relationship. Such an agreement might not allow the continued passporting of financial
services.
All these models struggle to reconcile the central issue of regulatory control. Using these
three models as a base,the UK now has to evaluate how Brexit will create risks and
opportunities for business.
Contribution
PERFORM
Opportunity
management
•Invest
• Enhance
•Success
CONFORM • Embrace
Achievement of
Control
benefits
management
REFORM
Hazard
comoliance
management
•Tolerate
• Inhibit
• Failure
• Mitigate
NFQRM
Fearful of
Compliance rements
management
•Avoid
• Undernrilne
Sophistication
Risk management standards
free download of the executive summary of COSO ERM cube. The approach
adopted by the COSO ERM cube suggests that enterprise risk management is not
strictly a serial set of activities, where one component affects only the next. It is con
sidered to be a multidirectional, iterative process in which almost any component
can and does influence all other components.
In the COSO ERM cube, there is a direct relationship between objectives,
which are what an entity strives to achieve, and enterprise risk management com
ponents, which represent what is needed to achieve them. The relationship is de
picted in a three-dimensional matrix, in the form of a cube, and this is reproduced
as Eigure 6.3.
The COSO ERM cube is a very influential risk management framework and it
consists of eight interrelated components. These are derived from the way manage
ment runs an enterprise and are integrated with the management process. A brief
description of the components of the COSO ERM cube is set out in Table 6.2.
The description of the COSO ERM cube includes the statement that:'within the
context of the established mission or vision of an organization, management estab
lishes strategic objectives, selects strategy and sets aligned objectives cascading through
the enterprise.' COSO has recently published additional guidance on ERM and how it
can be integrated with strategy and performance and this guidance is reviewed in
ntema Environment
SOURCE COSO Enterprise Risk Management: Integrated Framework, © 2004, Committee of Sponsoring
Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.
Approaches to risk management
External context
Internal context
Architectur^ Strategy
RM
process
Protocols
Internal context
External context
is acceptable. The risk management context should also provide a means of establish
ing the overall total risk exposure so that this can be compared with the risk appe
tite of the organization and the capacity of the organization to withstand risk.
The internal context is about the culture of the organization, the resources that
are available, receiving outputs from the risk management process and ensuring that
these influence behaviours, and supporting and providing governance of risk and
risk management. The internal context concerns objectives, the capacity and capa
bilities of the organization, as well as the business core processes that are in place.
An important consideration regarding the internal context is how the organization
makes decisions.
The external context is about stakeholder expectations, industry regulations and
regulators, the behaviour of competitors and the general economic environment
Risk assessment
Damage limitation
Damage limitation in relation to fire hazards is well established. Although sprinkler
systems are often considered to be a loss prevention measure,they are in fact the major
control measure for ensuring that only limited damage occurs when a fire breaks out.
Other damage limitation factors related to fire include the use of fire segregation within
buildings, the use of fire shutters, and having well-rehearsed arrangements in place to
remove,segregate or otherwise protect valuable items. After the fire at Windsor Castle
in 1992,arrangements were quickly put in place for valuable artwork to be removed
from areas of the castle that had not (up to that time) been affected by the fire.
Accidents at work still occur, despite the considerable attention paid to health and
safety standards and other loss prevention activities. Provision of adequate first aid
arrangements is an obvious damage limitation activity and suitable first aid facilities
are provided by most organizations. For some high-risk factory occupancies, emer
gency treatment arrangements and even medical facilities are provided on site.
In some cases, these medical facilities will include specialist treatment facilities
related to the particular hazards on site. An example is the provision of cyanide an
tidotes in factories where chromium-plating activities take place using cyanide-
plating solutions. A simpler example is the provision of emergency eye-wash bottles
in locations where hazardous chemicals are handled.
The Deepwater Horizon oil spill in the Gulf of Mexico in 2010 provides many risk
management lessons. One of the key issues was that the oil spill took some weeks to
stop. Loss prevention measures were in place to prevent the oil spill starting and cost
containment steps were taken to manage the cost of clean-up, recovery and business
continuity. It is, perhaps, the case that the damage limitation measures were not as
robust as may have been required. Because the oil leak lasted some weeks, there was
opportunity for damage limitation measures to be introduced. However, it does not
appear that these measures had been sufficiently planned in advance.
Cost containment
When a hazard risk materializes despite the efforts put into loss prevention and the
efforts that have been put into damage limitation, there may well still be a need to
contain the cost of the event. For example,among the activities for minimizing costs
associated with serious fires are detailed arrangements for salvage and arrangements
for decontamination of specialist items that have suffered water or smoke damage.
Cost containment in relation to a fire will also include arrangements for specialist
recovery services.The actions that will be taken to ensure that post-incident costs are
minimized should all be set out in business continuity, disaster recovery and crisis
management plans, as appropriate. The topics of business continuity planning and
disaster recovery planning are considered in more detail in Chapter 1 8.
A further consideration relevant to cost containment after an incident is what
insurance companies refer to as'increased cost of operation'. Most material damage/
business interruption insurance policies will allow for payment of increased cost of
operation. This may arise when an organization has to sub-contract certain
Loss control
1 :2
High High Medium Medium .InilScJf;! .
Probable
1 :10
High ivfeslium Low Mei^ifim IkLyint
Possible
1 :100
Medium Low Low Medium
Unlikely
Consequence
Riskiness index
The risk profile of an organization can be represented in many ways. The most
common method used is to prepare a risk register that contains details of the
significant risks that it faces. However, a disadvantage of the risk register is that it is
usually a qualitative evaluation of individual risks. Organizations need to develop a
means of measuring, evaluating and quantifying the total risk exposure of the or
ganization.
One of the features of the enterprise risk management approach is to develop a
consolidated view of the risk exposure of the organization. The approach based on
calculating the total risk exposure of an organization is similar to the approach
taken to the measurement and quantification of risk in operational risk management.
This section introduces the idea of a 'riskiness index'. The idea is to present a
semi-quantitative approach that takes a snapshot of the overall level of risk embedded
in the organization. The overall level of risk will take account of the strategy currently
being followed by the organization, the projects that are in progress, and the nature
of the routine operations being undertaken. This approach can offer an opportunity
to benchmark risk management performance and track changes over time.
Table 14.2 presents a set of questions that can be used to develop a riskiness index
for an organization. The table uses the structure of the FIRM risk scorecard as a means
of categorizing risks. By using the riskiness index, an organization should be able to
identify the level of risk faced by its finances, infrastructure, reputation and the level
of risk that it faces in the marketplace.
Core business processes
1. Strategy 3. Tactics
(where the organization wants to be) (how the organization will get there)
2. Operations
(where the organization is now)
Effective and efficient operations
No disruption or failure
Annual budget and business objectives
1
^ 5. Results of operations
ji (how well the organization is doing)
it
Support Impact or
or deliver attach
events will represent risks that could materialize. The other component of this business
development model is the reporting of the results of operations.
Actions and events can be good, bad or routine, and enable the organization to
monitor what progress is being made against the business strategy, tactics, operations
and compliance. These actions and events impact the organization and its ability to
sustain effective, efficient and compliant business operations and core processes.
Although compliance core processes are not specifically mentioned, they represent
the means by which the organization will enstne that it fulfills its legal and contractual
obligations. Compliance core processes should underpin all the activities of the or
ganization and will be similar in nature to operational core processes.
Identification of strategy will require an approach based on opportunity
management. Delivery of tactics, often by way of projects, will require attention to
uncertainties and management of control risks will be important. Delivery of effec
tive and efficient operations will require particular attention to the successful man
agement of hazard risks.
Reputation and the business model
C';iESstbWi(i? : iResbgrces
Custonner segments and targets Data, capabilities and assets
Marketing and sales activities Partnerships and networks
Customer servicing and support Organizational structure
Distribution routes and channels Activities and core processes
Offering
Alignment of available resources and capabilities to deliver the
intended customer value proposition and related benefits
Resilience
Pedple, commitment, purpose, capability, culture, leadership and governance
Ethos, organizational activities and values, standards, ethics and reputation '
^ Exisenditure based on development, infrastructure, sales and support cos^^^
strategic position that the organization wishes to achieve. Tactics for implementing
that strategy will need to be devised, as identified in Figure 19.1.
Business models can be quite complex and have a large number of dependencies,
including suppliers and outsourced facilities. The weaknesses and inefficiencies in the
existing business model need to be identified and analysis of the business model rep
resents an additional way of undertaking a risk assessment. The importance of resil
ience within the business model is considered in the next section. Other factors that
are important in the business model are related to reputation and etliical trading. A
particular consideration for many organizations is corporate social responsibility
within the supply chain. Analysis of the business model will enable an organization
to assess the supply chain and identify embedded risks, including ethical risks that
could damage the reputation of the organization.
Impact
Actual risk
1
exposure
Ultimate risk
capacity
Likelihood
S Critical zone 1
\ Risk exposure
O Concerned zone V
There can be no doubt that the topic of risk appetite will receive more attention in
future, and risk management practitioners need to get a better understanding of
what this concept means and bow it can be applied. The riskiness index described in
Chapter 14 takes a somewhat different approach.
Organizations, just like individuals, do not actively seek risk. An individual may
be described as a risk taker, but the reality will be that such a person enjoys activities
that have a high level of risk attached. It is the activity that appeals to the individual
in the first instance, not the actual risk. People may be identified as risk takers
because they have a high-risk hobby or pastime. That does not mean that the risk
taking for this individual will extend to crossing a busy road without looking.
In other words, risk taking has to be seen within the context of the activity and the
intended rewards.
Risk culture
Know the stakeholders, by identifying both external and internal stakeholders and finding
out their interests and concerns
Simplify the language and presentation, although not the content if complex issues need
to be communicated
Be objective in the information provided and differentiate between opinions and facts
Communicate clearly and honestly, taking account of the level of understanding of the
audience
Deal with uncertainty and discuss situations where not all information is available and
indicate what can be done to overcome these problems
Be cautious when putting risks in perspective, although comparing an unfamiliar risk with
a familiar one can be helpful
Develop key messages that are clear, concise and to the point, with no more than three
messages communicated at any one time
Be prepared to answer questions and agree to provide further information if it is not
currently available
tCS HlSil Risk training and communication
risks have changed significantly. Training will also he required when an individual
takes a new job or assumes additional responsibilities. Also, risk training will be
important after an incident has occurred and new or enhanced procedures are
introduced.
An important part of risk information and communication is ensuring that there
are adequate arrangements in place for 'whistlehlowers'. Although members of staff
and other individuals may collect confidential information about an organization
that would not normally be disclosed, there need to be arrangements in place for
staff and other stakeholders to raise concerns, if they have reasonable grounds for
believing there has been serious malpractice. The text box below provides an extract
from the University of Cambridge whistleblowing policy.
• investigated internally;
• referred to the external auditors;
• the subject of independent enquiry.
Following investigation, some matters will need to be referred to the relevant outside body,
including the police or funding council. If the person to whom the disclosure is made decides
not to proceed with an investigation, the decision will be explained as fully as possible to the
individual who raised the concern. It is then open to the individual to make the disclosure
again eitherto another person orto the chair of the audit committee.
University of Cambridge
ization conflicts with strict risk management definitions, communication will be more
successful if the established vocabulary is used.
In this book, a standard vocabulary has been used in order to assist with the
introduction and explanation of concepts relevant to risk management. Sometimes,
this vocabulary contradicts ISO Guide 73, but it has been used to aid communica
tion and understanding. The subject of a risk vocabulary and agreeing definitions
can take a great deal of time and effort, and compromise is usually required.
A common language and agreed definitions are important so that all parties to
a discussion have the same understanding of the terminology being used. This is
illustrated by the summary in the box below.
used to pool risk exposure information and report accidents or other events that
may lead to an insurance claim.
As well as information-recording RMIS systems, there are a number of software
products that support risk management. These include software packages that can
undertake various analytical activities and systems that can undertake risk analysis
and dependency-modelling reviews.
It is generally accepted that the application of a RMIS software tool to an enter
prise risk management(ERM)initiative can be very helpful. However,the disadvantage
that is often encountered is that entering a substantial amount of risk data onto a
computer database can be very time-consuming. Nevertheless, the benefits of having
the data available for detailed analysis can make the effort worthwhile.
Risk information needs to be shared throughout an organization to enhance risk
awareness and ensure improved risk performance. It is almost always the case that
individuals within an organization will have the best understanding of the risks, as
well as detailed practical knowledge of the actions that should be taken to mitigate
risk events. Communication is also important to share information about incidents
that have occurred, including lessons that were learnt and the actions that were
taken to ensure that the event is not repeated.
An analysis of the advantages and disadvantages of RMIS is set out in the box
below. In general, an RMIS becomes more valuable when the risks are complex or
the amount of data that needs to be recorded is substantial.
Develop strategy Develop risk strategy and risk managennent policy and
develop the common language of risk
management technical skills can be set out as a competency framework, in the way
described in Table 27.1.
The range of business skills that will be required will vary according to the type
of organization. In general, they will include skills related to accounting, finance,
legal affairs, human resources, marketing, operations and information technology.
The importance of people skills has increased considerably as communication
within and between organizations has changed. People skills are often referred to as
soft skills. Technical skills are usually considered to be associated with intellectual
intelligence, whereas soft or people skills are associated with emotional intelligence.
To be successful, the risk practitioner needs a combination of both types of intelli
gence and both sets of skills.
Risk governance
Mission statement
Strategic or
Internal External
business plan
evaluation evaluation
(and annual budget)
i
Core processes
Strategic
Compliance Tactical
Operational
T Processes to deliver
Influence and enhance the
business model
relation to the expectations that each stakeholder places on each core process. An
important aspect of managing an organization is balancing the various stakeholder
expectations. There are dangers inherent in achieving this balance, and a risk identi
fication procedure based on analysis of stakeholder expectations is the most robust
way of ensuring that these dangers are recognized, analysed and minimized.
The analysis of stakeholder expectations is also one of the fundamental require
ments of the business process re-engineering (BPR) approach. The stakeholders in
the current and future activities of the organization can be identified. The expect
ations of each stakeholder in relation to each stated objective and the corporate
Risk governance
aside to guard against the types of financial and operational risks they face. Basel III
requirements have been developed, although it is not anticipated that Basel III will
come fully into force until 2019.
Project Inception
• Feasibility study
• Outline cost plan
'Jlim
• Appointments
a
Project Execution
• Construction
• Cost reporting
• Quality check
Each stage of the project lifecycle will have significant risk and uncertainty issues
embedded within it. The uncertainty embedded in each stage of the project will in
clude such issues as defining the project precisely, agreeing the timescaie and budget,
and confirming the performance/specification. There will also need to be arrange
ments for changes and developments within the project specification, as well as ar
rangements for any deviation from expected circumstances.
Figure 31.4 illustrates how uncertainty decreases during the various stages of a
project. Uncertainty can be associated with cost, time and quality. The issue that is
identified by Figure 31.4 is that as the project develops, the cost of making any al
teration increases. It is easier and cheaper to amend the specification before any
work has commenced than in the latter stages of a project. The fact that amendments
and alterations are more costly as the project progresses reinforces the need for risk
management throughout the project, to increase the likelihood of the project being
delivered to time, within budget and to quality.
Many organizations include a fourth variable in what is otherwise known as the
project triangle. This uncertainty may relate to the scope of the project, the effective
ness of the tactics that gave rise to the project or the ability of the project to comply
with stakeholder expectations. The stakeholders will almost certainly include regula
tors and so compliance is often added as the fourth output from a project that has to
be successfully delivered. Sustainabiiity is also used by some organizations as an al
ternative fourth output from a project. The simple approach is to include compliance
and sustainabiiity as part of the third output of quality, specification or performance.
Take the example of refurbishing a block of fiats. There will be a large number of
interested parties,including architects and the principal contractor. Fxternai agencies
Project risk management
CD
=!
C
CD
Cost of changes
Low
Project Time
Grving assurance
on the risk rnanagement
Accountability for risk management
Core internal audit roles Legitimate internal audit Roles internal audit
in regard to ERM roles with safeguards should not undertake
SOURCE This diagram Is taken from Position Statement: The role ofinternal audit in enterprise-wide risk management,
reproduced with the permission of the Institute of Internal Auditors - UK and Ireland. For the full statement visit
wvi/w.iia.org.uk.
activities where it is legitimate for internal audit to become involved, provided that
suitable safeguards are in place. These activities include facilitating the identification
of risks,co-ordinating ERM activities, developing the ERM framework and champion
ing the establishment of ERM.The division of responsibilities set out in Figure 35.1
is not just compatible with the three lines of defence approach; it reinforces that ap
proach and provides considerable detail on the allocation of responsibilities. Use of
the information shown in Figure 35.1 will help an organization allocate responsibili
ties to management as the first line of defence, specialist risk management functions
as the second line of defence, and internal audit as the third line of defence.
Establishing audit priorities is an important function of the audit department.
In relation to risk management activities, internal auditors will need to establish
their priorities for the testing of controls. There is an important interface between
risk management and internal control. Risk management professionals are very good
at assessing risks and identifying the appropriate type of control that should be in
place. The risk register will often record current controls and make recommendations
for the implementation of additional controls.
The core work of the internal auditor starts at this point. Having identified the criti
cally important controls, the auditor will need to check that they are implemented in
practice and that they are correct and effective. The outcome of testing of controls
is to ensure that the intended level of risk is actually achieved in practice. In other
words, the control actually moves the level of risk from the inherent level to the
intended current level in the way that was planned and often assumed.
Index