
M67/P67
Fundamentals of risk management
2018–19 Study text
RevisionMate
Available for the life of your study text enrolment, RevisionMate offers an unrivalled suite of online services to support
your studies and improve your chances of exam success. Availability of each service varies depending on the unit, but
typically includes:
• Study planner – build a routine and manage your time more effectively.
• Online study text – conveniently view your material online.
• Student discussion forum – share common queries and learn with your peers.
• Quiz questions – check understanding of the study text as you progress.
• Examination guide – practise your exam technique.
To explore the benefits for yourself:
1. Visit www.revisionmate.com
2. Log in using your CII PIN* as your username and your surname in lower case as your password for first-time access
*Your CII PIN is shown on the ‘study material acknowledgement’ included with this study text (e.g. 012345678A).
Please note: If you have received this study text as part of your update service, access to RevisionMate will only be
available for the remainder of your enrolment.

Updates and amendments to this study text


As part of your enrolment, any changes to the exam or syllabus, and any updates to the content of this study text, will be
posted online so that you have access to the latest information. You will be notified via email when an update has been
published. To view updates:
1. Visit www.cii.co.uk/qualifications
2. Select the appropriate qualification
3. Select your unit on the right hand side of the page
Under ‘Unit updates’, examination changes and the testing position are shown under ‘Qualifications update’; study text
updates are shown under ‘Learning solutions update’.
Please ensure your email address is current to receive notifications.
© The Chartered Insurance Institute 2018
All rights reserved. Material included in this publication is copyright and may not be reproduced in whole or
in part including photocopying or recording, for any purpose without the written permission of the copyright
holder. Such written permission must also be obtained before any part of this publication is stored in a
retrieval system of any nature. This publication is supplied for study by the original purchaser only and must
not be sold, lent, hired or given to anyone else.
Every attempt has been made to ensure the accuracy of this publication. However, no liability can be
accepted for any loss incurred in any way whatsoever by any person relying solely on the information
contained within it. The publication has been produced solely for the purpose of examination and should not
be taken as definitive of the legal position. Specific advice should always be obtained before undertaking
any investments.
Print edition ISBN: 978 1 78642 316 0
Electronic edition ISBN: 978 1 78642 317 7
This revised and updated edition published in 2018

The author
Stephen W. Lowe MSc, CFIRM, FCII, Chartered Insurance Practitioner. Stephen has over 25 years’ experience
with international insurers, international brokers and risk management consultants in a variety of technical
and managerial roles.
Now an established independent consultant, he helps organisations set up and manage risk management
and insurance solutions, supplemented, where appropriate, with comprehensive training and procedural
manuals.
He has helped to shape the new British Standard for Damage Management and publications relating to
National Occupational Standards for the financial sector in a risk management context.
Previous research work focused on business continuity and the management of fraud and reputation risks.
Stephen is a keen supporter of CII efforts to promote ongoing professional development, training and
education across the profession.

Reviewers and updaters


The CII would like to thank Stephen Lowe for reviewing and updating this and previous editions of this study
text.
We would also like to thank Dr Simon Ashby BA (Hons), PhD, FIOR for his assistance with previous editions
of this study text.

Acknowledgements
The CII would like to thank the authors and reviewers of other CII study texts in respect of any material drawn
upon in the production of this study text.
While every effort has been made to trace the owners of copyright material, we regret that this may not have
been possible in every instance and welcome any information that would enable us to do so.
Typesetting, page make-up and editorial services CII Learning Solutions.
Printed and collated in Great Britain.
This paper has been manufactured using raw materials harvested from certified sources or
controlled wood sources.

Using this study text


Welcome to the M67/P67: Fundamentals of risk management study text which is designed to cover the
M67/P67 syllabus, a copy of which is included in the next section.
Please note that in order to create a logical and effective study path, the contents of this study text do
not necessarily mirror the order of the syllabus, which forms the basis of the assessment. To assist you
in your learning we have followed the syllabus with a table that indicates where each syllabus learning
outcome is covered in the study text. These are also listed on the first page of each chapter.
Each chapter also has stated learning objectives to help you further assess your progress in
understanding the topics covered.
Contained within the study text are a number of features which we hope will enhance your study:
Activities: reinforce learning through practical exercises.
Learning points: provide clear direction to assist with understanding of a key topic.
Be aware: draws attention to important points or areas that may need further clarification or consideration.
Refer to: located in the margin, extracts from other CII study texts, which provide valuable information on or background to the topic. The sections referred to are available for you to view and download on RevisionMate.
Case studies: short scenarios that will test your understanding of what you have read in a real life context.
Reinforce: encourages you to revisit a point previously learned in the course to embed understanding.
Consider this: stimulating thought around points made in the text for which there is no absolute right or wrong answer.
Revision questions: to test your recall of topics.
Examples: provide practical illustrations of points made in the text.
Sources/quotations: cast further light on the subject from industry sources.
Key points: act as a memory jogger at the end of each chapter.
Think back to: located in the margin, highlights areas of assumed knowledge that you might find helpful to revisit. The sections referred to are available for you to view and download on RevisionMate.
Key terms: introduce the key concepts and specialist terms covered in each chapter.
Useful websites: introduce you to other information sources that help to supplement the text.
At the end of every chapter there is also a set of self-test questions that you should use to check your
knowledge and understanding of what you have just studied. Compare your answers with those given at
the back of the book.
By referring back to the learning outcomes after you have completed your study of each chapter and
attempting the end of chapter self-test questions, you will be able to assess your progress and identify
any areas that you may need to revisit.
Not all features appear in every study text.
Note
Website references correct at the time of publication.
Revision just got a whole lot easier
RevisionMate is an online study support tool that helps you revise.
Key features typically include:
• Study planner – helps you build a routine and manage time effectively
• Online study text – so you can study at home or on the move
• Student discussion forum – interact with your peers and share queries
• Quiz questions – check understanding of the study text as you progress
• Examination guide – useful hints, tips and a specimen paper with answers to help prepare you for the exam
Find out more: www.revisionmate.com

Examination syllabus

Fundamentals of risk management


Purpose
To explore the principles of risk management and the role of insurance within these principles.

Assumed knowledge
It is assumed that the candidate already has knowledge of the fundamental principles of insurance as
covered in IF1 Insurance, legal and regulatory or equivalent examinations.

Summary of learning outcomes (number of questions in the examination*)
1. Understand the meaning of risk. 9
2. Understand the role and purpose of risk management. 8
3. Understand the core elements of the risk management process. 12
4. Understand the different categories of risk. 5
5. Understand current trends in risk management. 6
6. Understand the position of insurance within risk management. 5
7. Understand the key risk management lessons learnt from major loss events. 5
*The test specification (relevant to the M67 multiple choice question examination only) has an in-built element of flexibility. It
is designed to be used as a guide for study and is not a statement of the actual number of questions that will appear in every
exam. However, the number of questions testing each learning outcome will generally be within the range plus or minus 2 of
the number indicated.

Important notes
M67
• Method of assessment:
Mixed assessment consisting of two components, both of which must be passed. One component is
a coursework assignment and one is a multiple choice question (MCQ) examination. The details are:
1. an online coursework assignment using RevisionMate consisting of 10 questions which
sequentially follow the learning outcomes. This must be successfully completed within 6 months
of enrolment; and
2. an MCQ exam at one of the CII’s online centres (paper-based MCQs are available in April and
October for those sitting outside the UK). The MCQ exam consists of 50 MCQs. 1 hour is allowed
for this exam. This exam must be successfully passed within 18 months of enrolment.
• This syllabus will be examined from 1 May 2018 until 30 April 2019.
• Candidates will be examined on the basis of English law and practice unless otherwise stated.
• Candidates should refer to the CII website for the latest information on changes to law and practice
and when they will be examined:
1. Visit www.cii.co.uk/updates
2. Select the appropriate qualification
3. Select your unit on the right hand side of the page

Published February 2018 M67/P67


Copyright © 2018 The Chartered Insurance Institute. All rights reserved.

Examination syllabus

P67
• Method of assessment: Part I 14 compulsory questions (140 marks). Part II 2 questions selected from
3 (60 marks). Total of 200 marks. Three hours are allowed for this exam.
• The syllabus is examined on the basis of English law and practice unless otherwise stated.
• The general rule is that the exams are based on the English legislative position six months before
the date of the exams.
• Candidates should refer to the CII website for the latest information on changes to law and practice
and when they will be examined:
1. Visit www.cii.co.uk/qualifications
2. Select the appropriate qualification
3. Select your unit on the right hand side of the page


Examination syllabus

1. Understand the meaning of risk
1.1 Explain the difference between risk and uncertainty.
1.2 Explain the basics of probability theory.
1.3 Discuss risk perception.
1.4 Explain the difference between pure and speculative risk.

2. Understand the role and purpose of risk management
2.1 Explain the evolution of the discipline of risk management.
2.2 Outline the benefits of risk management.
2.3 Explain key roles and responsibilities for risk management (board, managers, risk function etc).
2.4 Explain the relationship between risk management, compliance and the audit function.

3. Understand the core elements of the risk management process
3.1 Outline the risk management process.
3.2 Explain the purpose and contents of a risk register.
3.3 Explain the various risk management standards that exist.
3.4 Explain the various risk management tools and techniques (identification, assessment, monitoring, control and financing).
3.5 Explain the regulatory and corporate governance context surrounding the risk management process.

4. Understand the different categories of risk
4.1 Define and categorise risk (e.g. various financial, operational, insurance risks, strategic and reputation).
4.2 Discuss difficult to categorise risks.
4.3 Examine the link between cause, events and effects.

5. Understand current trends in risk management
5.1 Discuss the emergence of enterprise risk management (ERM).
5.2 Discuss the emergence of governance, risk and compliance (GRC).
5.3 Explain the role of the Chief Risk Officer and Risk Committee.
5.4 Explain the concepts of risk aggregation and correlation.

6. Understand the position of insurance within risk management
6.1 Explain the role of insurance as a risk transfer mechanism.
6.2 Explain the role of an insurance intermediary in supporting risk management.
6.3 Discuss alternatives to insurance (captives, alternative risk transfer, self-insurance).

7. Understand the key risk management lessons learnt from major loss events
7.1 Explain why risk management systems can fail.
7.2 Explain the consequences of the failure of risk management systems.
7.3 Discuss examples of relevant loss events and explain the lessons learnt from them.


Examination syllabus

Reading list
The following list provides details of various publications which may assist you with your studies.
Note: The examination will test the syllabus alone. The reading list is provided for guidance only and is not in itself the subject of the examination.
The publications will help you keep up-to-date with developments and will provide a wider coverage of syllabus topics.
CII/PFS members can borrow most of the additional study materials below from Knowledge Services. CII study texts can be consulted from within the library.
New materials are added frequently - for information about new releases and the lending service, please go to www.cii.co.uk/knowledge or email knowledge@cii.co.uk.

CII study texts
Fundamentals of risk management. London: CII. Study text M67/P67.
Insurance, legal and regulatory. London: CII. Study text IF1.

Books (and ebooks)
Approaches to enterprise risk management. London: Bloomsbury, 2010.*
Handbook of insurance. Georges Dionne. New York: Springer, 2013.*
Handbook of the economics of risk and uncertainty. Mark Machina, W. Kip Viscusi. North Holland, 2014.*
Introduction to insurance mathematics: technical and financial features of risk transfers. Annamaria Olivieri, Ermanno Pitacco. Berlin: Springer, 2011.
Principles of risk management and insurance. 12th ed. George E. Rejda, Michael J. McNamara. Pearson Education, 2014.
Rethinking risk measurement and reports. 2v. Klaus Bocker (ed). London: Incisive, 2010.
Risk: an introduction. Bernardus Ale. Routledge, 2010.*
Risk analysis. 2nd ed. Terje Aven. Hoboken: Wiley, 2015.*
Risk analysis in finance and insurance. 2nd ed. Alexander Melnikov. Chapman and Hall/CRC, 2010.*
Risk culture and effective risk governance. Patricia Jackson, ed. London: Risk Books, 2014.
Risk management for insurers: risk control, economic capital, and Solvency II. Rene Doff. 3rd ed. London: Risk Books, 2015.
The risk management handbook. David Hillson. London: Kogan Page, 2016.*

Ebooks
The following ebooks are available through Discovery via www.cii.co.uk/discovery (CII/PFS members only):
Enterprise risk management: a common framework for the entire organisation. Philip E.J. Green. Oxford: Butterworth-Heinemann, 2016.
Enterprise risk management: from incentives to controls. James Lam. 2nd ed. Hoboken: Wiley, 2013.
Fundamentals of enterprise risk management: how top companies assess risk, manage exposure and seize opportunity. John J. Hampton. New York: American Management Association, 2015.
Fundamentals of risk management: understanding, evaluating and implementing effective risk management. Paul Hopkin. Kogan Page, 2014.
Risk analysis in finance and insurance. 2nd ed. A V Melnikov. Boca Raton, Florida: CRC Press, 2011.
Risk management and financial institutions. John Hull. Wiley, 2015.
Risk management: concepts and guidance. Carl L. Pritchard. 5th ed. Boca Raton: CRC Press, 2015.

Factfiles and other online resources
CII factfiles are concise, easy to digest but technically dense resources designed to enrich the knowledge of members. Covering the general insurance, life and pensions and financial services sectors, the factfile collection includes key industry topics as well as less familiar or specialist areas with information drawn together in a way not readily available elsewhere. Available online via www.cii.co.uk/ciifactfiles (CII/PFS members only).
• Alternative risk transfer (ART). Alan Punter.
• Insurance-linked securities (ILS). Alan Punter.
• Risk control. Ian Searle.
• Risk identification. Ian Searle.
• Risk transfer. Ian Searle.
• Recent developments to Solvency II. Brad Baker.
AIRMIC. www.airmic.com.
Institute of Risk Management. www.theirm.org.
Risk.net: an online resource providing news, analysis and trends in risk management. Available via www.cii.co.uk/risknet (members only).
Further articles and technical bulletins are available at www.cii.co.uk/knowledge (CII/PFS members only).

Journals and magazines
The Journal. London: CII. Six issues a year. Also available online via www.cii.co.uk/knowledge (CII/PFS members only).
Post magazine. London: Incisive Financial Publishing. Monthly. Also available online at www.postonline.co.uk.
Strategic risk. London: Newsquest Specialist Media. Eight issues a year.
Further periodical publications are available at www.cii.co.uk/journalsmagazines (CII/PFS members only).

Reference materials
Concise encyclopedia of insurance terms. Laurence S. Silver, et al. New York: Routledge, 2010.*
Dictionary of insurance. C Bennett. 2nd ed. London: Pearson Education, 2004.
* Also available as an ebook through Discovery via www.cii.co.uk/discovery (CII/PFS members only).


Examination syllabus

M67
Exemplars
Exemplar papers are available for all mixed assessment
units. Exemplars are available for both the coursework
component and the MCQ exam component.
These are available on the CII website under the unit
number before purchasing the unit. They are available
under the following link www.cii.co.uk/qualifications/
diploma-in-insurance-qualification.
These exemplar papers are also available on the
RevisionMate website www.revisionmate.com after you
have purchased the unit.

P67
Examination guides
Guides are produced for each sitting of written answer
examinations. These include the exam questions,
examiners’ comments on candidates’ performance and
key points for inclusion in answers.
You are strongly advised to study guides from the last
two sittings. Please visit www.cii.co.uk to buy online or
contact CII Customer Service for further information on
+44 (0)20 8989 8464.
Alternatively, if you have a current study text enrolment,
the latest exam guides are available via
www.revisionmate.com.
Older guides are available via
www.cii.co.uk/pastexamguides (CII/PFS members only).

Exam technique/study skills


There are many modestly priced guides available in
bookshops. You should choose one which suits your
requirements.
The Insurance Institute of London (IIL) holds a lecture on
revision techniques for CII written exams approximately
three times a year. The slides from their most recent
lectures can be found at
www.cii.co.uk/iilwrittenrevision (CII/PFS members only).


M67/P67 syllabus
quick-reference guide
Syllabus learning outcome (study text chapter and section)
1. Understand the meaning of risk
1.1 Explain the difference between risk and uncertainty. 1C, 1D
1.2 Explain the basics of probability theory. 5D
1.3 Discuss risk perception. 1B
1.4 Explain the difference between pure and speculative risk. 1E
2. Understand the role and purpose of risk management
2.1 Explain the evolution of the discipline of risk management. 1A
2.2 Outline the benefits of risk management. 2A, 2B, 2C, 7E
2.3 Explain key roles and responsibilities for risk management (board, managers, risk function etc). 3B, 3C, 3H
2.4 Explain the relationship between risk management, compliance, and the audit function. 3D, 3E
3. Understand the core elements of the risk management process
3.1 Outline the risk management process. 2D, 7D
3.2 Explain the purpose and contents of a risk register. 5H
3.3 Explain the various risk management standards that exist. 7A
3.4 Explain the various risk management tools and techniques (identification, assessment, monitoring, control and financing). 4A, 4B, 4C, 4D, 4E, 4F, 4G, 5A, 5C, 5E, 5F, 5G, 6A, 6B, 6C, 6D, 6E, 6F, 7C
3.5 Explain the regulatory and corporate governance context surrounding the risk management process. 3A, 3G, 6C
4. Understand the different categories of risk
4.1 Define and categorise risk (e.g. various financial, operational, insurance risks, strategic and reputation). 1E
4.2 Discuss difficult to categorise risks. 5B
4.3 Examine the link between cause, events and effects. 1F
5. Understand current trends in risk management
5.1 Discuss the emergence of enterprise risk management (ERM). 3B, 3I
5.2 Discuss the emergence of governance, risk and compliance (GRC). 3F
5.3 Explain the role of the chief risk officer and risk committee. 3C
5.4 Explain the concepts of risk aggregation and correlation. 5C, 5D
6. Understand the position of insurance within risk management
6.1 Explain the role of insurance as a risk transfer mechanism. 6C
6.2 Explain the role of an insurance intermediary in supporting risk management. 6C
6.3 Discuss alternatives to insurance (captives, alternative risk transfer, self-insurance). 6D, 6E, 6F
7. Understand the key risk management lessons learnt from major loss events
7.1 Explain why risk management systems can fail. 7B
7.2 Explain the consequences of the failure of risk management systems. 7B
7.3 Discuss examples of relevant loss events. 7B

Introduction
In this study text we explore how people and organisations can anticipate and deal with risk and
uncertainty. We see how a formal structure can help to identify risks, establish how often they are taken,
and measure potential consequences if risks materialise. Then we look at risk management, how risk
taking can be avoided or reduced, and what can be done to soften the effects when a risk goes wrong.
Finally, we study some examples of well-publicised major losses to see what lessons can be learnt.
We start by looking at how the concept of risk management evolved and explore how different people
perceive different risks. By anticipating how people are likely to behave, an organisation can set
guidelines as to how risk taking should be approached. We look at the type of risks faced by business
organisations, what might cause them, and how they might be classified to facilitate further study.
We study risk management as an integral part of achieving business objectives, reducing potential
future costs and sometimes preventing total disaster. A formal risk management programme will
consider the interests of all stakeholders in the business, evaluate external influences and investigate
new and emerging risks. Risk management studies the link between cause, event and effect with a view
to preventing causes, mitigating effects, or breaking links in the chain. We see that an organisation’s
attitude to risk is determined by the board of directors and should be published as a formal risk
philosophy.
The board of directors has legal responsibility to supervise the management of operations and not to
take unnecessary risks. Public companies must publish structures for corporate governance and risk
management control that show the board is fully, accurately and reliably informed of important
decisions and events. We see that risk management, audit and compliance functions are integral parts
of strong governance and should use the same strategies, processes and technologies so that coherent
information is presented to the board. The system used to control risk management across an
organisation is known as enterprise risk management (ERM).
Specific tools and techniques are available to help the various stages of risk management and control.
We review internal and external sources of risk information, how to collect this data, assess its
reliability, and determine whether it is susceptible to imminent change.
We need to compare different risks in order to prioritise them. If we evaluate potential impact on the
business, then impact multiplied by frequency is a measure of possible loss to which an organisation is
exposed. It can be used as a basis for ranking. Some risks can be quantified in monetary terms but
others will have qualitative descriptions based on their damage to business objectives. Large numbers
of risks will be more easily managed if they are first divided into meaningful categories.
Options are available to mitigate the effects of unavoidable risks and will be selected in line with risk
philosophy. A reserved fund could ensure money was available to restore normal working as soon as
possible, or we could transfer risk to a third party with an insurance policy or specific clauses in
contracts. Options available to larger organisations may be to set up their own insurance company,
negotiate global insurance cover, or directly access capital markets. We discuss the pros and cons of all
these solutions, and see that, usually, a mix of financing options will be preferred, balancing costs
against perceived benefits. An insurance portfolio needs to make best use of insurance limits and sums
insured in commercial package offerings, and evaluate any external risk management services on offer.
Not all risks can be insured, and most organisations must accept a disaster scenario is possible, and
that continuity plans will be required.
International risk management standards have been published with codes of best practice to assist
organisations setting up and managing risk management systems. We review the most important of
these. All these standards have to be kept up-to-date. Large disasters can alter our perception of risk,
alert us to new risks and change risk management attitudes. We look at three high-profile examples in
depth to see how multiple risk management failings allowed these events to happen. Organisations’
attitude towards risk management is an important factor in these examples. Organisations must actively
work to achieve and maintain an appropriate risk management culture that is firmly embedded in their
organisations. This will involve continuous management, audit, benchmarking and review.

Contents
1: The meaning of risk
A Evolution of risk management 1/2
B Risk perception 1/7
C Risk and uncertainty 1/11
D Risk and reward 1/12
E Types of risk 1/12
F Risk and consequence – the link between cause, events and effects 1/17

2: The purpose and process of risk management


A Introduction to risk management 2/2
B Benefits of risk management 2/3
C Risk and organisational objectives 2/4
D The risk management process 2/15

3: Roles and responsibilities


A Corporate governance and internal control 3/2
B Enterprise risk management (ERM) 3/9
C Individual responsibilities 3/12
D Relationship between audit and risk management 3/17
E Relationship between compliance and risk management 3/19
F Governance, risk and compliance (GRC) 3/20
G Risk appetite and risk tolerance 3/21
H Risk aware culture 3/23
I Risk maturity 3/24

4: Tools and techniques 1: risk identification


A Why do we need risk information? 4/2
B What sort of information do we need? 4/3
C Sources of internal information 4/4
D Sources of external information 4/7
E Collecting data 4/10
F Reliability and change 4/13
G Methods of risk identification 4/14

5: Tools and techniques 2: assessment and measurement of risk


A Risk assessment 5/2
B Risk categorisation 5/4
C Measuring impact 5/7
D Measuring probability 5/10
E Risk ranking 5/15
F Risk appetite and tolerance 5/19
G Risk control 5/20
H Risk registers 5/22
Appendix 5.1: Extract from a sample risk register 5/31

6: Risk financing, retention and transfer


A Cost of risk incidents 6/2
B Risk financing options 6/6
C Insurance as a risk transfer mechanism 6/8
D Other risk financing options 6/23
E Alternative risk transfer 6/30
F Risk financing plan 6/31

7: Risk management lessons


A Risk management standards 7/2
B Example studies of major losses 7/7
C Embedding risk management 7/28
D Benchmarking 7/29
E Conclusion 7/30

Self-test answers i
Statutes ix
Index xi
Chapter 1
The meaning of risk
Contents (syllabus learning outcomes)
Learning objectives
Introduction
Key terms
A Evolution of risk management 2.1
B Risk perception 1.3
C Risk and uncertainty 1.1
D Risk and reward 1.1
E Types of risk 1.4, 4.1
F Risk and consequence – the link between cause, events and effects 4.3
Key points
Question answers
Self-test questions

Learning objectives
After studying this chapter, you should be able to:
• explain the evolution of the discipline of risk management;
• discuss risk perception;
• explain the difference between risk and uncertainty;
• explain the connection between risk and reward;
• explain the difference between pure and speculative risk;
• define a selection of fundamental risks; and
• examine the link between cause, events and effects.

Introduction
Risk management as we understand it today is a process that evolved during the twentieth century as a
formal approach to anticipating and dealing with risk and uncertainty.
If we can identify and understand the risks involved in an activity, then we might be able to control or
avoid them and thus improve our chances of a successful outcome. More importantly, we might reduce
our chances of total disaster. Alternatively, we might have a logical basis for deciding if we accept a
particular level of risk in order to gain some reward.
Risk management depends on:
• identifying risks involved in an organisation;
• estimating how often those risks are likely to materialise;
• measuring potential consequences; and
• exploring options available to exercise some degree of risk control.
The theory is simple but practical difficulties abound. In large, changing organisations, it would be
impossible to identify all the risks, analyse interdependencies and estimate impacts. Priority decisions
need to be made, measurement techniques decided and detailed records maintained. We also have to
keep up with change.
Therefore, for practical reasons, organisations need to develop a coherent management and procedural
framework for effective risk management. The framework must be:
• organisation-wide;
• an integral part of the organisation and its culture; and
• organised to allow for both audit and continuous change.
Information within the framework presents a further challenge. Is it accurate and who needs access to it?
Managed communication channels are essential.
We will start with a short history to help understand the meaning of risk and how perception of risk
changed over time. We will see how eminent scientists and mathematicians set about quantifying
different types of risk in terms of numbers, and how probability theory developed. From the timeline it is
clear that modern approaches to management of a variety of risks are relatively new. This helps explain
why there is as yet no universal agreement on fundamental definitions of key terms and why several
similar yet different standards are in common use today.
Next, we will look closely at how risk is perceived, how risk can be concerned with rewards and
opportunities and how risk is related to uncertainty. We will examine a selection of fundamental risks
likely to be faced by a variety of financial institutions. Finally, we will explore the link between cause,
events and effects.

Key terms
This chapter features explanations of the following terms and concepts:
• Business risk
• Credit risk
• Dread and unknown risks
• Insurance risk
• Liquidity risk
• Market risk
• Operational risk
• Pure risk
• Regulatory and legal risks
• Reputation risk
• Risk and reward
• Risk and uncertainty
• Risk perception
• Speculative risk

A Evolution of risk management


People have always been interested in foretelling the future. Our decisions as to what to do today are
influenced by what we think will happen in the future. Examples of short-term decisions might be
placing a bet on a horse or overtaking another car on a blind corner. Decisions with long-term
consequences might be agreeing to marry or adopting a particular religion. When we make such
decisions we recognise, consciously or subconsciously, that there are both risks and benefits involved.
Some people may ignore risks, but wiser people take a chance only if they believe expected benefits
outweigh the risk.
Chapter 1 The meaning of risk 1/3

Today we are used to measuring some risks. Bookmakers quote odds on horses so we can weigh up
potential returns against our chances of winning. Statisticians work out life expectancies and can tell us
the possible age when people will die. When we have comparative information to help us make choices
we can make informed decisions, take reasonable chances and avoid unnecessary risks. We have the
basis for managing risk.
It was not always like this. The concept of measuring risk dates from the middle of the seventeenth
century when two mathematicians, Fermat and Pascal, first proposed theories of probability. Gamblers
knew long before this that the chance of throwing a particular number with a true dice was the same for
each number on the dice, but they had no mathematical means of expressing this, or for working out
differences between long and short runs of dice throwing or for throwing combinations of dice. Most
believed a particular number came up because of fate or some decision of the gods. You cannot manage
an event that is decided by the gods.
The early history of risk management theory is also the early history of mathematics. We express the
severity of a risk in numerical terms and manipulate probabilities with mathematical expressions. This
has only been possible since the thirteenth century when the numbers 0 to 9 we now use were gaining
acceptance in the Western world. Also, people were only readily able to share ideas after the invention
of printing in the middle of the fifteenth century.
It took the early mathematicians and scientists over three hundred years to work out how to use
numbers for things like multiplication, division, proportions, conversions, and the simple algebra that
we now take for granted in school. It was not until 1565 that an eminent physician called Cardano, who
was also a mathematician and inveterate gambler, produced a mathematical analysis of games of
chance. It was another forty years before Galileo published a paper on similar topics.

A1 Evolution of risk management in the seventeenth century


Fermat and Pascal set out to decide how to divide the stakes fairly in an unfinished game of chance
when one player is ahead when the game stops. They needed to work out what the probable outcome
would have been. Fermat worked algebraically while Pascal developed a triangular arrangement of
numbers from which probabilities could be deduced. For the first time there was a mathematical way to
measure the probability that any specified combination of events might happen in the future. However,
this was based on the assumption that all risks had an equal chance of happening or not happening.
Pascal also considered the idea that one of two evenly possible risks might be more preferable than the
other. As well as measuring the probability that a risk might materialise in the future, the consequences
of that event had to be taken into account when deciding what risks to take.
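The stake-division problem Fermat and Pascal worked on, as an added worked example (not taken from the study text): Fermat's enumeration of every possible continuation and Pascal's partial sum of a row of his triangle give the same fair share, and a third function goes beyond the page's equal-chance assumption by letting one player win each round with an arbitrary probability. The game and stake values are constructed for illustration.

```python
from fractions import Fraction
from itertools import product


def pascal_row(n):
    """Row n of Pascal's triangle: [C(n, 0), C(n, 1), ..., C(n, n)]."""
    row = [1]
    for _ in range(n):
        row = [1] + [row[i] + row[i + 1] for i in range(len(row) - 1)] + [1]
    return row


def fermat_share(a_needed, b_needed):
    """Fermat's method: enumerate every way the game could continue.

    With each round an even chance, the match is certain to be decided
    within a_needed + b_needed - 1 further rounds, so every sequence of
    that length is equally likely.  A's fair share of the stake is the
    fraction of those sequences in which A reaches a_needed points.
    """
    rounds = a_needed + b_needed - 1
    favourable = sum(
        1 for seq in product("AB", repeat=rounds) if seq.count("A") >= a_needed
    )
    return Fraction(favourable, 2 ** rounds)


def pascal_share(a_needed, b_needed):
    """Pascal's method: the same count read off the triangle.

    The number of sequences in which A wins exactly k of the remaining
    rounds is C(rounds, k), so the favourable count is a partial row sum.
    """
    rounds = a_needed + b_needed - 1
    row = pascal_row(rounds)
    favourable = sum(row[k] for k in range(a_needed, rounds + 1))
    return Fraction(favourable, 2 ** rounds)


def weighted_share(a_needed, b_needed, p_a):
    """Beyond the page's equal-chance assumption: A wins each round with
    probability p_a.  Recursion on the points each side still needs.
    """
    p_a = Fraction(p_a)
    memo = {}

    def prob(a, b):
        if a == 0:
            return Fraction(1)
        if b == 0:
            return Fraction(0)
        if (a, b) not in memo:
            memo[(a, b)] = p_a * prob(a - 1, b) + (1 - p_a) * prob(a, b - 1)
        return memo[(a, b)]

    return prob(a_needed, b_needed)


def divide_stake(stake, a_needed, b_needed):
    """Split a stake in proportion to each player's chance of winning."""
    share_a = pascal_share(a_needed, b_needed)
    return stake * share_a, stake * (1 - share_a)


if __name__ == "__main__":
    # Constructed example: a first-to-three-points game is stopped with A
    # on one point and B on none, so A needs 2 more and B needs 3 more.
    print(fermat_share(2, 3), pascal_share(2, 3))   # 11/16 11/16
    print(divide_stake(64, 2, 3))                   # A gets 44, B gets 20
    print(weighted_share(2, 3, Fraction(3, 5)))     # 513/625
```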
However, Fermat and Pascal were mainly dealing with simple risks whose probabilities could be
mathematically calculated. How do we measure and assess everyday risks that have no obvious
relationship? Can we assess future probabilities of events that are influenced by lifestyle factors or
human decisions? Emphasis shifted from predicting the outcome of games of chance to the study of
naturally occurring phenomena.
A significant development came in 1662 with the publication of an analysis of records of births and
deaths in London. This was compiled by a businessman called John Graunt with help from William Petty,
a professor of anatomy and music and author of a pioneering book on political arithmetic, a precursor to
modern economics. Graunt summarised available data and drew from it a variety of conclusions,
including a forecast of life expectancy. He established the value of analysing past data as a reasonable
guide to what might happen in the future.
In 1693, Edmond Halley (best known for calculating the orbit of the eponymous Halley’s Comet)
published a similar analysis based on the town of Breslau in Germany, which kept particularly good
births and deaths records. Halley developed the idea of statistical distributions and produced life
expectancy tables giving the probability that a person of a given age would live for a further number of
years. It was this analysis of the numerical measurement of risk of death which led to the development
of life insurance and the birth of the annuity business.

A2 Evolution of risk management in the eighteenth century


Other useful data was being collected around this time for use in forecasting. Edward Lloyd ran a coffee
house in London that attracted merchants and shipping proprietors, who exchanged information on the
value and risks involved in various shipping options and trade routes. To keep his customers coming,
Lloyd started to keep records of shipping movements and conditions abroad and at sea. He had a
network of reporters across the trade routes and in 1696 published the information as a document called
the Lloyd’s List. People used information in the List to calculate the probability of ships arriving safely at
their destinations, and the coffee house became an effective centre of marine insurance, developing in
1771 as the Lloyd’s underwriting business that still exists today.

Useful website
www.lloydslist.com.

A major step forward in risk measurement and assessment came with the publication in 1738 of a paper
by Daniel Bernoulli in St Petersburg, Russia. Bernoulli recognised that the value placed on a particular
risk would be different for different individuals. People react to risk in different ways.
Daniel Bernoulli’s uncle Jacob (who was also interested in probability) was attempting to extend early
mathematical theories to forecast useful probabilities of risk in the real world. These mathematical
theories were developed around games of chance. What general inferences could be drawn from
samples of data such as that collected by Halley? Bernoulli worked on the basis that under similar
conditions the chance of an event occurring would follow the same pattern as was observed in the past.
He deduced that the average of a large number of events is more likely than the average of a small
number of similar events to differ from the true average by less than some stated amount. His work
allowed estimates of probable average values to be calculated from collections of observed data.
Abraham de Moivre is known to have corresponded with the Bernoulli family. In 1733 he published a
paper acknowledging their early work and showing how the values of a set of similar random events
would distribute themselves about the mean value. His distribution is known today as the normal curve,
and has been shown to apply to many varied types of measurements. By observation of the standard
deviation of results about the mean, it became possible to judge whether a data sample is sufficiently
representative of the whole.
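Bernoulli's and de Moivre's results above, as an added simulation (not part of the study text): repeated averages of a fair die show that a larger sample is more likely to land close to the true mean, and the observed spread of those averages is compared with the standard deviation de Moivre's normal curve predicts. Die throws are constructed from a seeded random generator; the tolerance and sample sizes are arbitrary choices.

```python
import math
import random
import statistics

TRUE_MEAN = 3.5          # expected value of a fair six-sided die
DIE_VARIANCE = 35 / 12   # variance of a single throw


def sample_mean(n, rng):
    """Average of n throws of a fair die (constructed data, seeded RNG)."""
    return sum(rng.randint(1, 6) for _ in range(n)) / n


def fraction_within(n, tolerance, trials, seed=1):
    """Bernoulli's claim, tested by repetition: the proportion of trials in
    which the average of n throws lands within `tolerance` of the true
    mean.  Larger n pushes this proportion towards 1."""
    rng = random.Random(seed)
    hits = sum(
        abs(sample_mean(n, rng) - TRUE_MEAN) <= tolerance for _ in range(trials)
    )
    return hits / trials


def spread_of_means(n, trials, seed=2):
    """Observed standard deviation of the sample mean across many trials."""
    rng = random.Random(seed)
    means = [sample_mean(n, rng) for _ in range(trials)]
    return statistics.stdev(means)


def normal_spread(n):
    """de Moivre: the sample mean is approximately normal about the true
    mean with standard deviation sigma / sqrt(n)."""
    return math.sqrt(DIE_VARIANCE / n)


def normal_within(n, tolerance):
    """Probability, under the normal curve, that the average of n throws
    lies within `tolerance` of the true mean."""
    z = tolerance / normal_spread(n)
    return math.erf(z / math.sqrt(2))


if __name__ == "__main__":
    for n in (10, 100, 1000):
        print(n, fraction_within(n, 0.25, 1000), round(normal_within(n, 0.25), 3))
    print(spread_of_means(100, 500), normal_spread(100))
```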

A3 Evolution of risk management in the nineteenth century


Following these developments in the eighteenth century, mathematicians became obsessed with
collecting measurements so they had reliable past data to analyse. Quetelet, for example, was involved
in planning the French census of 1829. With this data and other social measurements he analysed the
characteristics of a variety of groups of people. He found that his measurements often fitted the normal
distribution, which led him to come up with the idea of the ‘average man’ (or woman) in a particular
sociological group. This is a concept which we still use today.
Later in the nineteenth century, Francis Galton measured everything he came across from court
sentences to the weight of an ox. He kept detailed records of the range and characteristics of every part
of human anatomy. Developing a keen interest in heredity, he plotted changes in characteristics from
one generation to the next. Studying the distribution of heights, for example, he found that parents with
heights at the edges of the normal distribution for their generation did not invariably go on to produce
even taller (or shorter) children. Instead, after one or two generations their descendants’ heights would
move back towards the average height for the group. His observations of ‘regression to the mean’ are
fundamental to many risk management strategies today.
Galton built on the earlier work by Gauss and Laplace. Large numbers of independent measurements are
needed to decide whether a normal distribution can reliably be applied to any particular situation. Also,
care must be taken to investigate cause and effect to distinguish one-off events from the outlying
measurements of random distributions. Henri Poincaré developed these ideas, recognising from the
outset that real risk decisions often have to be taken when there is not enough reliable data available to
be used for mathematical purposes.

A4 Evolution of risk management in the twentieth century


By the twentieth century attention had moved on from essentially mathematical developments and the
study of distributions of naturally occurring phenomena. People were interested in the human element of
decision making and risk taking. How do real people decide which risks to take? Why do people with the
same facts make different decisions? What circumstances encourage people to take larger risks? Why do
we gamble when we know the mathematical odds say we should lose?
People like Arrow, Knight and Keynes focused on risks that could not be measured. New developments
and inventions were happening rapidly that bore no resemblance to anything that was relevant in the
past. World War I had introduced discontinuity where previously people were looking for order.
Limitations of earlier work were exposed as emphasis shifted from the study of probability to theories of
uncertainty.
Knight and Keynes were economists trying to make sense of the relationships between unemployment,
interest rates, money supply, borrowings and growth. Knight distinguished between risk and
uncertainty, arguing that uncertainty could not be measured and that if risk could be measured then it
could not be termed uncertainty at all. Attitude to uncertainty should be different to attitude to risk.
Keynes worked with degrees of belief about the probability of future events, with past data often
misleading or irrelevant. If outcomes were not inevitably following laws of chance or nature, then
outcomes could be influenced by judicious interference in cause and effect. Risk management was
possible.
Economists, however, faced a major practical difficulty. Changes could be made to influence a particular
outcome, but immediately people would react to those changes. Different decisions would be made and
the resulting model might be quite unlike the model on which the original judgments were based.
Decisions could not be guaranteed to produce the required effect. They had to be assessed on the basis
of their likelihood of producing that effect.
Considerations of this nature gave rise to the study of strategic game theory. This is where one person
seeks to gain advantage over the other, without knowing in advance how their opponent is going to
respond to any particular move. Von Neumann published a theory of games of strategy in 1926 analysing
a very simple game in mathematical terms. Later, Von Neumann and Morgenstern produced a theory of
games and economic behaviour, suggesting how risk appetites (how much risk an individual or
organisation is willing to accept) might be measured in numerical terms and mathematical calculations
applied to rational decision making.
In 1900 Bachelier attempted to develop a mathematical model to simulate fluctuations in the value of
financial products. However, up until World War II, managing risk was mainly seen as a combination of
risk avoidance and insurance.

A4A Post-World War II onwards


It was not until the 1950s that risk management theory began to develop into the form we recognise
today. Insurance products were becoming costly and incomplete and some risks were uninsurable.
During the 1960s, attention turned to continuity planning, self-protection and self-insurance schemes
and protection against work-related illness and accidents. Loss prevention and safety management
became fashionable.
The 1970s saw large fluctuations in interest rates, stock market returns, exchange rates and the prices of
many raw materials and commodities. This led to derivatives being used as a risk management tool.
Originally derivatives were seen as a simple option to buy or sell stock or commodities at a fixed price at
a future date. However, they were seen as a form of insurance and available options soon became more
complex and secondary markets evolved, leading to new risks which needed to be managed.
The development of self-insurance and other risk retention programmes continued, especially in relation
to large organisations. In parallel to these, captive insurance companies emerged as alternative risk
financing options. By the 1980s, large companies were introducing financial risk management and
financial institutions were increasing market and credit risk management activities.

Consider this…
What do you think are the benefits of a captive insurance company?

Operational risk and liquidity risk management became popular in the 1990s as organisations realised
the importance of having enough cash available to meet commitments when required.

Computers also became affordable in the 1990s and financial institutions developed risk management
models and capital calculation formulae to protect themselves from unanticipated risks and reduce
capital. International regulation of risk started, governance and control of risk became essential and risk
management standards evolved.
The large risks involved in new and rapidly growing financial markets and products became apparent in
the late 1990s when a number of high profile bankruptcies were attributed to speculation in derivatives.
Governments were forced to intervene and financial regulation tightened.
The group of ten most industrialised nations had agreed in 1988 a system for regulating banks by
controlling their capital reserves (Basel I accord). This was upgraded in 1994 (Basel II), introducing a
more risk based calculation of capital value for credit risk control and extending capital calculation rules
for operational risk. In 2010 Basel III added more capital controls to address liquidity risk and
emphasised the importance of financial risk management, transparency and corporate governance.
Similar controls for insurance organisations were the subject of EU directives known as Solvency I in
1973 and Solvency II, which was implemented in January 2016.

EU referendum
On 23 June 2016, the UK voted to leave the European Union (EU).
The UK Government invoked ‘Article 50’ of the Lisbon Treaty on 29 March 2017. In doing so, the two-year
negotiation period which will result in Britain leaving the EU began. This means that, at the time of publication,
the UK’s membership of the EU will cease on 29 March 2019.
Until this final ‘withdrawal agreement’ is entered into, the UK will continue to be a full member of the EU, compliant
with all current rules and regulations, and firms must continue to abide by their obligations under UK law, including
those derived from the EU, and continue with the implementation of all legislation that is still to come into effect.
The longer term impact of the decision to leave the EU on the UK’s overall regulatory framework will depend, in part,
on the relationship agreed between the UK Government and the EU to replace the UK’s current membership at the
end of the ‘Article 50’ negotiation period.
Please note: The UK decision to leave the European Union will have no impact on the 2018 CII syllabuses or exams.
Changes that may affect future exam syllabuses will be announced as they arise.

Useful website
To learn more about Solvency II visit the EIOPA website: https://eiopa.europa.eu

In the USA stringent governance and financial reporting regulations were imposed by Sarbanes–Oxley
Act 2002 covering all companies listed on the New York Stock Exchange. Corporate governance
requirements specifically emphasised risk management controls and recommended risk management
standards to be followed. These developments were echoed in the UK with particular attention paid to
the role, responsibilities and actions of directors, chief executives and senior management of
organisations, who were to be held accountable for their long-term decisions.
Insurance is no longer seen to be the main answer to risk-related problems. We look at the management
of risk across and around an organisation as a whole. With emphasis on prevention of risk-related
problems and sharper focus on managing consequences when a risk materialises (in the form of
business continuity management) organisations are viewing risks in a more holistic way.
Accidents are no longer accepted as fate. People look for the cause and try to allocate responsibility.
Someone did something they should not have done or did not do something they should have done.
Financial implications are argued by lawyers and health and safety regulations abound. While events
such as lightning strikes are still attributed to acts of God, authorities are expected to recognise the
probability of other natural disasters occurring in their region and legislate to mitigate their effects.
Risk management professionals still have to address the same issues faced by the early pioneers.
Insurers, intermediaries and organisations alike continue to try and predict future events and what their
impact will be if they materialise. Debates around validity of data and its relevance abound and
inferences or reasonable judgments still have to be made. Time continues to be devoted to identifying
underlying causes of events and to management of their outcomes when they materialise.
Before any decisions can be made, risks must be identified and measured so their threats and cost
implications can be compared. As we have seen, it was the early work of mathematical pioneers over a
long time period that made this first element of risk management possible.

However, any organisation has to start by deciding what sort of risks they are prepared to take. In order
to understand the process leading to decisions whether or not to accept certain risks it is important to
appreciate in general terms how risks may be perceived. Are we happy to tolerate certain risks but not
others and, if so, why? What shapes our thinking in this area? In the next section we will look at the
different ways risks can be perceived.

B Risk perception
People view risk in different ways and will therefore react differently to identical risks. What would
happen if a group of people are asked to estimate the risk of fatality from various hazards and the
answers compared with actual statistical observations? Slovic, Fischhoff and Lichtenstein found that
individuals consistently underestimate or overestimate certain types of risk although the group average
may be near the actual figure. What influences are at work? In this section we will look at the following
issues which are associated with risk perception:
• voluntariness;
• controllability;
• delay;
• man-made and natural risks;
• familiarity;
• expected benefits;
• media;
• dread and unknown risks; and
• other influences on risk perception.

B1 Voluntariness
Renn, Jungermann and Slovic confirmed our perception of risk is reduced if we choose a risk voluntarily,
and our risk perception is increased if the risk is imposed on us. Earlier work by Starr found people were
willing to accept risks they chose themselves (for example, skiing) that were up to one thousand times
greater than risks that were imposed on them (for example, food
preservatives). They chose risks because they wanted the rewards involved, and at the same time were
confident of their personal ability to control the risk. They had freedom of choice and were prepared to
accept responsibility for their decision.

B2 Controllability
People are more willing to accept risks they think they can control. Risks that are out of our control are
more frightening because we cannot influence their outcome. Sjoberg notes that most people
overestimate their ability to control risk, thinking they are better than average, which of course everyone
cannot be. A variation of controllability arises when we do not have the skills needed to accept a risk
ourselves (say flying an aeroplane); our perception is then influenced by the degree of trust we have in
the responsible person who accepts it on our behalf.

B3 Delay
If the effect of a risk is far into the future we may be more willing to accept that risk now. Perhaps we
think something in the meantime will happen to reduce or avoid the consequences of the risk. A typical
example is a smoker willing to accept known risks spelt out on the packet for transient rewards of
immediate pleasure.

B4 Man-made and natural risks


Man-made and natural risks are perceived differently, the latter being more accepted than the former.
This refers back to control. We assume something could be done to reduce the effect of man-made
situations. We look to cause and effect and someone responsible to blame when things go wrong.
Natural processes can be accepted as acts of God or fate, against which there is no redress. However,
distinctions in this area are becoming blurred as some natural phenomena like global warming and
climate change are being linked to man-made activity, and common natural disasters like floods and
earthquakes can be defended against with suitable man-made precautions.

B5 Familiarity
Familiarity with risks also affects our perception. Slovic, Fischhoff and Lichtenstein confirmed we get
used to living with certain risks, for example with driving, and our perception of the real risk can
diminish with time. Uncertainty causes us problems and new risks whose outcomes are unknown can
cause particular concern. Examples here would be the BSE/CJD beef scare, the consequences of genetic
engineering and the side effects of shale gas fracking.

B6 Expected benefits
Expected benefits also influence our view of risk. We have already seen that driving, for example, a
known high risk is accepted because of the overriding benefit of getting quickly from place to place. In
this case, a personal risk gives a personal benefit, but will we accept a risk if the benefit goes to
someone else?
Studies show that we are more prepared to accept risk where we perceive benefits to be justly shared
than if we think benefits are unfairly distributed. We may accept living with nuclear power stations
because we all benefit from the resultant energy distribution, but we may protest about coal mining
where risks may be seen as out of proportion to the distribution of rewards. In addition, people’s
perception of justice differs between communities according to whether rewards are distributed
universally, principally to benefit the poor or disadvantaged, or principally to benefit risk takers or
contributors.

B7 Media
Finally, perceptions of risk are influenced by the media. Risks not in the media are not seen as important
as those that are. Rightly or wrongly, we think risks must be important if the media has chosen to cover
them. Today the media and social networking sites are among the main influences on our knowledge of
risk, though there is debate as to how much media reports alter risk perception.
The above broad classifications are attributed to the work of Slovic and others in 1985. In his paper,
Perception of Risk, his US-led research also came up with a further way to illustrate how risks come to be
viewed by comparing and plotting on a simple graph two extreme risk descriptions he called dread and
unknown risks.

B8 Dread and unknown risks


A psychometric paradigm can be used to illustrate and compare the way ordinary people judge risks.
Based on the observation that many of the influences described above correlate with each other, a
simplified chart is produced based on two composite risk descriptors: dread risk and unknown risk.

Be aware
Dread risks are characterised by perceived lack of control, catastrophic potential, inequitable distribution of risks
and benefits and dreadful consequences. The opposite of dread risk is risk with characteristics such as controllable,
individual or relatively contained consequences, equitable and voluntary.
Unknown risks are those less generally known, with limited knowledge of the risk, perhaps with delayed effect and
where the risk type is new. The opposite is known risks with known consequences, observable, and with immediate
effect.

As you can see from figure 1.1, using dread and unknown risks as the x and y axes of a chart, with their
opposites in the negative direction, people’s perception of particular risks can be plotted in relation to
each other. This gives a visual representation of the weight people tend to place on various categories
of risk.
Risks in the high dread/high unknown sector tend to be widely discussed and generally overestimated.
Risks in the low dread/low unknown area attract little attention and are generally underestimated.
Following this observation, if a new risk can be positioned on the chart, predictions can be made about
the amount of public concern likely to be generated.

Figure 1.1: Dread and unknown risks
[Chart: ‘unknown risk’ on the vertical axis and ‘dread risk’ on the horizontal axis, with their opposites in
the negative direction. Risks plotted include microwave ovens, electric fields, diagnostic x-rays, radioactive
waste, nuclear reactor accidents, pesticides, antibiotics, asbestos insulation, satellite crashes, caffeine, lead
paint, coal burning pollution, vaccines, skateboards, auto exhaust (CO2), smoking (disease), large dams,
skyscraper fires, chainsaws, underwater construction, bicycles, fireworks, auto racing, auto accidents and
handguns.]
Source: Slovic, P (1987) ‘Perception of risk’, Science, 236(17 April), pp.280–5, DOI: 10.1126/science.3563507. Reprinted with
permission from the American Association for the Advancement of Science (AAAS) and Dr Paul Slovic. Modified with permission
from Dr Paul Slovic.

B9 Other influences on risk perception


Risk perception influences are not limited to the factors outlined above. Further studies are exploring
wider social issues and the effect of cultural differences between communities across the globe.
Religious beliefs, lifestyle and economic concerns all have to be taken into account as well as different
notions of justice and fairness. Local concerns can override otherwise general conclusions.

In 2000 Renn and Rohrmann suggested a structured framework to take these additional factors into
account. They adapted an earlier model developed by Breakwell in 1994 to highlight four context levels
of risk perception.

Each level has two sections reflecting individual and collective influences, and each level is embedded
in the higher level to highlight mutual interdependence.
A simplified diagram of Renn and Rohrmann’s structured framework is illustrated in figure 1.2.

Figure 1.2: Renn and Rohrmann’s structured framework
[Diagram of four nested levels, each with a collective and an individual section, innermost first:
collective reasoning strategies and common sense; knowledge of risk and emotional factors; social,
political and economic culture and media influence; cultural influences and personal identity and views.]

First level: The first level covers collective and individual reasoning strategies that have evolved over the
years, popularly referred to as common sense. These strategies are independent of the nature of a risk
and are primary mechanisms of selecting, memorising and processing signals to form an opinion about
the seriousness of the risk.

Second level: The second level covers knowledge of the risk, or at least what we believe from available
information to be true. It also recognises that emotional factors are important. Whether the consequence
of a risk is seen as good or bad will colour a person’s attitude to the risk and influence their process of
balancing risk with rewards.

Third level: Level three concerns the influence of social and political institutions that people associate
with a risk or its cause. People’s views are shaped by the views of their reference group, the group a
person would like to or believes they belong to. Level three recognises economic as well as social status
and values and acknowledges important input from the media.

Fourth level: The last level explores cultural factors that affect risk perception and govern many of the
lower levels of influence. Perception of risk is shaped by the society in which we live. Politics, climate,
economic development, culture and religion all play a part. We develop a view of the world from within
this framework, together with our personal identity and beliefs. Studies focus on the importance of
powerful interest groups, with either open or perceived hidden agendas, in altering individual attitudes
and emotions.

All four levels of influence need to be taken into account to study how people evaluate risk. The old
model of probability and consequence does not match how people actually think. We know that
psychological, social and cultural contexts need to be taken into account together with their mutual
interactions. However, as of yet no one has developed a practical model that can be relied on to predict
real decisions.

Consider this…
Despite the availability of a suitable vaccination programme, people in South Wales did not get their children immunised
and later suffered from a local outbreak of measles in 2013. What factors might have influenced their decision?

Further problems arise when we consider the consequences of major new and emerging risks, as their
indirect effects need to be taken into account. Will their outcome change the political or economic
climate? Will the risk trigger widespread change in attitudes or new social movements? Can general
conclusions ever be reached?

B10 Importance of risk perception in risk management


Anyone trying to manage risk must recognise the multitude of factors determining how risks are going to
be perceived and take them into account when making practical decisions. Risks cannot be ignored
simply because one person or group does not see them as important. Conversely, people may demand
controls for risks they see as threatening, even when mathematical logic says their probability is low.
Communication can be vital. Open discussions may change opinions or at least gain acceptance of
proposed mitigation measures.
How individuals, or groups of individuals, at senior management or executive level perceive a given risk
can be fundamental to the future direction of an organisation. This is because it could shape their risk
appetite and their attitude to acceptance of a given risk. Similarly, maybe at a lower level in an
organisation, an individual’s perception of a risk, or set of interrelated risks, could severely hamper their
judgment or dictate their pattern of future behaviour.
In certain circumstances an individual allowed to take large risks in a reckless or irrational manner could
jeopardise the entire future of an organisation.
The way individuals in an organisation approach risk assessment and risk acceptability is influenced by
the attitude and behaviour of senior management over a period of time. Organisations develop a
particular way of approaching risk that is known as the organisation’s risk culture. We will discuss the
importance of risk culture in chapter 3. As we will see it is a vital element of effective risk management.

C Risk and uncertainty


We have seen that risk is associated with uncertainty. We may be able to identify a risk but we are
uncertain as to how often and when it will materialise in the future, if at all. Study of past measurements
and application of probability theory can crystallise the degree of uncertainty associated with known
risks, but we will always be faced with uncertainty when considering new and emerging risks. As well as
frequency and timing, precise consequences and impact may also be unknown.
Uncertainty has to be taken into account when attempting to manage and control risk in a practical
environment. Control mechanisms and management alternatives for dealing with retained risks need
some built-in tolerance in case attributes of a risk turn out to be smaller or larger than expected. This can
be particularly important where the risks affect objectives that have strict time deadlines for completion.

When undertaking new projects or changing processes or structure, an organisation has to accept a
degree of uncertainty and build in continuity plans. It must decide what variations from the original
anticipated outcomes can be tolerated.
Using concepts of classic control theory developed by mathematicians and engineers to keep machinery
performances within specified tolerances, information gathered from measuring the effect of a variation
on the outcome of a project can be fed back to control the variation and bring it back within acceptable
limits.
This sort of control risk management is the basis of a risk management approach often adopted by
auditors and accountants. Frequently referred to as internal control, it concentrates on reducing
uncertainty of outcomes by controlling risks and risk assessment is of secondary importance. Useful as
this may be in particular project endeavours, organisations should not concentrate solely on internal
control management techniques as they may find the process stifles entrepreneurial flair. We will
explore the role of the audit functions and internal control issues in chapter 3.

Consider this…
What steps can an organisation take to protect against late delivery of a new project:
• when it is uncertain exactly how long it will take to complete key activities; and
• when it is uncertain when or how often work will be disrupted by unplanned events controlled by others?

Question 1.1
Why is understanding risk perception important in managing risks?

D Risk and reward


Risk management is also about opportunity. We can illustrate this with an example.

Example 1.1
A dental surgery plans to move from paper records to a fully computerised system. There are risks at the
implementation stage, such as delays in software supply or surgery staff being unfamiliar with the software.
However, there is a big opportunity to save time and money through ease of access to records. Also, there will be
ongoing risks such as data security and back-up, but if those risks are properly managed the opportunity will be fully
maximised.

Now consider the following statements:

A risk is the threat that an event or action will adversely affect an organisation’s ability to maximise
stakeholder value and to achieve business objectives.
Risk arises as much from the possibility that opportunities will not be realised as it does from the possibility
that threat will materialise or that mistakes will be made.
Risk is integral to all opportunity and is as much about opportunity as it is about threat.
A person or organisation pursuing an opportunity balances risks involved against perceived rewards.

There is always an element of risk. As a child you would have experienced conflict between risk and
reward, for instance when learning to ride a bicycle. Pleasure of success would have been tempered by
the pain of inevitable early falls.
In theory then, we can measure the magnitude of a risk by evaluating and measuring its consequences,
and balance that risk against any possible reward gained from allowing the risk to continue. We will see
that sometimes risks are taken deliberately to achieve potential reward. At other times the reward is merely
in reducing or removing risk, saving time or money that would be spent if that risk materialised. The
difficulty, as we saw earlier, is that each person or organisation has their own perception of the value of
a particular reward and makes their own assessment of the effect of misfortune. The decision whether to
tolerate a risk or try to avoid it is not always a simple one to make.
This study text is concerned with risk management in business rather than personal and household
risks. However, business organisations are simply groups of people organised to achieve common aims,
and those people include:
• Those who enjoy and use risk.
• Those who are risk averse.
• Those who fit into the gap between the two extremes and bring their own personalities with them.
The overall attitude to risk an organisation adopts will depend on its directors and managers as well as
its strengths, sensitivities, culture, marketplace, competitor strength and stakeholder expectations.

E Types of risk
In this section we will look at individual or specific risks which an organisation is likely to face. We will
start to appreciate the scope of individual risks and how they are sometimes difficult to clearly describe
or define.
Any organisation must agree on the description or definition of specific risks, especially those whose
management is considered fundamental to its future success. This is a practical necessity because these
risks will be referred to in many risk-related communications, including risk registers, and need to be
universally understood.
Later on, as we move through the key stages of a risk management process, we will consider tools and
techniques to identify a whole range of differing risks. Then we will look at some suggestions of the best
way to go about grouping or placing risks into appropriate categories and sub-categories. For many
reasons we will see that this is no easy task.
For our examples we have selected risk names that appear frequently in risk literature, particularly in the
context of financial service institutions. Their management is usually considered to have a fundamental
part to play in the success of organisations within that sector of the economy. While the descriptions do
not provide a definitive form of words to describe these specific risks they should give you a feeling for
their nature and likely scope. We will revisit some of these risks when we consider options available for
risk control or mitigation.

Various definitions or descriptions of specific risks can be found in academic reference material,
business and general dictionaries, financial media and books. Definitions vary from one organisation to
another, different economic sectors, relevant professional organisations and with different people.
Definitions can be brief or elaborate and can apply to groups of similar or different risks, related or
independent.

Be aware
There is no universally accepted risk management terminology and therefore no universally accepted definition of
individual risks.

Remember that specific risks can dovetail and overlap with others. It is not always clear where
demarcation lines should be drawn, or what risks should fall under broad heading descriptions. To a
non-specialist person terms such as corporate risks and business risks may appear to be
interchangeable. Similarly, strategic risks are conventionally associated with long-term decisions or
objectives of an organisation, but would all senior management teams agree on what long-term risk is?
Long term in one organisation may be considered short term in another.
Similarly, what risks would you consider under the heading of reputation risk? Would you include
corporate social responsibility considerations? Would you include reference to media and, if so, which
sections? Would you make specific reference to issues arising from social media? Questions like these
are obviously relevant when we try to put risks into categories, but they also affect the description or
definition of individual risks.
Organisations therefore need to decide what definitions they will use and make sure names are
consistently applied across the organisation. All functions need to understand how a given risk is
defined and the context in which it should be used. This understanding must permeate all levels of the
organisation if confusion and inconsistent risk-related decisions are to be avoided.

We start by looking at two very broad categories: speculative and pure risks. After this we have selected
a number of risks that have general and wide application.

[Diagram: Types of risks: speculative, pure, strategy, operational, market, credit, liquidity, business, insurance, reputational, regulatory and legal]

Question 1.2
What is the link between risk and reward?

E1 Speculative risk
Speculative risk is where someone deliberately chooses to place money or other resources at risk in the
hope of obtaining a positive outcome.
The objective of an organisation using capital (money) in this way would be to make a profit or secure
another long-term objective. As part of this decision, an organisation should consider what gain could
be made and balance this with the ‘downside’ risk of things not turning out as predicted. Examples
could include decisions whether to invest in a new product, the timing of such an investment or perhaps
whether to enter a new market or a new country.
If you make a strategic decision that affects the long-term future of an organisation you are taking a
speculative risk. You could be committing substantial financial or other resources in support of your
reading of future events. The effects of a wrong decision may be devastating. In financial organisations,
speculative risk could involve betting large sums of money on their assessments of future market or
currency variations.

E2 Pure risk
Pure risk is a category of risk in which loss is the only possible outcome: there is no beneficial result.
Pure risk is related to events that are beyond the risk taker’s control and, therefore, a person cannot
consciously take on pure risk. This is opposite to speculative risk.

Consider this…
Think of two pure risks to which a company might be exposed.

Example 1.2
Buying a house is a speculative risk. The value may go up or down and the owner benefits from gains and suffers
from losses. A house fire is a pure risk. The owner has no control over the event and suffers loss. The owner may
recover fire loss through insurance but cannot make a profit this way.
If profit or loss can result from an event the risk is speculative. If the only outcome is loss then the risk is said to
be pure.

E3 Strategic risk
Closely related to speculative risks are strategic decisions or risks, which are usually associated with the
long-term objectives of an organisation. As such they invariably relate to decisions the organisation
makes about its direction, product mix and target markets. Organisations may well see strategic risks
incorporating failings around the sale of inappropriate products or services, lack of long-term planning,
failure of strategic partnerships or alliances (including outsourcing), and the implementation of
inappropriate mergers and acquisitions.

E4 Operational risk
Operational risk is generally defined as risk of loss resulting from inadequate or failed internal
processes, people and systems or from external events.
Operations of an organisation can encompass a wide array of risks, examples of which may include:
• the management of fraud (both internal and external);
• damage to physical assets;
• business disruption;
• system failure;
• employment practices;
• workplace safety;
• outsourcing;
• supplier disruption; and
• customer service issues.
System failures would include IT failure, process breakdown and potential damage caused by, say, a fire,
terrorist or arson attack, events that may need continuity or related recovery plans.

Another example of operational risk is the failure to protect data. The new General Data Protection
Regulation (GDPR) is similar in many ways to the existing Data Protection Act 1998 but imposes
additional legal requirements on those collecting and processing personal data. Breaches of the
Regulation could occur through data leaks due to cyber attacks but also through inadequate internal
discipline and procedures.

Be aware
The General Data Protection Regulation (GDPR) will come into effect on 25 May 2018 and replace all existing data
protection legislation, including the Data Protection Act 1998. This will occur regardless of decisions taken by the UK
concerning membership of the EU.
The GDPR aims to ensure that the regulation of data is simplified and that gaps in existing legislation, such as those
pertaining to electronic data, are addressed. Key components of the GDPR include:
• The right of individuals to have their personal data erased and to transfer it from one organisation to another
(data portability).
• A mandatory requirement to report a breach within 72 hours of it becoming known, and to inform the individual
concerned ‘without undue delay’, if their rights are likely to be at risk.
• The introduction of a statutory role of data protection officer (DPO).
• Tougher fines for non-compliance with the legislation.
• Application of the GDPR to companies outside the EU processing the personal data of EU citizens.
For further information, see: www.eugdpr.org/key-changes.html.

Consider this…
Do you feel that the most significant risks faced by an organisation are likely to fall within the broad description of
operational risk?

E5 Market risk
Market risk (also sometimes referred to as systematic risk) is concerned with the risk of losses in trading
positions arising from movements in market prices.
Equity, interest rate, currency and commodity price movement and changes fall within this area, leading
to careful monitoring of stock, interbank lending rates (such as LIBOR) or foreign monetary exchange
rates. Other areas of potential concern arise through changes in world market prices of essential
commodities such as corn or crude oil.
Largely driven by economic factors, market risks can be heavily influenced by events such as natural
disasters, recessions, political turmoil or terrorist attacks. Market risk can include equity risk (relating to
organisation-wide investments), property price risk (relating to changes in value of aggregate holdings of
property owned by an organisation) and solvency risk, the risk of going bankrupt.
Liquidity management, investment returns, mix and concentration of various assets and liabilities are
also likely to be of significant concern to all risk professionals looking to manage market risks, and the
closely associated financial risks of an organisation.

E6 Credit risk
Credit risk is risk that a counterparty will suffer real or perceived deterioration in financial strength, or be
unable to pay amounts in full when due.
Factors that influence credit risk can include the type of business or industry sector, customer profiles,
and the geographical, economical, political or social standing of the counterparty.
Credit risk is associated with credit worthiness of those with whom an organisation does business. An
organisation will review as many sources of public information as it can access and also consider
approaching appropriate credit rating agencies in order to try and determine the financial strength of
those it deals with. Credit risk can affect suppliers, business partners, agents and customers.

Useful website
Visit Standard & Poor’s website to learn more about the work of a credit rating agency:
www.standardandpoors.com.

Activity
Find out how your organisation, or one with which you are familiar, assesses the credit worthiness of its customers.

Consider this…
What signs would suggest that a counterparty might be struggling to meet payments due?

E7 Liquidity risk
Liquidity risk is the risk of running out of cash when it is needed to meet financial obligations (e.g. the
payment of valid insurance claims).
Liquidity is fundamental in any organisation. If an organisation cannot pay its debts as they fall due and
no one is prepared to supply additional cash to the company, either as capital or in the form of loans or
overdrafts, then almost certainly the company will fail, no matter how technically ‘profitable’ it may be.
Liquid funds can be cash or liquid assets. Asset liquidity is the ease with which an asset can be turned
into cash should the investor need it. Real estate, for example, is relatively illiquid; if a property owner
needs to convert their investment into cash, the selling process can be prolonged and the outcome
uncertain. Shares in public companies on the other hand are relatively liquid as they can be sold
quickly and easily, although at current market price. In the middle are bonds and securities, with fixed
redemption dates normally between one and twenty years from the date of purchase, depending on
their type.

Useful website
www.gov.uk and search for ‘liquidity’.

E8 Business risk
Business risk is the probability of loss inherent in an organisation’s operations and environment, such
as competition and adverse economic conditions that may impair its ability to provide returns on
investment.
Likely to be captured under this broad heading are risks arising from changes in competitive
environment and increase in market share of competitors. In addition, there may be consideration of
changes that may affect the industry within which the organisation operates. Examples would be risks to
its overall stability, consolidations, regulation or maybe changes in consumer or supplier expectations.

E9 Insurance risk
Insurance risk associated with any one insurance contract is twofold: uncertainty that an insured event
will occur, and uncertainty of the amount of any resulting claim.
For example, with life related products, which are long-term contracts with individual policyholders
provided by an appropriate insurer, there are inherent risks relating to mortality, morbidity or expenses
variances.
Similarly, with general insurance products, which are short-term contracts with individual policyholders
such as domestic motor or home insurance, there are financial risks for an insurer in estimating
reserves, with associated uncertainty of financial liability for potential future claims.

E10 Reputation risk

Reputation risk is the possible loss of an organisation’s reputation. In basic terms, if an organisation
does or is seen to be doing something good its reputation will be enhanced. Conversely, if it does
something bad or it seems it has done something bad, its reputation will be tarnished. An organisation
can lose or have its reputation severely dented whether or not allegations concerning it are true. Its
reputation can be tarnished through behaviour of individual employees, groups of employees,
organisations acting on its behalf, or through actions of customers, potential customers or other
stakeholders that operate outside the organisation.

Reputation risk is closely associated with brand management and accordingly the factors surrounding it
concern levels of public confidence or trust. A significant event under this risk category could spark
significant loss of customers, together with associated revenue, litigation against the organisation
and/or its business partners, and possibly substantial share price decline. Depending on circumstances,
a significant negative event surrounding an organisation can also lead to:
• loss of key employees;
• smear campaigns or similar across multiple media outlets (including social media, such as Facebook
and Twitter);
• loss of advertising revenue, possibly including celebrity endorsements; and
• the need to implement an expensive product recall programme.

Consider this…
A national daily newspaper publishes a negative article about an organisation on its front page. How do you think the
organisation goes about estimating its potential financial loss?

E11 Regulatory and legal risks


Regulatory risks are associated with factors an organisation needs to consider because of the regulatory
environment in which it operates. For example, an insurer might risk a fine or regulatory censure by
virtue of any failure to comply with applicable regulations. Also under this heading is the threat to an
insurer of potential failure to comply with minimum solvency margins due to regulatory legislation.
Organisations will increase regulatory risk if they fail to keep up with changes in regulations and should
avail themselves of any opportunity to input their views while new legislation is being considered.
Legal risks are associated with alleged or actual breach of contract between an organisation and a
counterparty. Counterparties could be business partners, third party service providers or customers.
Litigation can arise through a variety of activities an organisation may undertake, including financial
transactions, financial reporting, or allegations of fraud or misappropriation of funds. For some global or
international organisations, rules and regulations introduced in Europe or the USA can pose particular
problems. As an example, the EU Gender Directive 2012 requires insurers to reconsider their use of
gender-based pricing and cover. At the start of 2011 the European Court of Justice ruled that insurers
could no longer consider gender when calculating insurance premium rates and required insurers to
implement changes to their pricing models by 21 December 2012.
Another legal risk concerns money laundering; use of a business to convert illegally obtained assets or
cash to untraceable usable funds, or to divert any funds to finance terrorism. Organisations that handle
large volumes of high-value financial products are particular targets for money laundering activities, and
must take specific action to prevent criminal activity. Laws, regulations and guidance follow risk
management principles, and set out mandatory procedures and management controls. Certain types of
organisations must register with government regulators, and penalties for non-compliance stretch to
unlimited fines.
Legal and regulatory risks can also encompass situations where an organisation may be required to
comply with industry wide requirements even if these are not enshrined in law. In financial services, for
example, there are agreements between organisations within that sector regarding sharing of
information across relevant databases. Also within this broad heading can be considerations arising
through changes in corporate tax laws or Acts of Parliament.

F Risk and consequence – the link between cause, events and effects

Organisations are threatened by a wide range of risks. There are risks within the organisation, around
the organisation and risks related to the organisation’s responsibilities to others. Not all of these threats
may be the responsibility of risk professionals, but all need to be considered at some level if an
organisation is to meet best practice standards of governance.

We accept these risks in order to achieve corporate objectives. They arise from the organisation we have
set up. We may take steps to minimise their impact but as we have seen earlier, there will always be risk
associated with reward. One measure of the impact of a risk is reduction of anticipated reward.

We have seen that wide variances in risk understanding and use of risk are often quite valid. This study
text will reinforce the value of this wide range of views. It is important, however, to establish a base
within which our discussions can take place.
As a practical starting point, risk can be looked at from the viewpoint of whether an incident is likely to
occur. It is also necessary to consider how often such an incident could happen and how damaging the
incident would be if and when it occurred. In brief:
• Could it happen?
• How bad would the loss or damage be?
• How often could it happen?
Damage can take many forms and is certainly not always measurable simply in financial terms. For
example, a holiday village is destroyed by flood. Homes and shops can be rebuilt at a known cost, but
what price can be put on bad publicity and potential visitors who choose to holiday elsewhere, possibly
for many years to come?
To make good risk management decisions you need to understand the precise significance of such
damage to the organisation’s processes and the responsibilities that the organisation is carrying. It is
not enough to just consider whether an incident may occur and cause damage to an organisation.
Every risk is associated with cause and effect. To fully understand a risk we must study its cause as well
as its effect. In cases where cause is not known we must look for potential causes of risk. This is
particularly necessary when analysing new or emerging risks. Remember that causes can be man-made,
and therefore potentially avoidable, or result from natural events. We may not be able to control natural
events, but we can often limit our exposure to their effects.
We will see how we can use various techniques and charts to help link cause and effect and identify
interdependencies. One cause can have multiple effects and one effect might have several potential
causes. We need to look carefully at organisation and procedures to see if some of these links can be
avoided.
Once a risk has been evaluated, its consequences can be classified according to whether:
• they can be tolerated;
• they can be tolerated with financial compensation (e.g. insurance); or
• they are totally unacceptable.
Once a risk has been evaluated, recommendations for appropriate management action can be made.
By studying the cause or causes of events we can look to remove causes and thus prevent associated
risks from materialising, or at least reduce the likelihood or frequency of such events. Even if risk causes
materialise there are still things we can do. We can put controls in place between causes of risk and
associated effects to try and limit likely damage. Even after a risk materialises we still have the option of
taking further measures to limit its impact through continuity planning or disaster recovery measures.

Figure 1.3: The risk chain

[Diagram: Cause(s) arising from people, processes, systems or external events lead to an Event, which produces Effect(s) on humans, resources or reputation]

A cause or several causes could be a result of failings associated with activities of people, processes or
systems within an organisation, or perhaps external events beyond its control. These could combine or
operate in isolation to trigger an event, such as a fire or explosion. This event could have widespread
effects, such as human injury or death, tarnishing reputation or perhaps depleting an organisation’s
resources.

Key points
The main ideas covered by this chapter can be summarised as follows:
Evolution of risk management
• Modern risk management is a new discipline, effectively dating from the latter part of the twentieth century.
• Risk management is based on fundamental mathematical concepts of risk perception and measurement developed
by mathematicians and scientists during the previous three hundred years. Before that risk outcomes were
attributed to God or fate.
• We can trace mathematical analysis of games of chance back to the sixteenth century. Analysis of historical life
expectancy data and shipping records can be traced back to the seventeenth century.
• Statistics from past data allowed people to judge what might happen in the future and formed the basis of insurance
business.
• The eighteenth and nineteenth centuries saw developments in statistical analysis, analysis of distributions and
theorems based on these advances, such as regression to the mean.
• By the early twentieth century it was recognised that history was not always a reliable guide to future events.
Emphasis was on dealing with uncertainty and making decisions with a range of possible outcomes.
• Risk management as we recognise it developed after World War II and was accelerated by technology advances
such as the availability of computers. People stopped relying on insurance and concentrated on preventing or
mitigating the effects of risk incidents.
• Health and safety and security measures became commonplace, and continuity plans came into existence ensuring
business continuity in the event of disaster.
• Government regulation has widened and there is growing emphasis on responsibility and accountability for not
controlling risk.
Risk perception
• People view risk in different ways and will therefore react differently to identical risks.
• People are more willing to accept risks they think they can control.
• Man-made and natural risks are perceived differently, with the latter being more accepted than the former.
• Familiarity with risks also affects our perception.
Risk and uncertainty
• We may be able to identify a risk but we are uncertain as to how often and when it will materialise in the future.
• Uncertainty has to be taken into account when attempting to manage and control risk in a practical environment.
• When undertaking new projects or changing processes or structure, an organisation has to accept a degree of
uncertainty and build in continuity plans.
Risk and reward
• A person or organisation pursuing an opportunity balances risks involved against perceived rewards.
• We can measure the magnitude of a risk by evaluating and measuring its consequences, and balance that risk
against any possible reward gained from allowing the risk to continue.
Types of risk
• Organisations need to define key risks so that all stakeholders share a clear and common understanding.
• A speculative risk is where someone deliberately chooses to place money or other resources at risk in the hope of
obtaining a positive outcome.
• A pure risk is a category of risk in which loss is the only possible outcome: there is no beneficial result.
• Other types of risk include: strategic risk, operational risk, market risk, credit risk, liquidity risk, business risk,
insurance risk, reputation risk, and regulatory and legal risks.
Risk and consequence – the link between cause, events and effects
• As a practical starting point, risk can be looked at from the viewpoint of whether an incident is likely to occur.
• Damage can take many forms and is certainly not always measurable simply in financial terms.
• Every risk is associated with cause and effect. To fully understand a risk we must study its cause as well as its
effect.
1/20 M67/P67/March 2018 Fundamentals of risk management

Question answers
1.1 Anyone trying to manage risk must recognise the multitude of factors determining how risks are going to be
perceived and take them into account when making practical decisions.
1.2 A person or organisation pursuing an opportunity balances risks involved against perceived rewards.

Self-test questions
1. Approximately when did modern risk management ideas originate?
2. How were risks viewed before the seventeenth century?
3. Why did governments introduce regulation of financial institutions?
4. What characteristics of a risk cause people most concern?
5. What is the link between risk and uncertainty?
6. Why is it necessary for an organisation to publish definitions of risks?
7. What is the difference between pure and speculative risk?
8. Why do you need to understand the causes of individual risks?

You will find the answers at the back of the book



Chapter 2
The purpose and process of
risk management
Contents (syllabus learning outcomes shown in brackets)
Learning objectives
Introduction
Key terms
A Introduction to risk management (2.2)
B Benefits of risk management (2.2)
C Risk and organisational objectives (2.2)
D The risk management process (3.1)
Key points
Question answers
Self-test questions

Learning objectives
After studying this chapter, you should be able to:
• describe the benefits and value of risk management;
• describe what sort of risks organisations need to consider;
• outline the risk management process; and
• outline the variety of options available to an organisation to reduce, retain or transfer risk.

Introduction
In this chapter we learn why it is important for an organisation to manage risks and what benefits might
be expected if this is done properly. The need to systematically identify and analyse risk becomes
apparent and we look at an outline of the risk management process. We will also look at the range of
options available to an organisation to control risk and reduce its impact.

Key terms
This chapter features explanations of the following terms and concepts:
• Continuity planning
• New and emerging risks
• Physical and non-physical controls
• Risk management philosophy
• Risk management policy statement
• Risk management process
• Risk treatment and control

A Introduction to risk management


After reading chapter 1 you should have a good understanding of the concept of risk and the link
between cause, events and effects. If we thoroughly understand a risk and its implications we can take
steps to prevent causes, mitigate effects or break a link in the cause/event/effect chain. We call this
process risk management.
A working definition of risk management is ‘the identification, analysis and control of those risks which
can threaten the operations, assets and other responsibilities of an organisation’. Note this is not a
universally accepted definition, but is a good base from which the subject can be developed.
However, this is not the complete story. Risk management also includes the assessment of risks to
decide which risks are worth management attention and to balance risks against corresponding
opportunities.
Risk management takes place in specific working environments, where the attitude and aspirations of
people involved influence decisions that are made. Different organisations have different objectives and
structures and these influence attitudes to risk. Risk management processes, however, remain the same,
even though different decision criteria may result in different actions being taken by different
organisations to resolve similar problems.
In this study text we will describe risk management processes that can be universally applied, but
illustrate environments with examples of typical organisations. In any practical situation, standard risk
management processes are tailored to fit the objectives, structure and people of the organisation
concerned.

Be aware
Organisations do not attempt to manage all the risks they face. Risk assessment and ranking processes identify
those risks deemed to be important. Important risks would include those that threaten achievement of organisation
objectives, those threatening continuity of business, health and safety risks and threats to reputation. Compliance
with relevant legislation and regulations will be particularly important to certain types of business.

Risk management activities cost money, an investment that all organisations will want to justify. What is
the return on that investment? What benefits is the organisation expecting? Any practical risk
management function must be set up and run with these questions continually in mind. In addition, risk
managers must expect financial considerations to curtail their resources and ambitions. Non-operational
(overhead) budgets are hard fought annual battles, only to be won by demonstrating measurable
achievement of objectives and good value for money.
Parallels can be found in the pharmaceuticals industry. Pills and medicines are designed to prevent
causes, mitigate effects or break a link in the cause, event and effect chain. Illnesses deemed to be
important get priority, and cost and effectiveness generate continual debate.

B Benefits of risk management


Risk management recognises and deals with threats to an organisation or person. Potential weaknesses
are explored to assess the likelihood that threats will meet weaknesses, causing damage or preventing
business objectives being achieved. Steps can then be taken to minimise undesirable effects.
However, risk management is also concerned with opportunity. Risk arises as much from the possibility
that opportunities will not be realised as it does from the possibility that threat will materialise or that
mistakes will be made.
In theory, if we can measure the magnitude of a risk by evaluating and measuring its consequences,
then we can balance that risk against any possible reward gained from allowing the risk to continue.
Sometimes risks are taken deliberately to achieve potential reward, but sometimes the reward is merely
in reducing or removing risk, saving time or money that would be spent if that risk materialised.
Risk management offers a range of benefits, always reducing potential future costs and sometimes
saving organisations from otherwise inevitable closure. In depth structured analysis of an organisation
to uncover weaknesses provides valuable information that can be used to improve management and
processes and avoid unpleasant surprises when changes are being made.

Consider this…
Can we calculate a value for the rewards risk management offers? Do the benefits outweigh the cost of hiring
professional risk management expertise?

There are difficulties balancing risk and reward. One difficulty, as we saw in chapter 1, is that each
person or organisation has their own perception of the value of a particular reward and makes their own
assessment of the effect of misfortune. Different people, different cultures and different types of
organisation have dramatically varying views on the level of risk that they will tolerate. Depending on
their background they would have very different views, for example, on the amounts of money they feel
could comfortably be placed at risk or the level of physical danger they could accept.
Decisions made by senior managers have an impact throughout an organisation. One strategic decision
can give rise to a wide range of risks at different levels of seniority and authority. For these reasons,
large public companies and regulated organisations have legal responsibilities to demonstrate they
have adequate risk management in place. Risk management is recognised as a vital and essential part of
top management control.
A vivid example of the potential effect of management decisions has been seen recently in the banking
industry. A strategic decision to offer substantial rewards for results measured over a short-term period
has been shown to have influenced operational decisions that in turn led to severe and sometimes
catastrophic problems.
The benefits and value of risk management should be felt at all levels and within all functions of an
organisation. To summarise, potential benefits include:
• compliance with legislation and regulation;
• improved corporate governance (top management control);
• understanding (and therefore avoiding or reducing) operational risk;
• understanding risks associated with opportunities (and therefore better choices);
• improvements in both internal and external risk reports and communications (increase in stakeholder
satisfaction and possible decrease in cost of borrowing);
• avoidance of disasters;
• reduction in frequency of incidents;
• reduced cost of incidents;
• reduced insurance costs;
• increased likelihood of meeting organisation objectives;
• preservation of reputation;
• improved health and safety; and
• quicker recovery from emergencies.
Risk management activities should include the measurement of benefits, if possible in financial terms,
to justify the use of resources and budgets.

C Risk and organisational objectives


We know that all organisations have a range of objectives, some more crucial than others. The objectives
of a modern organisation are sometimes informal but most often are defined in a formal and
documented strategic plan. Larger organisations need some formal focus to communicate common
objectives to their employees and to form the basis of later assessment to measure if those objectives
are being attained.
The information within these plans, whether formally documented or informal, is shared with their
various stakeholders and other people with an interest in the organisation’s performance. These might
be shareholders, employees, customers, suppliers, bankers, trade unions or relevant government
departments. Neighbours might also have an interest and other specialist concerns, depending on the
nature and business of the organisation.

Figure 2.1: The organisation as a nexus of contracts
The organisation sits at the centre, surrounded by its internal and external environments. Parties shown: regulators, creditors, the media, employees, suppliers, investors/shareholders, directors, rating agencies, general public, business partners, customers/distributors.

Figure 2.1 illustrates the multiple relationships an organisation might have with other parties – some
directly affect internal concerns and others influence decisions from the outside. The links can be
regarded as contracts, requiring the organisation to satisfy the expectations of the various stakeholders,
whether the contracts are formally documented or not. Section C1 explores these relationships with
stakeholders further.
A stakeholder is defined as any individual, group or organisation that can affect, be affected by, or
perceive itself to be affected by, a risk.
Having set out their objectives, organisations will develop strategies and plans to demonstrate those
objectives can be met. Although strategic plans should not be adopted without considering the range of
risks involved, published plans will, typically, indicate only some of the risks assessed. This is because
an organisation will not want to highlight its perceived weaknesses. It will attempt to limit public
discussion to well known or previously documented concerns and usually only broad categories of risk
will be mentioned. The organisation will maintain a far more detailed risk assessment document on a
highly confidential basis.

In pursuing their objectives, organisations will have a range of dependencies; these could be other
organisations, resources or markets they rely on. Continuation of some of those dependencies will be
crucial to avoid losses, weaknesses emerging, and in some cases, survival of the organisation.

Traditional dependencies are changing as modern business models have emerged over the last
decade or so. There have been dramatic changes in the way that businesses have organised themselves
as they take up opportunities that are now available to them. This can be seen in particular in the
development of new technologies that have enabled faster and more direct business-to-customer and
business-to-business communications.
Organisations are becoming more globally oriented and increasingly look to outsourcing to squeeze
costs out of supply and distribution chains. Some modern organisations are no more than an
entrepreneurial shell, holding intellectual assets and perhaps owning a brand, with all supply and
distribution contracted to others. Note that in this type of organisation it is crucial to be clear whether
risks inherent in the outsourced operation have been transferred or retained.
Modern businesses tend to be leaner than their traditional counterparts, offering less margin for error. In
many cases their ability to absorb surprises has largely evaporated, so the understanding of risks and
their management is critical.
Risks are anything with the potential to threaten the operations, assets and other responsibilities of an
organisation. If following a failure or other unplanned incident an organisation cannot deliver the
promises it has formally made, it can be damaged in many different ways. The damage can be extensive
even if the organisation can still deliver its goods and services, but does not continue to meet the
contracted, or implied, quality standards.
When producing a strategic plan the directors of an organisation will normally consider risks such as:
• market factors and trends;
• potential competition moves;
• possible technological change; and
• developing the needs of the customers they serve.
Also they have to acknowledge the aspirations of other stakeholders. In some cases the greatest risks to
the achievement of a business plan will be from outside influence. Governments can take over
businesses, introduce regulatory legislation, impose financial controls and change taxation
requirements. Pressure groups can influence reputation. It is important that risks from all stakeholder
activities are taken into account; for example, employees can resist change, particularly where working
conditions or job security are involved.

C1 Risks from stakeholders


Let us look at some of the stakeholders and the types of risk that might arise from their interests.

C1A Employees
Creating the right working environment is a primary aim of many organisations, particularly those that
need to foster creative talent. Anything that might make employees dissatisfied must be viewed as a risk
that threatens efficient operation and achievement of objectives. Organisations may depend very heavily
on key management or specialist staff and many take out insurance to mitigate the effects of key people
leaving or suffering ill health.
The behaviour of employees will not always be aligned with organisation objectives. Risks of fraud and
general negligence must be considered and precautions taken against wilful damage being caused by
disgruntled staff.

C1B Suppliers
Organisations and their suppliers are interdependent. Each must have confidence that the other party
will perform. Good quality, on-time deliveries are required from the supplier and dependable payments
from the organisation.
Exactly where the risk lies in respect of perceived defaults will depend on the wording of the legal
agreement between the two. Organisations must not assume that risk is automatically subcontracted
with a task.

Particular risks arise in supply chains where goods and services need to be competitively priced.
Sub-contractors may be tempted to cut costs through poor working conditions, paying little attention to
health and safety and, in some cases, exploitation of their workforce. Long hours, low pay, child labour,
slave labour and exploitation of immigrants have all been reported, particularly in overseas locations.

The Modern Slavery Act 2015 makes large organisations legally responsible for ensuring that slavery or
human trafficking are not taking place in their organisation or any of their supply chains. They are
required to produce a slavery statement each financial year, describing their business and supply
chains, and setting out the steps they have taken to ensure compliance with the Act.

C1C Customers and other recipients of service


Most business customers will move to other organisations if they lose confidence in either delivery or
quality. Sales teams will find it increasingly difficult to find new customers. Non-commercial
organisations, such as public service organisations or charities, will face difficult relationships with their
service recipients should confidence be lost.
Failure to deliver contracted services on time with sufficient quality can lead to litigation for damages or
restitution. An organisation also retains legal responsibilities in addition to those specifically mentioned
in a supply contract.

C1D Distributors
Distributors are in effect wholesale customers. Therefore, all the comments about customers apply.
Some distributors depend on few or even one source of supply (e.g. a distributor of new motor vehicles).
Failure of that one source of supply could damage that distributor in many different ways. It can even
cause the distributor to fail altogether if an adequate replacement supplier is not found soon enough.

C1E Regulators
There are various regulators which, in many different ways, will take a continuing interest in an
organisation. Failure to satisfy the statutory and other requirements of these regulators can result in
them imposing substantial fines, restricting business or closing down a business altogether. Adverse
regulator comment will invariably damage reputation.

C1F The media


The media has many forms including local and national newspapers, television and radio, popular and
professional magazines and, increasingly, the internet.
We can view the media as wholesale distributors of the reputation of an organisation and its officials. If
a publication is negative about an organisation much damage can be done. This is so whether the story
reflects the truth, only part of the truth, or even is factually incorrect.

C1G Private investors


Private, monetary investors can range from family, partners, employees, associated companies and other
investors in an organisation. Often they can be more exposed to devastating loss than stock market
investors who have more opportunity to spread their investments, and therefore risk, across different
companies and markets.
There are also ‘investors’ who have a non-monetary stake in the organisation. They stake their
professional and personal reputations alongside that of the organisation. They too can suffer loss
alongside any damage to the organisation itself. They can find it a very long and difficult process to
rebuild this type of asset.

C1H Banking industry


Banking and investor finance companies will maintain an interest in the fortunes of those organisations
to which they have provided money. If that money is perceived to be at greater risk due to an unexpected
downturn in the strength of an organisation, the cost of borrowing can increase significantly.
If financiers believe there is sufficient cause for concern, they may demand that assets that are security
for loans be sold immediately and loans repaid. The lender can have that power under the terms of the
loan or mortgage agreement. Primarily the decision when to sell mortgaged assets will be based on the
interests of the financier and not necessarily the longer-term interests of the organisation and its other
stakeholders.

C1I Quoted shareholders


Quoted shareholders come to an organisation through stock markets in various forms. Usually the
investor has many choices beyond the subject organisation and can switch funds rapidly. In addition,
stock market sentiment has many other influences beyond the success of an individual quoted
organisation and thus its behaviour becomes a risk in itself.
Falling stock values can increase the cost of borrowing capital. If lenders perceive that the relationship
between total borrowings and the net value of the company is narrowing they can demand higher
interest rates and security.

Single points of influence can affect shares widely. These influences include credit rating agencies, such
as Standard & Poor’s and investment analysts employed by larger brokers and merchant banks.

C1J Business partners


Organisations and individuals often share objectives and responsibilities. This sharing is mostly defined
by contract defining what those objectives and responsibilities are. Often there is a sharing of brand
values and reputation, and situations are created where each depends on the other to meet its own
responsibilities and needs. Failure of one can be destructive to the other; hence there are important
stakeholdings in the quality and delivery of the other organisation or organisations. Franchises and
jointly owned organisations are common examples of interdependent business partners.

C1K The environment


Increasingly there is public and statutory interest in the quality of the environment. You will know this is
a very wide subject not only covering pollution of the physical environment, but everything from
renewable sources of material, waste disposal, energy and water conservation, waveband utilisation and
fair trade issues. Organisations violating environmental legislation risk heavy penalties and fines.
Rules apply to restrict proliferation of dangerous articles and substances, to protect children, and to
discourage potentially addictive activities like smoking, drinking and gambling. Specific regulations
govern imports and exports and general movement of goods likely to be of use to terrorist activities.
Organisations may need to consider their vulnerability to fraud, money laundering and insider dealing as
well as corporate manslaughter and other potentially criminal acts.

C1L Others
Individual organisations may have their own different stakeholder pressures. One example would be a
political organisation with its own dependencies to protect. Another example of responsibilities to
others can be to industry pressure groups, or alternatively, industry associations.
Competitors too are a form of stakeholder. If an organisation is weakened by an unexpected event there
may be a whole range of competitors who will see the incident as an opportunity for themselves.
An unplanned, damaging incident can affect, to a varying degree, the ability of an organisation to deliver
on its promises to any one of these stakeholders. The severity of that failure will of course vary, incident
by incident, organisation by organisation and stakeholder by stakeholder. The impact can range from a
level that is acceptable right through to damage that is irreparable in time for the organisation to survive
at all.

C2 Protection against damage or loss


As well as failing to uphold the various interests of its stakeholders, an organisation can be damaged in
many other ways. Put another way, this means an organisation has to consider continually the values
and responsibilities that it needs to keep safe from damage and loss.
In brief, the needs to be considered are as follows:
• Safety of people.
• Safety of assets.
• Revenue and cash flows.
• Legal obligations.
• Delivery of promised goods and services.
By way of further explanation we will look at this list in more detail and begin to show the extent of the
needs and the exposures that lie within these headings.

C2A Safety of people


Organisations need to ensure that they look after the needs of their employees. They need to ensure that
they provide employees with a safe working environment and provide them with the necessary resources
they need to carry out their duties effectively.
In relation to its people an organisation needs:
• a safe environment that protects employees and visitors from accidents and crime. This can be
crime that may be perpetrated by third parties or by colleagues;
• a safe environment that protects employees and visitors from illnesses, for example, passive
smoking, stress, bullying, diseases, pandemics or other disease transmissions, repetitive strain
injury, radiation hazards and others; and
• skilled human resources to continue to be available whether in individuals or teams.

C2B Safety of assets


Balance sheet assets must be protected. There are money, buildings, equipment, vehicles and other
assets embraced in balance sheet figures. Included must be assets that are held in trust on behalf of
others.
‘Off balance sheet’ assets must also be protected. These are valuable items that are not always included
in balance sheet figures. Here are some examples:
• Intellectual assets are assets that are information rather than hard material things. This not only
includes information that is documented but the information and knowledge that lies accumulated
within a trained and experienced workforce and is crucial to the product or service delivery.
Intellectual assets embrace such things as licences, enabling software, patents, contracts,
relationships with workforces and others, audit trails, research outputs, credit ratings, recipes and
current work.
• The reputation of, and confidence in, the organisation. Even a non-profit-making organisation can
have an equally important dependency on the value of its ‘brand’ or reputation to maintain good and
efficient working relationships with its service users.
• The network of critical suppliers, the relationships and the contracts.
• The distribution system and its relationships and contracts.
• Customer base.

C2C Revenue and cash flows


Organisations depend on timely cash and revenue flows. Although legal definitions leave room for some
negotiation, an organisation is basically in breach of insolvency law if it continues trading when it is
unable to pay its debts as they fall due. Protection takes the form of efficient financial and credit
controls.

C2D Legal obligations


It is important that organisations are aware of the legal obligations they have and take steps to ensure
they are complying with all relevant laws and regulations. Organisations need to be aware of these
issues if they are to avoid having to deal with litigation issues and court cases.

An organisation has a number of legal obligations, which may involve issues such as:
• regulatory and licence approvals;
• contractual liabilities;
• environmental responsibilities;
• fines and penalties emerging from criminal law;
• expenses arising from litigation by employees and third parties; and
• other statutory responsibilities.

C2E Delivery of promised goods and services


We saw that the main operational objective of an organisation is its ability to deliver the services and
goods it has promised. Clearly any organisation has a responsibility to deliver what it has contracted to
do, both on time and to a high standard.
Defects in product quality can be extremely costly. A well known example is the 2009–10 Toyota recall of
millions of vehicles for free repair because of a single quality problem giving rise to customer safety
concerns. Product defects affecting people’s health and safety are invariably costly. Further high profile
examples abound in the aircraft and aerospace industries and in medical organisations such as
hospitals and drug manufacturers. Note that the cost of a problem does not stop when a defect has been
remedied. Damage to the reputation of the organisation has occurred and this in turn may damage future
business plans.
Consider now the aftermath of a serious incident. Particular efforts will be needed to deliver those goods
and services that are due in the first few hours and days after a risk incident has occurred. This
responsibility needs to be met while recovery is still taking place and is part of continuity planning.
The urgency to recover services varies dramatically with different kinds of businesses. An organisation
dealing with its customers via e-commerce may have raised expectations to the point that their failure to
continue service delivery can become business critical within minutes. A nuclear power plant will
concentrate on safely shutting down, as other power sources are available to its customers.
An organisation has to be able to retain securely all that is needed to continue to sell its products or
services and continue to feed the order book for the future. Continuing confidence and trust is one key
element, as is the ability to price on tenders.

C3 New and emerging risks


Consider this…
What risks might organisations face due to social media?

One of the challenges of risk exposure is the identification of new types of risk. Risks do not stay
constant with time. The impact of present risks might alter as circumstances change, and new risks and
types of risk continually emerge. This is inevitable as knowledge expands, technology advances, social
and legal systems alter and human behaviours change.
There are a number of risks prevalent today that would not have been recognised, say, 100 years ago.
Examples could include the following:
• new health risks, such as AIDS, MRSA and BSE/mad cow disease;
• increased risk and changing methods of terrorism;
• technology risks, such as cyber crime, identity theft and drone activity;
• effects of high density electromagnetic fields, solar flares and global warming; and
• developments in genetic engineering and stem cell research.

Other ‘new’ risks may actually be old ones, but changes in cultures and attitudes cause them to receive
serious attention. A prime example is the risk of environmental damage. Organisations have damaged
the environment for thousands of years, but now, backed by legislation, we are demanding that
environmental damage must cease. Not only must they avoid causing new damage, organisations can be
made responsible for the pollution of past generations.
Fortunately, new risks do not often suddenly appear, and if they do take us by surprise it is usually first
an isolated, though maybe serious, incident in a particular location. Developments in science,
technology, medicine and similar knowledge based disciplines are normally forecast well in advance,
and potential risks are discussed alongside potential benefits. Nevertheless, it is not always easy to
forecast the effects of some new process or development, particularly when someone launches an
application for which the original development was never envisaged.
Similarly, changes in social structures and behaviours take root over time. Government agencies monitor
political and social behavioural changes in countries all over the world and issue risk information and
warnings in the media and on their websites as appropriate.
If we define emerging risks as those that have not yet occurred but are at an early stage of being known,
then many new risks can emerge in the course of major projects.
Examples of major projects include:
• building a nuclear facility;
• designing and commissioning a new hospital complex;
• developing a new pharmaceutical product;
• installing a new deep sea oil drilling platform;
• developing a supersonic airliner; or
• planning a manned space mission to Mars.
People engaged in major projects look for new and emerging risks as part of their risk management
process and engage with others in similar situations through various professional bodies and seminars.

C3A Global and political risks


Risks with an international dimension have particular challenges, as not only have the risks changed,
but also the legal systems, culture and language. New risks will become apparent and the frequency and
impact of others may be different.

In each country of operation, local legal and compliance requirements will have a real bearing on
working conditions and liability exposures, as will the practical risk environment of health and hygiene,
crime patterns, terrorism, safety standards, travel risks and the risk of natural disasters such as
hurricanes and earthquakes. In some countries, political instability may lead to sudden regime changes
and the breakdown of conventional trading conditions. There may also be religious or racial concerns to
consider and morality issues such as fair wages and corruption.
Other risks can arise from extended internal processes. Lack of management control and ineffective
administration can bankrupt even large companies if policies and procedures designed in head office
are not implemented abroad. Threats arise from distant managers signing poor contracts, not managing
cash flow and not controlling product quality. On top of this are very serious threats of fraud and
embezzlement or just personal incompetence going undetected.
Part of the risk management task is to evaluate the security of processes, procedures and internal
controls, and these must withstand translation into different languages and cultures. What one group of
people accept may be totally alien to another, leading to different interpretations and misinformation
arriving at head office. Properly designed IT systems may help, but can also be a threat if the
implications of the information they carry are not properly understood. Audit committees can mitigate
internal system risk, but large organisations must recognise the difficulties of controlling distant
operations.
Global and political risks are of particular concern. Events and trends that have potential global impact
are known as global risks. They can affect both organisations with international operations and ‘home’
organisations with international suppliers or markets. We can divide them into six general categories:
• Global economic risks are financial issues that affect particular market sectors or global trading
environments. Examples would include oil price fluctuations, reduction in Chinese economic growth or
the world banking crisis. Attempted management of economic risks causes governments to alter their
fiscal policies, organisations to reassess markets and price structures and consumers to alter their
spending patterns.
• Global environmental risks can be natural phenomena, weather related or the consequence of
man-made activity. Large earthquakes not only destroy physical assets, they can have economic
implications that last for many years. Weather-related examples might be hurricanes and tsunamis,
widespread drought or floods, or significant climate change destroying national tourist industries.
Man-made global environmental risks would include air pollution and biodiversity loss. Environmental
risks threaten assets and employees, and may disrupt vital services or supplies.
• Global social risks arise from the ease with which people and ideas move around the world.
Worldwide television, telephone, radio and internet coverage allow instantaneous discussion of ideas
and thus movement of cultures, expectations and standards. Mass travel facilitates transmission of
diseases and migration of underprivileged populations. Organisations may be affected by local
government regulations attempting to mitigate various social risks, perhaps imposing penalties or
censorship.
• Global technology risk would describe events such as internet or satellite failure leading to the
breakdown of commercial distribution and customer service facilities. Related technology risks would
be data fraud or data loss on a global scale. Other technological risks may arise from new
developments or a better understanding of current developments. Examples could be electromagnetic
field effects attributed to extensive use of mobile phones, toxicity of nanoparticle devices or genetic
engineering mutations. Materialisation of technology risk is often followed by changes in regulations.
• Geopolitical risks arise when several nations disagree causing tension and the risk of armed conflict,
or where a particular nation’s philosophy and behaviour is seen as a general threat to others. An
example would be Middle East discontent centred on Israel–Palestine arguments. International
terrorist activity would also come under this heading, as would unilateral decisions to develop atomic
weapons and transnational crime and corruption. Management of geopolitical risks is normally
addressed by diplomacy, perhaps reinforced by threats of economic or physical intervention. Use of
either of these sanctions would affect any organisations with operations in the areas concerned.
Perceived terrorist risk can drastically affect local economic behaviour.
• Political risks can be defined as risks that stem from political activity by governments, but are not
likely to provoke widespread immediate and united opposition. This definition is not universal, and
you will find many references to political risk that include what we have called geopolitical risk.
Political risks arise mainly from economic or social decisions. Sometimes the effects are local,
sometimes repercussions are felt in particular activities or business sectors around the world. Often,
political decisions that may affect an organisation are made in response to another global risk.

Governments can make decisions that have far-reaching consequences. They can interfere with basic
market forces of supply and demand, seize assets, raise or lower taxes, tackle crime and control major
project spending. Another example would be political use of dominant supply situations, such as gas
flow from Russia to Europe, or of strategic facilities such as the Suez Canal. Only governments can
mitigate basic risks such as forecast shortages of food, energy supplies or water.
Each government will eventually reach its own conclusions, pass its own laws and change its own
regulations. Decisions will be influenced by political pressure from major economies and other
influential stakeholders. Inevitably, different detailed decisions will be made as different nations assess
their own vulnerabilities. Organisations operating on a global basis must take account of international
and national politics, determine what threats might be serious and consider what response they
will make.

C3B Technology and cyber risk


Since computing techniques were first used in business applications in the 1950s and 60s, computers
and similar devices have become both small and cheap enough to find their way into nearly every
business and domestic machine sold today. Advances in programming and communication techniques
have ensured that almost any application can be developed on a worldwide basis. Developments in
storage and retrieval, display construction and international standards cooperation combined with
significant investment in infrastructure technology, such as satellites, broadband and the World Wide
Web, have resulted in unprecedented growth of new technology devices and applications, with new
hardware and software products emerging daily.
Computers are now integral to delivery of goods and services. Some organisations have developed by
using new technology to make traditional operations more productive or reliable, then linking
applications to improve management control. Others have built new organisation structures and
products specifically to take advantage of innovative technology and so gain a competitive edge.

Technology is a source of competitive advantage.
Opportunities and expectations
The internet has transformed people’s expectations. People take powerful search engines for granted,
and expect questions to be answered rapidly, without fuss. Organisations expect instant access to
customer information and customers expect instant access to product and service information. Personal
computers are commonplace in homes and increasingly powerful mobile devices allow most computing
functions to be accessed while travelling. People can now function 24 hours a day and are expecting
organisations to do the same.
New technology devices offer exciting opportunities for organisations and often allow them to provide
products and services that would have been thought impossible only a few years ago. However, benefits
can’t be achieved without considerable planning and organisation. New technology carries its own
threats as well as opportunities, and inherent risks must be carefully assessed.
Data concentration
The most obvious risk is in concentrating information in a central computer system with a common
communications system servicing both internal and customer-facing staff. This risk creates a single
point of failure, where previously information was widely dispersed. The more an organisation depends
on this information, the more vital is its security against physical hazards to common equipment and
electronic intrusion.
Recent marketing of ‘the cloud’ underlines data concentration issues. It is advertised as a place to store
programs and data instead of investing in and maintaining your own data storage or backup facility.
However, it is simply a computer complex with vast amounts of data storage operated by third parties,
about which the average customer knows nothing. Customers have no control over security
arrangements and legal aspects of data usage and ownership are not fully resolved.
This concentration of data can also result in communication problems. For example, loss of
communication with a call centre could deprive an organisation of its customer information, which could
be vital for airlines or mail order firms. Similarly, media organisations may depend on satellite links to
transmit international news and television programmes.
Such concentrated risk and raised expectations on the part of customers mean technology infrastructure
and associated communications have become of major interest for risk professionals. The ‘technology
service chain’ leads not only through the data, central hardware, software and communications, but right
through to the ability of the end user to gain access and the system to deliver trusted products and
services as required.

Human intervention
Computers are reliable and follow their programmed instructions faithfully. They are not subject to
fatigue, error or distraction like human workers and can be relied on to perform repetitive tasks with
consistent accuracy. However, when processing data fed in by humans or using human input to decide
which programs to run, they are again subject to human imperfection, which will affect the results they
produce. Often, computers will be programmed to deliberately restrict human input choices to improve
output integrity. Another technique used is to record all human interventions to provide an audit trail, or
in some applications to allow programs to rewind to a previous state.
Cyber crime
Computers connected to the internet can be threatened by any malicious individual anywhere in the
world, an opportunity for criminals that has been labelled cyber crime.
Cyber crime works by sending malicious program instructions over a network to interfere with (hack into)
connected computers. The intention is typically to gain access to data or to divert communications
between devices on the network. Criminals can profit from access to commercially or politically sensitive
information or they might seek to detect useful passwords or divert internet payments to a dummy
website. Terrorists or others may simply want to prevent other computers working, or to cause them to
send destructive commands.
Cyber crime is widespread and cannot be ignored. Most medium and large businesses will have suffered
a malicious IT security incident during the past twelve months. The May 2017 WannaCry incident is a
prime example. Malicious code spread over the internet, capturing and encrypting data and demanding
ransom to restore it. Over 200,000 computers in 150 countries were infected, including some in NHS
hospitals in England and Scotland, causing medical services to be disrupted or cancelled.

First-line defences include using the latest operating systems, installing security software from a
reputable source, making sure available security-related software updates are installed, and possibly
encrypting data streams. Additional design precautions, including duplication and perhaps private data
networks, will be needed in critical applications where malfunctions could have serious repercussions.
Staff training is also essential as malicious software is often sent as attachments to seemingly harmless
messages or emails.

Consider this…
WannaCry was a worldwide cyber attack on computers running Microsoft Windows operating systems. It exploited a
weakness in older versions that allowed malicious software to access data in computers connected to the internet.
The software detected and encrypted data files and left a screen message offering to restore the data on payment of
about $300 in electronic currency (Bitcoins). Russia, Ukraine, India and Taiwan suffered most with high-profile
public service disruptions. Worldwide losses were estimated in hundreds of millions of dollars. UK NHS hospitals were
affected, including computers, MRI scanners and blood storage refrigerators. Most of the damage occurred on the
launch date of 17 May 2017 as, fortunately, a security expert shortly afterwards found a way to stop its rapid
spread. Although it is known that over US$130,000 ransom was paid, there are no reports of any data being
restored by the perpetrators.
Subsequent investigations confirmed that Microsoft had discovered the vulnerability and issued a security bulletin on
14 March 2017 with patches for all supported Windows systems. Two months later some users had not installed the
patches, and some were still running unsupported Windows versions. After the incident Microsoft made patches
available for all Windows versions. WannaCry triggered a political argument when it was discovered that the US
National Security Agency (NSA) had known about the loophole for some time, but chose to use it for its own cyber
activities rather than report it to Microsoft.
What reasons might people have for not taking advantage of available cyber security measures? How could risk
management help?

In summary, new technology offers unlimited opportunities in terms of flexible operation and
application, speed of data sorting and distribution, and worldwide connectivity through the internet and
mobile phone networks. The downside is the need for increased physical security and protection from
human interference. Whether a large computer data processing complex or a consumer device such as a
tablet or mobile phone, equipment needs physical security protection from usual asset hazards such as
damage, fire and theft, and some means of protecting data, either by backup or alternative source.
Software must be protected from both careless and malicious human activity at source, in design and
testing procedures, and in operation from misuse or cyber crime.

C3C Terrorist risk


One class of emerging risk deserving special mention is the worldwide increase in terrorist activity. Much
of this is geopolitical. As extremist groups are defeated in conventional warfare in the Middle East, their
leaders actively promote terrorist activity in countries perceived to support their enemies.
Nowadays, organisations involved in staging or controlling events which draw large numbers of people
need to consider the terrorism risk. Similarly, landmark buildings, critical infrastructure, public transport,
defence activities and VIP visits are all potential targets. Obviously, individual organisations cannot
duplicate government counter-terrorism activities but they can take precautions such as controlling
access, searching bags and running awareness campaigns. Organisations must consider ‘what if?’
scenarios and prepare staff to take appropriate action should a terrorist attack occur.
The world’s attitude to terrorism changed on 11 September 2001 when 19 Islamist Al-Qaeda terrorists
hijacked four passenger planes in the USA. Two were flown into the twin towers of the World Trade
Center in New York, both of which collapsed with considerable surrounding damage. One flew into the
west side of the Pentagon building in Virginia. The fourth headed to Washington, but crashed in
Pennsylvania after a struggle with passengers. The attacks killed 2,996 people and over 6,000 were
injured. Infrastructure and property damage was estimated to be over US$10bn.
The immediate response was a US declaration of war on terror and despatch of troops to Afghanistan to
depose the Taliban organisation, which had harboured Al-Qaeda. The leader of Al-Qaeda, Osama Bin
Laden, was hunted down and eventually killed by US troops in May 2011. Security at all major airports
was significantly increased. Al-Qaeda said the attack was retribution for US support of Israel, the
presence of US troops in Saudi Arabia and US sanctions against Iraq.

Consider this…
On 22 May 2017 a suicide bomber detonated a homemade device in the foyer of Manchester Arena as people were
leaving after an Ariana Grande concert. Twenty-three people were killed, including the attacker, and 250 people
sustained injuries of varying degrees. The bomber was a 22-year-old British Sunni Muslim from a Libyan family. It is
thought he acted largely alone, although others were aware of his plans. The bomber was known to the police,
though only in the context of petty crime. Later, it was established he had links to ISIS in Libya who claimed he was
one of their ‘soldiers’. Hate crimes against Muslims in Manchester rose 500% in the months following the attack.
On 17 August 2017, a 22-year-old man drove a van into pedestrians in the Las Ramblas area of Barcelona. The van
deliberately zig-zagged from side to side for about 550 metres, killing 14 people and injuring more than 130. The
driver escaped on foot, then hijacked a car, stabbing the car driver to death in the process.
Imagine you had been in charge of Manchester Arena or were the mayor of Barcelona, could you have employed any
risk management techniques to achieve a better outcome?

Risk professionals need both knowledge and imagination to identify emerging risks. Anything that
encourages discussion should increase the chances of identifying possible new risks, and comparison
across disciplines might help to broaden thinking. Away from major projects, risk professionals could
use similar brainstorming techniques within their own organisations. Other useful information can be
found in professional magazines, news articles and through websites.

Be aware
It is important that risk professionals keep up-to-date with current developments, proposals for changes in their local
environment, information about other stakeholders and their expectations, new legislation and regulations,
professional best practice guidelines and current affairs. Risk professionals also need to be supported internally by
other staff. If their function is known and appreciated, then appropriate information will be passed to them routinely.
This will reduce the chance of new risks being missed.

D The risk management process


In chapter 1 we discussed the concept of risk. We will always have a reason why we took a risk, even if it
may not be a sensible one. When the outcome is positive we think that was a risk worth taking. When
things go wrong we think of it as an ill-considered risk to take.
Organisations try to make sure they make the right decisions concerning risks they need to address.
Small organisations may consider risks informally as they are identified, but larger organisations usually
set up a formal risk management process. The process has various stages where results from each stage
feed into the next. Decisions made on how to treat risks will be subject to subsequent monitoring and
review, and the whole process is dynamic and continuous.

Figure 2.2: Risk management process

Establish the context → Identify risks → Analyse risks → Evaluate risks → Treat risks

Running alongside every stage: Communicate; Monitor and review

An organisation must discuss and decide what sort of risks it is willing to take in pursuit of its objectives
and what magnitude of those risks it can tolerate. The objective of risk management is then to reduce all
risks to a level that has been formally confirmed as being acceptable.
Good risk management will avoid unpleasant surprises by recognising and managing risk before
unexpected damage occurs. It should also examine business opportunities that lie in carefully
understood risk taking. This second element is often neglected, but can be one of the most important
rewards from investment in professional risk management.
Let us look at the diagram in a bit more detail:
• Establish the context. Obviously it is necessary to start with a clear understanding of the objectives,
structure and culture of an organisation before proceeding to identify risks. This process results in the
development of a risk management philosophy on which all future risk management decisions will
depend. In large organisations this philosophy will be defined and reflected in a formal risk policy
document issued for the guidance of staff.
• Identify risks. Understand what threats there are. What might make it more difficult to achieve stated
objectives, or indeed prevent achieving them altogether?
• Analyse risks. Understand the potential within those threats for damage to the organisation and its
stakeholders. Assess likely frequency of risk damage from each of those threats:
– Could it happen?
– How bad would the loss or damage be?
– How often could it happen?
• Evaluate risks. Decide what risk levels – both single and cumulative – are acceptable; and thereby
identify those risks that are at a level or frequency that are unacceptable to the organisation.
• Treat risks. Steps must be taken to control or limit the impact of those risks deemed unacceptable.
One or more of the following actions may be appropriate:
– reduce likelihood and/or frequency;
– reduce impact, whether it is human, operational or financial;
– transfer the risk to another organisation;
– prepare for the incident by continuity planning.

Ongoing activities at all stages of the risk management process include the following:
• Monitor and review. Update and maintain the agreed risk levels, risk analysis and evaluation as the
organisation evolves and changes. Procedures for detecting changes that might alter risk assessments
must be in place and the effectiveness of these procedures must be in constant review. Changes in
and around the organisation must be monitored for new and emerging risks. Note that risk
management processes are an essential ingredient of effective quality control. Risk management
procedures are assessed for quality and quality control procedures assessed for risk.
• Communicate. Information on risk and risk changes is vital for a wide range of planning, investment
and management activities. Make a list of all the people that would like to know the risks an
organisation is facing. Many will not be officers or employees. Some will be competitors or people in a
position to affect the organisation’s reputation. Communication of risk information must be properly
organised and effectively controlled.
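The analyse, evaluate and treat stages above can be followed through on a small risk register. The Python below is an added illustration, not part of the study text: each risk is rated on an assumed 1 to 5 likelihood and impact scale, compared with board-confirmed tolerances both singly and cumulatively per objective, and re-evaluated once a treatment and its expected residual rating are recorded. The register entries and tolerance values are constructed for the example.

```python
"""Analyse, evaluate and treat stages worked on a constructed risk register.
The 1..5 scale, the tolerances and the register entries are illustrative assumptions."""
from dataclasses import dataclass, field, replace
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Treatment(Enum):
    """The four treatment actions the text lists."""
    REDUCE_LIKELIHOOD = "reduce likelihood and/or frequency"
    REDUCE_IMPACT = "reduce impact"
    TRANSFER = "transfer the risk to another organisation"
    CONTINUITY_PLAN = "prepare for the incident by continuity planning"


@dataclass(frozen=True)
class Risk:
    name: str
    objective: str    # the stated objective the threat acts against
    likelihood: int   # how often could it happen: 1 (rare) .. 5 (frequent)
    impact: int       # how bad would it be: 1 (minor) .. 5 (severe)
    treatments: Tuple[Treatment, ...] = ()

    def __post_init__(self) -> None:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be on the 1..5 scale")

    @property
    def score(self) -> int:
        """Analyse: rate each threat as likelihood x impact (1..25)."""
        return self.likelihood * self.impact


@dataclass
class Evaluation:
    unacceptable_single: List[str] = field(default_factory=list)
    unacceptable_cumulative: Dict[str, int] = field(default_factory=dict)

    @property
    def acceptable(self) -> bool:
        return not self.unacceptable_single and not self.unacceptable_cumulative


def evaluate(register: List[Risk], single_max: int, cumulative_max: int) -> Evaluation:
    """Evaluate: compare each rating, and the total per objective, with the
    levels formally confirmed as acceptable. Individually acceptable risks can
    still add up to an unacceptable cumulative exposure, so both are checked."""
    result = Evaluation()
    totals: Dict[str, int] = {}
    for risk in register:
        if risk.score > single_max:
            result.unacceptable_single.append(risk.name)
        totals[risk.objective] = totals.get(risk.objective, 0) + risk.score
    for objective, total in totals.items():
        if total > cumulative_max:
            result.unacceptable_cumulative[objective] = total
    return result


def treat(risk: Risk, action: Treatment, *, likelihood: Optional[int] = None,
          impact: Optional[int] = None) -> Risk:
    """Treat: record an action and the residual rating the analyst expects.
    Reducing likelihood lowers the likelihood rating; reducing impact, transfer
    (e.g. insurance) and continuity planning lower the impact the organisation bears."""
    record = risk.treatments + (action,)
    if action is Treatment.REDUCE_LIKELIHOOD:
        if likelihood is None or likelihood >= risk.likelihood:
            raise ValueError("a likelihood treatment must lower the likelihood rating")
        return replace(risk, likelihood=likelihood, treatments=record)
    if impact is None or impact >= risk.impact:
        raise ValueError("an impact treatment must lower the impact rating")
    return replace(risk, impact=impact, treatments=record)


# Constructed register for an online retailer whose main objective is to deliver orders;
# the board has confirmed 12 as the highest single rating and 20 as the highest total.
SINGLE_MAX, CUMULATIVE_MAX = 12, 20
REGISTER = [
    Risk("Ransomware encrypts the order database", "deliver orders", 3, 5),      # 15
    Risk("Loss of communication with the call centre", "deliver orders", 3, 3),  # 9
    Risk("Insolvency of the sole delivery contractor", "deliver orders", 2, 4),  # 8
    Risk("Late filing of statutory accounts", "comply with the law", 2, 3),      # 6
]


def treated_register() -> List[Risk]:
    """Apply treatments to the unacceptable exposures and return the residual register."""
    ransomware, call_centre, contractor, filing = REGISTER
    return [
        # prompt security updates make infection less frequent; tested offline
        # backups make a successful infection less damaging
        treat(treat(ransomware, Treatment.REDUCE_LIKELIHOOD, likelihood=2),
              Treatment.REDUCE_IMPACT, impact=3),                                # 6
        treat(call_centre, Treatment.CONTINUITY_PLAN, impact=2),                 # 6
        treat(contractor, Treatment.TRANSFER, impact=2),                         # 4
        filing,                                                                   # 6
    ]
```

Evaluating the untreated register flags the ransomware risk on its own and the 'deliver orders' objective cumulatively; after treatment the residual register passes both checks, which is the point at which monitoring and review take over.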

Consider this…
Look back over the risk management process diagram in figure 2.2. Can you now appreciate why the terms
‘communicate’ and ‘monitor and review’ are positioned where they are – running alongside the entire process?

Now we have an understanding of the overall risk management process we can proceed to examine
some of the practical steps that need to be taken to make effective risk management achievable.
Remember that all these tasks are ongoing as changes to an organisation and its environment occur.
Systems and procedures must be able to cope with continual updating and change.

D1 Writing a risk management philosophy or risk management policy statement


In chapter 1 we established that different types and sizes of organisations will take different views on
what constitutes a potentially damaging risk. Furthermore, there would be chaos if every part of one
organisation took its own quite individual view. A clear, organisation-wide, risk management philosophy
enables individual risk work to be done within a framework of long-term objectives and provides an
effective benchmark for local decisions and activity.
The very first step, therefore, is for a view to be taken at the highest level of what does constitute a
threat to the organisation. The highest level of any organisation is the board of directors, which has legal
responsibilities for the welfare of their organisation and its stakeholders. We will examine their role in
risk management in chapter 3. The directors’ statement of risk philosophy may define different levels of
perceived threat, likelihood and impact, each requiring different responses. It needs to be issued
formally and communicated across the organisation as a base point for individual risk work.
The philosophy can also embrace how risk is monitored and reported. This organisation structure is
often described as the risk architecture of an organisation. It specifies the roles and responsibilities of
key people involved, together with the communication and risk reporting structure.
Example 2.1 is a risk management strategy statement included in an annual report to investors by
Barclays. Can you see the advantages of sharing this sort of information with people outside the
company?

Example 2.1
Risk management strategy

Our approach to risk underpins our journey to commercial success.
Top down: setting parameters. Supporting business decisions and growth by setting high standards and
an appropriate risk appetite.
Bottom up: aiding decision making. Continuously evaluating, responding to and monitoring our risks.
The role of Risk is to support the Board in setting commercial appetite and direction; and as a tool in the
businesses for better decision making.
…This section outlines the Group’s strategy for managing risk and how risk culture has been developed to
ensure that there is a set of objectives and practices which are shared across the Group. It provides details
of the Group’s governance, specific information on policies that the Group determines to be of particular
significance in the current operating environment, committee structures and how responsibilities are
assigned.
The Group has clear risk management objectives and a well established strategy to deliver them through
core risk management processes.
At a strategic level, the Group’s risk management objectives are to:
• identify the Group’s significant risks;
• formulate the Group’s risk appetite and ensure that the business profile and plans are consistent with it;
• optimise risk/return decisions by taking them as closely as possible to the business, while establishing
strong and independent review and challenge structures;
• ensure that business growth plans are properly supported by effective risk infrastructure;
• manage the risk profile to ensure that specific financial deliverables remain achievable under a range of
adverse business conditions; and
• help executives improve the control and coordination of risk taking across the business.
Source: Barclays PLC (2015) Annual report 2015. Available at http://bit.ly/1jDQHUP [Downloaded 16 January 2017].

While the above extract refers to a risk management strategy it could quite easily have been headed ‘risk
management philosophy’ or ‘risk management policy’. Such documents will inevitably address different
issues, depending on the nature of an organisation and its approach to risk management. However, it is
likely you would see a reference to some or all of the following:
• Role and objectives of risk management function(s) and associated internal controls – corporate
governance.
• Statement of the organisation’s attitude to risk – the risk strategy.
• Description of risk culture to be cultivated.
• Statement of the organisation’s appetite for risk – decisions on which risks and which levels of impact
can be retained within the organisation.
• Lines of authority and responsibility – the risk architecture.
• How risks are to be identified, measured and prioritised for action – the risk assessment.
• How risks are to be documented for analysis and reporting upwards and through to the board.
• Risk mitigation requirements.
• Methods by which change is monitored within the organisation, thus ensuring that changes that could
have an impact on the risks carried are identified for decision.
• Risk management training topics and priorities.
• Criteria for monitoring and benchmarking performance.
• Allocation of resources, roles and responsibilities.
• Risk activities and priorities for the next period.
Each organisation will have its own philosophy, objectives, strategy, architecture and methods. Each will also have its own budget requirements, determining the extent of resources that can be employed.
Small organisations will not be able to afford an elaborate risk management structure and would be
foolish to attempt to set one up. However, the principles described here are applicable to all
organisations and should be borne in mind even if the risk management policy statement is drastically
simplified.

A risk policy statement may be restricted to strategic objectives and policies or it may go on into detail
about methods and actual levels of risk acceptance. Often this is left for a separate risk manual
document or booklet, which will also record routine operational procedures to be followed.

Increasingly, large commercial organisations are under pressure to publish risk statements in their
annual reports. This adds an extra dimension to risk management information control as organisations
strive to protect commercially sensitive information. Certain documents may have different issues for
internal and external use.

D2 Identify, analyse and evaluate risks


D2A Identifying risks
Risks need to be identified formally. Anecdotes in informal discussions can be dangerous in that they
can miss key exposures. Individual function managers are often best able to understand what threats
they carry.
A process to identify risks requires a structured approach. The debate needs to start with clear
objectives, with a definition of the tasks and contributions from all those that can add to the debate.
There are many tools and techniques that can help to identify risks. Some of these are specific activities
that can be routinely carried out. Others rely on effective communication, systematic documentation and
patient detective investigation. We will explore these tools and techniques in more detail in chapter 4.

D2B Analysing risks


Once risks have been identified as existing we need to analyse them. We need to set out to understand the relevance of those risks to the individual operation, and to the organisation as a whole. Both the likely frequency of a risk incident happening and the potential severity of damage are relevant to these considerations.
Again there are tools to assess various risks and to measure their impact so as to compare exposures.
These tools and techniques are discussed in more detail in chapter 5. They have been developed to help
organisations to make decisions about risk and prioritise risk activity.
The risk management philosophy, as embedded in the risk policy statement, continues to be the
foundation stone on which individual decisions can be made throughout each stage.

D2C Evaluating risks


Once risks are thoroughly understood, we can decide what risk levels, single and cumulative, are
acceptable; and thereby identify those risks that are at a level or frequency that is unacceptable to the
organisation.
Decisions on acceptability must be in line with risk appetite and risk tolerance levels set by senior
management of the organisation. We will look at risk appetite and tolerance in chapter 3, section G. In
large organisations, sufficient guidance information will be given to allow consistent decisions to be
taken at various management levels.

Useful website
www.gov.uk/government/publications/orange-book.

D3 Risk treatment and control


Organisations have a number of choices available when setting out to control an unacceptable risk. They
can retain the risk, reduce the risk down to acceptable levels or transfer the risk to insurers or other
parties. They can also prepare continuity plans that will enable them to manage themselves through an
incident in a way that will avoid unacceptable levels of damage.

D3A Retaining the risk


An organisation may consider that if a particular risk incident occurs, ‘worst case scenario’ damage
would not be sufficient to divert the organisation from its objectives and responsibilities. In addition,
this would not adversely affect stakeholders’ expectations to an unacceptable level. If this is so, a
decision could be made to accept the consequences if a risk incident were to occur.

In large organisations, a group office may formally advise smaller units and subsidiaries that losses that
would be disproportionate to the size of the unit can be carried cost effectively by group office. This
allows the strength of group office to be used as a cost-effective risk measure for the division. Care needs to be taken, however, not to over-expose minority shareholders in such a subsidiary.
When accepting exposures we also need to remember that an incident, say a hurricane, can happen
more than once in any accounting period.

D3B Reducing the risk


Prior to a loss occurring, an organisation has plenty of opportunity to reduce the chance of a risk
incident happening.
Physical controls can include fire protection, health and safety measures, security controls, duplication
offsite of computer data etc. Organisations may choose to move parts of the organisation away from the
rest and thus create two or more independent risks. This can avoid a single point of failure concentration
of risk that would be a much more destructive exposure.
Non-physical controls can include effective staff recruitment and other procedures that remove an
unacceptable concentration of people risks. Some large organisations will have a limit to the number of
board members or key managers travelling in one form of transport. Investors may demand to see
succession planning in an organisation where they see an unacceptable dependency on one senior
executive. Manufacturers can decide that they would never source key ingredients from a single supplier
or country.
Throughout all these measures, employee awareness and training are vital risk tools. As time passes
without incident so risk awareness decreases and also the probability of risk is downgraded. People may
discount risks entirely if past management has been effective and discontinue ongoing precautions. A
public health issue illustrates this point. Do we continue with vaccination programmes once a disease
has been eliminated?

D3C Transferring the risk


Insurance is often the first thought when transferring the risk of financial loss. It is a valuable tool in transferring to another organisation those exposures that cannot safely be managed internally. There are, however, other ways of transferring risk.
An organisation may create and fund a different legal entity, such as a captive insurance company to
carry its risks. Financial instruments such as derivatives can also be used.
Lawyers will use contract wordings to move the consequences of a risk incident from one contracting
party to another. The directors, however, must still be sensitive to the fact that the failure of that
counterparty may still leave unacceptable exposures at their own door. Furthermore, some risks, such as
the safety of their own employees, cannot be transferred.
Business strategies can be used to prevent exposing an organisation to any one loss that is considered
to be unacceptable. The policy may be, for example, to ensure that all borrowings can be made only in
the same currency as its corresponding assets. Thus a currency movement will affect borrowings and
assets equally with no net loss to the organisation.

D4 Continuity planning
Continuity planning is a process where an organisation anticipates an incident and prepares a plan to manage the consequences so that the incident does not threaten the survival of the organisation.
This can be simple but very effective, e.g. backing up computer data frequently and storing the back-up
tapes off-site. Continuity planning can also be sophisticated and expensive. It can include contracts for
stand-by machinery and computers, stand-by suppliers, detailed recovery plans and exercises for staff
involved.
Continuity plans can prepare for a whole range of incidents, such as computer failure, product recalls,
kidnap, terrorism, fire, weather damage, major fraud, aggressive media attention. They set out to
requisition urgently needed resources, ensure effective control of the management of the incident,
organise recovery, and ensure that crucial and urgent functions and credibility are maintained
throughout. Continuity plans will also set out procedures to collect costs and other data necessary for
any insurance recovery claim.

Be aware
When you read risk management literature, similar planning measures may be referred to using terms such as ‘business continuity management’, ‘contingency planning’ or ‘disaster recovery’.

Question 2.1
What are the four ways in which an organisation can transfer risk to another party?

D5 Updating and communication


Organisations do not stand still and neither do the environments they operate in. Consequently, all our
risk management processes must recognise and plan for change. In practice this means identifying and
adopting procedures for regularly updating information and reviewing assessments and
recommendations.
Not all changes will be significant of course, but those that are must be identified and their significance
evaluated. Rules must be formulated so that important changes trigger an immediate review of those
parts of the risk management plans that are affected, while other changes are incorporated in full-scale
annual reviews. Different organisations will adopt different rules and review periods according to their
attitude to risk and resources they are willing to deploy.
An organisation must also plan and manage risk management communications. There is a great diversity of people and other organisations that may have a legitimate interest in an organisation’s affairs. All these people need information in different formats about different aspects of the organisation
if the risk of alienating them is to be avoided or reduced. Most of them will place a high priority on
information supporting assurance that the organisation is being properly managed, and will expect
information about risk policies and management.
Efficient and effective communication does not happen by accident. Organisations must decide on the
scope of information relevant to each stakeholder and how this communication is to be achieved.
Procedures must be established and resources allocated to make sure planned communication is
achieved.

D6 Monitoring and reviewing


All organisations must adopt some form of quality control. In large organisations, particularly those in regulated business sectors, this may be an elaborate structure of audit arrangements, reporting directly to the board on a regular basis. In small organisations the owner/manager may personally assess the
quality of work being done and product being supplied. Manufacturing organisations invariably adopt
quality procedures, from regular goods inspections, through to quality circles and continuous
improvement initiatives.
Like any other established procedures, risk management procedures can be audited to see if they are
being followed and if they are achieving required objectives. Both procedures and achievements can be
tested against those of similar organisations and against established standards to see if they can be
improved. We will come back to this process of benchmarking later on in the study text.
Where an organisation has dedicated risk professionals, they too will be interested in quality control to
assess risks involved in failing to meet either contractual or statutory requirements in products and
services supplied. There will inevitably be some overlap of interest as risk professionals seek to manage
quality risk, a task that may have been allocated to others. Whether quality monitoring and control is
allocated to specialist functional groups or embedded in the responsibilities of operational managers,
ultimate responsibility lies with the directors of an organisation, who have to satisfy other stakeholders.
Organisations must establish effective internal controls to satisfy stakeholders of their ability to properly
manage risk. We will see later on that in some cases controls will be mandatory requirements of
regulators, or required by law to demonstrate the existence of adequate corporate governance.
Compliance with international standard ISO 31000 would be regarded as a suitable benchmark against
which risk control systems could be measured.

Question 2.2
Why does an organisation need to plan and manage risk management communications?

Key points

The main ideas covered by this chapter can be summarised as follows:
Introduction to risk management
• If we thoroughly understand a risk and its implications we can take steps to prevent causes, mitigate effects or
break a link in the cause, events and effects chain.
• Risk management also includes assessment of risks to decide which risks are worth management attention and to
balance risks against corresponding opportunities.
• Organisations have different structures but risk management processes remain the same.
Benefits of risk management
• Risk management offers a range of benefits, including reducing potential future costs and possibly saving
organisations from otherwise inevitable closure.
• Once a risk has been thoroughly evaluated, its consequences can be classified according to whether they can be
tolerated, tolerated with financial compensation (insurance), or are totally unacceptable.
• To make good risk management decisions it is important to understand whether an incident may occur and also the
precise significance of such damage to the organisation’s processes.
• Benefits and the value of risk management should be felt at all levels and within all functions of an organisation.
• Risk management activities should include the measurement of benefits, if possible in financial terms, to justify the
use of resources and budgets.
Risk and organisational objectives
• Organisations need to specify their objectives and communicate these to employees and stakeholders.
• Strategies and plans show how objectives are to be met. Risks must be considered at this stage to allow
stakeholders to form an opinion of the likelihood that anticipated results will be achieved.
• Risks include anything with potential to threaten the operations, assets and other responsibilities of an organisation.
• Risks arise from a variety of sources – all stakeholders are a source of risk.
• Organisations must protect themselves from damage or loss. This includes safety of people, safety of assets,
revenue and cash flows, legal obligations and delivery of promised goods and services.
• Organisations need to consider new and emerging risks.
• International organisations have to manage global and political risks. Risks with potential global impact can arise
from large-scale economic, environmental, social, technological or political events.
• Technology opens up new possibilities, but carries inherent risks, e.g. data security. Cyber criminals have
developed sophisticated tools.
The risk management process
• An organisation must decide what sort of risks it is willing to take in pursuit of its objectives and what magnitude of
those risks it can tolerate.
• A clear, organisation-wide, risk management philosophy enables individual risk work to be done within a framework
of long-term objectives and provides an effective benchmark for local decisions and activity.
• A risk policy statement may be restricted to strategic objectives and policies or it may go on into detail about
methods and actual levels of risk acceptance.
• Risks must be formally identified and analysed in terms of their likely frequency and potential impact.
• Organisations have a number of choices available when setting out to control an unacceptable risk. They can retain
the risk, reduce the risk down to acceptable levels or transfer the risk to insurers or other parties.
• Continuity planning is a process where an organisation anticipates an incident and prepares a plan to manage the
consequences so that the incident does not threaten the survival of the organisation.
• Continuity plans can prepare for a whole range of incidents, such as computer failure, product recalls, kidnap,
terrorism, fire, weather damage, major fraud, aggressive media attention.
• Organisations do not stand still and neither do the environments they operate in. Consequently, all our risk
management processes must recognise and plan for change.
• Organisations must identify and adopt procedures for regularly updating information and reviewing assessments
and recommendations.
• All organisations must adopt some form of quality control.
• Organisations must establish effective internal controls to satisfy stakeholders of their ability to manage risk.

Question answers
2.1 Insurance, creating a separate funding mechanism, use of financial instruments and appropriate contract wording.
2.2 Planning and management are needed because various stakeholders require information about aspects of the
organisation in different formats, if the risk of alienating them is to be avoided or reduced.

Self-test questions
1. What is the purpose of classifying risks?
2. List six benefits of effective risk management.
3. When operations are outsourced, what risk question must be asked?
4. What issues need consideration to protect an organisation against damage or loss?
5. What are the key elements of the risk management process?
6. What are we looking for when we set out to analyse identified risks?
7. What choices are available to control unacceptable risks?

You will find the answers at the back of the book


Chapter 3 Roles and responsibilities

Contents (syllabus learning outcomes)
Learning objectives
Introduction
Key terms
A Corporate governance and internal control 3.5
B Enterprise risk management (ERM) 2.3, 5.1
C Individual responsibilities 2.3, 5.3
D Relationship between audit and risk management 2.4
E Relationship between compliance and risk management 2.4
F Governance, risk and compliance (GRC) 5.2
G Risk appetite and risk tolerance 3.5
H Risk aware culture 2.3
I Risk maturity 5.1
Key points
Question answers
Self-test questions

Learning objectives
After studying this chapter, you should be able to:
• explain the regulatory and corporate governance context surrounding risk management processes;
• discuss how enterprise risk management (ERM) shapes the roles, responsibilities and structure of an
organisation looking to address risk management issues;
• describe key roles and responsibilities for risk management in relation to the board, chief risk officer,
risk committees and the risk function;
• explain the relationship between risk management and audit functions;
• explain the relationship between risk management and compliance functions; and
• discuss the practicality of governance, risk and compliance (GRC) departments working closely
together.

Introduction
In this chapter we look at how people can be organised to carry out risk management functions
throughout an organisation. We will start by discussing the roles and responsibilities of the board of
directors (or their equivalent). Then we will describe a typical risk management department, through
chief risk officer to risk managers and individual risk officers. Finally we will see how standing
committees can promote information flows.
We will look at how risk management roles contribute to corporate governance requirements and how
they interact with other functions such as audit and compliance. Lastly, we will return to certain aspects of corporate governance. We discuss issues such as risk culture, risk appetite, risk tolerance and risk
maturity and see how these attributes can be measured.

Key terms
This chapter features explanations of the following terms and concepts:
• Chief risk officer
• Corporate governance
• Enterprise risk management (ERM)
• Governance, risk management and compliance (GRC)
• Risk appetite
• Risk aware culture
• Risk committees
• Risk manager
• Risk maturity
• Risk tolerance
• Sarbanes–Oxley Act 2002
• Supervision of risk
• The board
• UK Corporate Governance Code

A Corporate governance and internal control


A1 The board and risk management
Overall management and direction of any organisation is the responsibility of a small group of people
who accept certain roles and responsibilities in line with corporate legislation. Various fines and
penalties apply if required duties are shown not to be fulfilled. According to the constitution and
purpose of an organisation this group could have different names (e.g. trustees for a charity), but we will
use the common term of board of directors (the board).
The board exists to watch over an organisation and give it overall direction. It must act in a lawful manner to further the interests of shareholders. It sets clear objectives for executive management and arranges necessary funds and facilities.
The Companies Act 2006 requires directors to have ‘regard amongst other matters’ to the:
• likely long-term consequences of their decisions;
• interests of the company’s employees;
• need to foster the company’s business relationships with suppliers, customers and others;
• impact of the company’s operations on the community and the environment;
• desirability of maintaining a reputation for high standards of business conduct; and
• need to act fairly between members (i.e. shareholders) of the company.
The UK Corporate Governance Code charges directors with:
• setting the company’s strategic aims and providing leadership to put them into effect;
• supervising management of the business; and
• reporting to shareholders on their stewardship.
The Code is based on principles of accountability, transparency, probity, and focus on the sustainable
success of an entity over the longer term. Under accountability:
• the board is responsible for determining the nature and extent of significant risks it is willing to take in
achieving its corporate objectives; and
• the board should maintain sound risk management and internal control systems.
We will discuss the UK Corporate Governance Code in more detail in section A3A of this chapter.

In practice, most boards have five main responsibilities:
• Regulation of the executive (executive directors and other members of senior management) to ensure they uphold shareholder interests and laws governing the conduct of the business.
• Approving the report and accounts, annual budgets, strategy and other important plans.
• Selecting, appraising and rewarding the chief executive officer (CEO) and ensuring succession planning is actively addressed.
• Supervision of the process of risk assessment and ensuring necessary actions are adopted to mitigate those risks.
• Ensuring that company integrity and principles are upheld on critical matters, such as financial reporting accuracy, legal and regulatory compliance and adherence to the company’s stated ethical standards.

You will see that a board cannot ignore its responsibilities regarding risk management. It needs to
specify risk policy, thoroughly review risk exposures and define levels of risk it is prepared to
accommodate. These responsibilities will be emphasised later in this chapter when we discuss
corporate governance.
A board will delegate some of its responsibilities after considering ownership, objectives, organisation
structure, personnel and the interests of other stakeholders. It will set out what powers it reserves for
itself and what powers are to be delegated to executive officers. In some organisations the board will
make all the important decisions, receiving reports from management and giving advice. In other
organisations it will be little more than a rubber stamp for executive recommendations. Usually there is a
compromise between these two extremes, with the board concentrating on very major decisions, leaving
the bulk of decision making to executive officers. These will meet regularly, calling themselves the
executive committee, the management board or some similar title.
You can see from this summary that the board has ultimate responsibility for risk assessment and risk
management, even if it delegates some or most of the work. It must be concerned with all risks,
including any that might prevent it fulfilling its other responsibilities.

Question 3.1
One of the five main responsibilities of a board of directors concerns risk. Under this heading, what is the board
responsible for?

A2 Supervision of risk
We saw in chapter 2, section D1, that the board has to identify risks inherent in its business plans and
decide how much risk it is prepared to accept. This information is disseminated throughout the
organisation to influence executive decisions. The board needs assurance that risk guidelines are being
observed, that new risks are being identified and reported and that total risk levels are within acceptable
limits.

How, then, does the board go about supervising risk management? Different organisations may adopt
different solutions, but a common approach is to appoint a risk subcommittee. Boards and executive
committees have multiple responsibilities and their members have different aptitudes, knowledge and
skills. A board will carefully select individuals with appropriate risk backgrounds from the executive and
its own members to constitute the risk subcommittee, to which it will then delegate its risk assessment
and risk management supervision responsibilities. It follows that the risk subcommittee should
command full board attention when it has issues to resolve. The subcommittee will be under pressure
from the board to demonstrate that risk controls are implemented and effective.
The risk subcommittee will act with board authority, setting policies and making risk decisions as
required. Its terms of reference will require it to keep the full board informed of its activities and it will be expected to seek full board approval for policies and decisions that affect the organisation in a major
way. The risk subcommittee may have additional members from outside the board and the executive.
This would be appropriate, for example, if the senior risk professional is not a board or executive
member, or if there is a specialist risk expert in the organisation.
The remit for a board risk subcommittee will include compliance with appropriate legislation and regulation relating to risk management functions of corporate governance. It will be responsible for implementing risk policies, setting up and monitoring systems to identify and assess risks, specifying risk appetite and reporting on risk management for the report and accounts. It will report on current risk issues and profiles and investigate and advise on risks associated with proposed new ventures.
Following the 2008 financial crisis, Sir David Walker, a prominent British banker, was asked by the Prime
Minister to review corporate governance in the UK banking industry and recommended that a board risk
committee be made mandatory for FTSE 100 banks and life assurance companies. The board risk
committee would oversee risk and monitor current risk exposures on an organisation wide basis and
have a primary input assessing and advising on proposed major initiatives such as mergers, acquisitions
or new product lines. The risk committee would be supported by an independent chief risk officer
reporting to the CEO or chief financial officer, but with direct access to the chairperson of the risk
committee and the chairperson of the board, and with a full board decision required to change
employment terms. Organisations outside the financial industry are expected to incorporate or reflect
Walker’s recommendations in their best practice codes.
A risk subcommittee is not the full board and technically it can only submit recommendations for
approval. In practice, however, the risk subcommittee will proceed with general board authority on
everything except the very largest and important issues and will submit summary reports of its activities
for discussion at full board meetings. The full board may then vote to accept the report. If no comments
are recorded, the board will accept and approve the activities of the subcommittee as stated in the
report.
The first and most important task of a risk subcommittee will be to publish and maintain the overall risk
management philosophy of the organisation. This document will set out the organisation’s commitment
to risk assessment and management, and what it expects to achieve by risk management. It will identify
major threats to the organisation as seen by the board and the strategy for dealing with these. It should
also outline the management structure and controls by which it means to supervise risk management
activities. Remember that we are not just trying to mitigate adverse events. Best practice in corporate
risk management includes dealing with both negative (downside) risks and positive (upside) risks.
The risk management philosophy document must have full board approval and support. In large
organisations it may be reproduced, in whole or in part, for the risk management section of the annual
report. Its purpose is not just to provide a consistent framework for ongoing risk work. It also serves to
convince stakeholders that risk is being effectively managed.
The risk management philosophy document may be the only formal statement some stakeholders have
from an organisation to assure them their interests are being protected. And in organisations subject to
regulatory regimes, the risk management philosophy is a key document to fulfil the requirement to
demonstrate proper corporate governance.

A3 Corporate governance
The way a board sets up an organisation to achieve its objectives, together with the systems it puts in
place to manage and control that organisation, is known as corporate governance. With strong corporate
governance arrangements, the board will have good timely information on all key aspects of the
organisation and be in full control of its operations.
Chapter 3 Roles and responsibilities 3/5

The term ‘corporate governance’ has existed for many years, but a succession of high profile corporate
scandals in the 1990s and early 2000s brought it to public attention. In this period a number of large
organisations collapsed, with damaging effects on local and national economies and markets. Following
these events, many national governments made it clear they wanted to prevent major corporate failures,
particularly those arising from fraud or mismanagement. As a consequence, there is now a trend towards
establishing codes of practice for corporate governance that are either strongly advisory or legally
required.
Corporate governance codes differ across the world, but commonly adopted principles include:
• Companies should respect shareholder rights and help shareholders to exercise them.
• Companies should recognise they may have obligations to other stakeholders.
• The board needs the skills and understanding to review and challenge management performance.
• Companies should develop a code of conduct for their directors and managers that promotes ethical
and responsible decision making.
• Companies should make public the roles and responsibilities of the board and management to
provide shareholders with a level of accountability.
• Companies should have procedures to independently verify their financial reporting.
In the UK and the USA codes tend to focus more on the interests of shareholders. In Japan and
continental Europe codes give more emphasis to interests of other stakeholders. As far as we are
concerned the main standards to date are the UK Corporate Governance Code and the Sarbanes–Oxley
Act 2002 (USA).

A3A UK Corporate Governance Code


The UK Corporate Governance Code (previously known as the Combined Code on Corporate Governance)
provides a code of best practice for companies listed on the London Stock Exchange. It is overseen by
the Financial Reporting Council (FRC). It has been in existence for some years but was substantially
strengthened in 2003 in order to implement the recommendations of a series of major public reports on
corporate processes and behaviour (Cadbury 1992, Greenbury 1995, Hampel 1998, Turnbull 1999 and
Higgs 2003). The current version is principles-based and thus more flexible in its application than its US
counterpart.
It was originally a ‘voluntary code’, but under the Financial Conduct Authority (FCA) Listing Rules the UK
financial regulator requires publicly listed companies in all industries to disclose in their annual report
and accounts how they have complied with the Code, or to explain where they have not complied with its
recommended practices.
Recommended practices listed in the Code and in the more detailed Turnbull Guidance which
accompanies it, include the following:
• Separation of the roles of chairperson and CEO.
• CEO employment contracts to have a time limit.
• The minimum numbers of non-executive directors on the board.
• Board subcommittees to be established (i.e. audit, remuneration, nomination).
Particularly important are the recommended practices on competence, risk management and internal
control. These specify that boards of listed companies should:
• be individually and jointly competent, and possess the relevant skills and knowledge to perform their
roles effectively;
• conduct a regular, thorough review of risks to which the company is exposed, including their frequency
and severity;
• specify the company’s risk appetite;
• agree and implement board policies on risk and control;
• establish prudent and effective internal controls (to enable risks to be assessed and managed); and
• review the effectiveness of the company’s systems of internal control and risk management and
formally report these at least annually.
3/6 M67/P67/March 2018 Fundamentals of risk management

The UK Corporate Governance Code is reviewed every two years. The September 2012 update required
publicly quoted companies to invite tenders for external auditing every ten years and clarified the
standards expected from annual reports. The September 2014 update focused on risks affecting long-term
viability. Organisations need to present information to the FRC to give a clearer view of solvency,
liquidity, risk management and viability for investors, who will be invited to actively respond. Boards of
listed companies have to demonstrate that executive remuneration is linked to the long-term success of
the company, rather than short-term objectives. The April 2016 update of the Code made relatively minor
changes to the section on audit committees, in order to clarify competency and reporting requirements
consistent with new EU rules for audits. It also underlined the need to comply with the 2014 information
disclosure requirements.

Useful website
You can keep up-to-date with developments in this area by visiting the FRC website www.frc.org.uk.

A3B Sarbanes–Oxley Act 2002


The Sarbanes–Oxley Act 2002 (full title: Public Company Accounting Reform and Investor Protection Act
2002) commonly known as SOX, was named after its sponsors Senator P. Sarbanes and Representative
M. Oxley. It established enhanced standards for all US public companies listed by the US financial
regulator, i.e. the US Securities and Exchange Commission (SEC), together with the accountancy firms
that audit them. It was brought in to clean up a stock market that had been shaken by the internet
bubble, combined with a succession of scandals involving major corporations, auditors and, in some
instances, securities analysts. It is rules-based, much stricter in enforcement than the UK Corporate
Governance Code and carries heavy fines and long terms of imprisonment for those who fail to comply
with its requirements.
SOX comprises eleven sections or ‘titles’. These are quite detailed but the most important points in each
are summarised below.

Title I – Public Company Accounting Oversight Board: A quasi-public agency, the Public Company
Accounting Oversight Board, is established to provide independent regulation of auditors, defining the
procedures for compliance audits and enforcing the specific mandates of SOX.
Title II – Auditor independence: Standards for external auditor independence are set, including forbidding
them from undertaking consultancy work for audited clients.
Title III – Corporate responsibility: This mandates that senior executives take individual responsibility for
the accuracy of financial reports, and sets the penalties for non-compliance.
Title IV – Enhanced financial disclosures: This deals with enhanced reporting requirements for financial
transactions, including off-balance sheet transactions and stock transactions of senior management.
Title V – Analyst conflict of interest: A code of conduct is set for securities analysts, which includes
disclosure of conflicts of interest.
Title VI – Commission resources and authority: This defines the authority of the SEC to censure or ban
securities professionals from practising as a broker, adviser or dealer.
Title VII – Studies and reports: This requires the Comptroller General and the SEC to conduct studies and
report on matters such as the consolidation of public accounting firms, the role of credit rating agencies,
securities violations and enforcement actions.
Title VIII – Corporate and criminal fraud accountability: This sets criminal penalties for fraud by
manipulation, destruction or alteration of financial records and provides protection for whistle-blowers.
Title IX – White-collar crime penalty enhancements: The criminal penalties for white-collar crimes and
conspiracies are increased.
Title X – Corporate tax returns: The CEO should sign the company tax return.
Title XI – Corporate fraud and accountability: Corporate fraud and tampering with records are identified
as criminal offences. The SEC is empowered to temporarily freeze large or unusual payments.

As you can see, SOX is different in approach from the UK’s Corporate Governance Code. It has less
emphasis on risk management and far more on ensuring the validity of financial reports to the
shareholders. This is not really surprising as it was drafted in a climate when the priority was to prevent
further management fraud.
Since SOX came into force in 2002, it has attracted both criticism and praise from interested parties in
the USA. Whilst tighter regulation of financial reporting and control has undoubtedly increased
confidence in the status and value of published corporate accounts, full compliance has proved costly to
implement and the Act is criticised for deterring smaller organisations from contemplating listings on the
New York Stock Exchange. Section 404 of the Act is often singled out for analysis: it requires that
publicly traded corporations use a formal risk control framework and that management and the external
auditor report on the adequacy of internal control on financial reporting.
Consequently, the Jumpstart Our Business Startups Act, or JOBS Act, of 2012 (which aimed to make it
easier for growing US companies to go public, raise capital privately and stay private longer) also relaxed
SOX compliance requirements. These relaxations included exempting new public companies from
section 404 reporting for a period of five years instead of two.

A3C Risk management implications


You can see that laws and regulations to improve corporate governance reinforce the principles and
practice promoted in this study text. They recognise that the work of a board is difficult to perform
effectively, not least because it must rely on reports by the executive management to keep it informed
about the true state of the company, and attempt to improve the processes that determine the way
organisations are internally controlled.
Most major organisations, particularly those in financial and related services, choose to comply with one
or other of the two codes summarised above, depending on whether their shares are listed in London or
New York. Of course, companies are expected to comply with both codes if they are listed in both
countries.

Consider this…
What are the implications for risk management of this trend towards detailed corporate governance standards?

Of course the primary effect is a significant rise in profile. Boards must ensure that risks to the company
are assessed and dealt with in an appropriate manner and this is perceived to be an extremely important
part of the board’s remit, particularly where large sums of money may be involved. Annual reports of
public companies are now likely to have significant sections devoted to risk management.
The other side of the coin is apparent if an organisation fails. Where did governance go wrong? Who was
responsible for not anticipating risks that led to failure? Investigations are more focused on whether or
not expected standards were upheld. Lawyers have a benchmark against which to pursue claims (and
damages) for mismanagement and subsequent stakeholder loss. Prosecutions of executives highlight
risk management deficiencies. We will return to these considerations in chapter 7, where we look at
some high profile organisation failures.

A4 Internal control
Consider this…
UK Corporate Governance recommendations emphasise the importance of risk management and internal control.
What is meant by internal control?

Internal controls are devices and procedures put in place to help ensure that management objectives are
met. For risk management purposes, internal control activities are policies and procedures that help
ensure risk responses are carried out. Examples are approvals, authorisations, reconciliations,
separation of duties, physical controls, IT controls and peer reviews.
Fundamental to effective internal control is the environment in which control is required. Standards,
philosophy and values of an organisation and the attitude and competence of managers and staff all
contribute towards the environment. Direction will come from the board, which must deploy time,
attention and resources to maintain the environment they require.
Other components of internal control are the risk management and audit activities which we discuss in
this study text. Risk identification, analysis and assessment against objectives are procedures for
deciding how risks should be managed. Information recording and communication is necessary to
coordinate activities and produce consolidated risk reports to help the board manage and direct.
Monitoring is necessary to check procedures are both efficient and effective. Internal audits provide
independent assurance on controls and recommend improvements where applicable.
Internal controls are particularly effective when a procedure is established, with well defined objectives
and specified rules. Accounting and financial control procedures fall in this category, which is why
internal control is often emphasised in corporate governance recommendations.
In auditing and accounting, internal control is defined as a process that is designed to help an
organisation to accomplish specific goals or objectives. Organisations can choose from a number of
internal control frameworks.
One of the most widely used frameworks is the Internal Control – Integrated Framework published by the
Committee of Sponsoring Organizations of the Treadway Commission (COSO). US organisations, together
with their overseas branches, tend to prefer COSO because compliance with it satisfies the US legal
requirements for financial reporting as set out in SOX.
COSO defines internal control as a process, effected by an organisation’s board of directors,
management and other personnel, to provide ‘reasonable assurance’ regarding achievement of
objectives in the following categories:
• Effectiveness and efficiency of operations.
• Reliability of financial reporting.
• Compliance with applicable laws and regulations.
• Safeguarding of assets.
COSO describes internal control as consisting of five essential components:
• Control environment.
• Risk assessment.
• Control activities.
• Information and communication.
• Monitoring activities.
The framework sets out 17 principles representing the fundamental concepts associated with each
component. By applying all the principles, an organisation can achieve effective internal control.
Note that although most of the components of internal control are reflected in risk management
requirements, a risk manager has other tools at their disposal, such as risk transfer, insurance and
continuity plans.

Useful website
www.coso.org/-erm.htm.

A4A Control self assessment (CSA)


Today’s ever-changing business environment requires a culture of dynamic risk management through
effective internal controls to ensure objectives are achieved. Organisations should continually assess
their risks and the effectiveness of their controls mitigating these risks.
Control self assessment (CSA) is a process applied systematically across an organisation at various
levels. The approach and process is established beforehand, normally by risk management staff in
conjunction with an audit. CSA requires operational management and staff to self-review or self-audit
risk controls for which they are responsible and to communicate results up through the appropriate
management line. The risk management department will then follow up or request further clarification
where needed.
CSA is used in combination with a monitoring process and the CSA process itself will be subject to
periodic audit to check it is delivering trusted and useful information. To work properly, people with
experience or training in these types of project are required to support, foster and own the CSA process.
Sufficient time and resources must be allocated to properly prepare for and carry out workshops and
subsequent follow-up. The methodology must be properly structured yet flexible, and should avoid the
creation of overly simple or confusing checklists.
CSA is a useful way of ensuring compliance with corporate standards right across an organisation,
including risk aspects of legislation and other compliance needs. Originally designed for financial
controls to support regulatory compliance, the process is flexible enough to apply to other risk areas. It
enables risk managers to understand and produce reports on current activity that may be required by the
risk department itself, insurers, the audit committee and by external regulators.
An organisation that applies CSA should be able to:
• obtain a clear and shared understanding of major activities and objectives of business units and
processes;
• foster improved awareness of risk and controls among management and staff;
• provide a flexible but structured approach to improving the organisation’s controls framework;
• enhance responsibility and accountability for risks and controls among management and staff;
• highlight best practices and opportunities to improve business performance;
• standardise and benchmark processes, where the same functions are performed in multiple locations;
• help directors to meet their corporate governance responsibilities; and
• reduce the time and effort it takes for internal auditors to gather information on business units, and
provide quicker focus on areas requiring attention.

B Enterprise risk management (ERM)


In chapter 2 we saw that risk management in an organisation is an integrated process aimed at
identifying and controlling risks that may affect the achievement of corporate goals. It depends on:
• a clear statement of objectives from the board of directors;
• a systematic approach to risk identification in changing circumstances;
• an analysis of risks against criteria set by the board; and
• effective management of selected risks.
Responsibility for risk management remains with the board so there is need for a clear communication
and reporting structure. The purpose of this is twofold: to assure the board the system is working as
intended and to enable them to exercise necessary control.
The structure an organisation sets up to control risk management across the whole of its organisation is
known as enterprise risk management (ERM). As well as being a framework to control risk management
activities, ERM systems allow all the risks in an organisation to be looked at together and from different
perspectives. This is known as a holistic approach.
ERM has been recognised as an important element of strong corporate governance. Today its use in large
organisations is internationally supported by laws, regulations and compliance requirements. For large
or public organisations, ERM is no longer an option. Moreover, all public companies are required to
report on risk factors, and potential investors and their advisers will take into account how well risk
management standards are applied. Regulators demand effective ERM and stakeholders such as
lenders, customers, suppliers and staff organisations often ask for evidence that risk taking is under
control.
As a result it is important that not only must ERM systems be in place and working, they must be seen
and proved to be working by independent assessors. Regular audits are essential, not only to provide
assurance that processes function to specified standards, but also to monitor results.
However successful risk management is not just about compliance and assurance. There are a number of
benefits that successful risk management provides, including:
• better informed strategic decisions;
• successful management of change and higher operational efficiency;
• organisations can expect more accurate financial reporting;
• reduced borrowing costs; and
• improved competitive advantage.
Small and medium-sized organisations may not have the resources to implement full ERM systems and
may not have pressure from outside to conform. However, similar advantages can accrue for any
organisation prepared to analyse all types of risk on a regular basis, even if their systems are skeletal
and concentrate only on significant items.
A successful ERM system has two key elements:
• First is a workable framework clarifying functional responsibilities and interactions, and the systems
for internal communication, reporting and control.
• Second, personalising this framework, is a set of terms of reference for key staff. This clarifies
individual functional responsibilities and individual requirements for communication, reporting and
control.
The ERM framework is important. It shows how essential functions of an organisation combine to create
an integrated system for managing risk across the whole organisation. It specifies required information
flows and procedures for achieving them. It identifies where overlapping responsibilities might occur
and, together with the job descriptions, will clarify who is responsible for initiating action plans and
ensuring their success.
ERM is a dynamic management system which requires that people be organised and trained to carry out
delegated tasks within specified boundaries and through specified communication and reporting channels.
However, this takes place in an environment that is subject to continual change. Maintaining the integrity
of the framework throughout a large organisation is often a full-time task, requiring constant monitoring
of the system to see if it is working and measurement of performance against intended results.
In a typical ERM system, a group risk management function would be responsible for:
• setting up and maintaining the ERM framework; and
• managing all risk management functions within the group.
The head of this function might be called chief risk officer, group risk manager or some equivalent title.
The chief risk officer would fulfil their responsibilities through a number of subordinate risk officers,
each with a designated area of interest and specified tasks to address. In large organisations a number
of risk officers could be supervised by an intermediate risk manager if appropriate.
Depending on the organisation, group risk management can be a central coordinating and collation
unit, with the minimum number of staff required to operate efficiently. Individual function managers
within business units would still own the processes, controls and technical aspects of all work related
to their function, but would liaise with group risk management when reviewing risk controls.

Figure 3.1: Enterprise risk management
[Diagram. The board of directors sits at the top, with a risk subcommittee and an audit subcommittee
beneath it. On the risk side, group risk reports flow up (under the heading ‘Governance’) from group
risk management, which works through risk committees with the business units on risk identification,
assessment and control. On the audit side, compliance reports flow up (under the heading ‘Governance’)
from internal audit, which carries out its own risk identification and assessment of the business units.]
We have seen that to maintain standards of good corporate governance, the board will need to be sure
that risk management functions are being carried out as they intended. A typical ERM framework,
therefore, might interpose a group audit function between the risk management function and the board.
The group audit function will carry out independent monitoring and performance measurements and will
be responsible for audit of all risk management activities, as well as for internal control and other
aspects of corporate governance.
Where an organisation is closely supervised or regulated by government rules, it normally risks losing its
licence to operate if it fails to comply with specific conditions. In these circumstances a separate group
compliance function might be added specifically to manage risks threatening compliance with
regulations. It would operate at the same level as group risk management, but only be responsible for
those risks that fell within its remit.
We have seen that boards normally share their workload by appointing subcommittees to carry out
certain aspects of their work. These subcommittees comprise board members with appropriate expertise
as well as other expert representatives from anywhere within the organisation. A risk subcommittee and
an audit subcommittee would be two such committees, as in our example.

Example 3.1
The chief risk officer would regularly report risk matters to the chief executive officer (CEO) of the board, senior
management committees and to the board risk subcommittee.
The group compliance officer would have direct access to the CEO and chairperson of the board and would regularly
report compliance matters to the board audit subcommittee.
The head of group audit would have regular meetings with the chairperson of the board and would also report to the
board audit subcommittee.
These top level reporting activities are all designed to make sure the board can fulfil its responsibilities for
supervision of all functional and risk activities. There will of course be a series of supporting meetings and
committees throughout the organisation at more detailed levels. Terms of reference for these committees will be
spelt out in company procedures, which themselves will be subject to audit.

We will look at the role and responsibility of working committees later in this chapter. From a
management point of view a committee is a specified group of people, often from different functions,
who meet at regular intervals in a controlled environment to exchange information and coordinate
actions. Committees have the attraction of being able to encourage dialogue and initiative, compared
with more passive forms of communication such as shared databases or reports.
The risk subcommittee and the audit subcommittee are independent information channels to the board.
This prevents the board only getting a one sided view of operations from individual functions or the CEO.
By scrutinising all aspects and functions of an organisation from different perspectives, individually and
holistically, risks can be evaluated for action to be taken when required.
Note that the board may have a further independent information channel if external auditors are
employed. For larger companies, it is a legal requirement to employ external financial auditors, but there
is nothing to prevent an organisation paying for audits of other functions if it sees this to be to its
advantage.
An established ERM function can make a valuable contribution to strategy formation as well as managing
the risks involved. With an understanding of strategic objectives, the tactics to be employed to achieve
them, and a list of perceived risks and opportunities, the ERM function has raw data on which
recommendations can be based.
Note, however, that ERM systems are not established overnight. It can take several years to change the
culture of a large organisation and audits will try and establish how far this has been achieved. This will
be reported as a measure of the maturity level of the system and will be used to interpret and comment
on results.
We have seen that ERM affects every level, function and operational unit of an organisation and is clearly
fundamental to the way an organisation goes about achieving its objectives. It is a basic management
philosophy that can only be initiated and maintained by the board, who must deliberately take every
opportunity to emphasise its relevance and importance.
C Individual responsibilities
Depending on the size and structure of an organisation and reflecting its objectives and attitudes,
responsibility for risk assessment and control can be allocated in many different ways. Some
organisations treat risk control as an integral part of general management, making each manager
responsible for events in their own area of influence. Typically, such a structure would be supported by a
small centre of risk management expertise to:
• coordinate and maintain central files and registers;
• maintain standards in line with best industry practice;
• give procedural advice;
• perform training; and
• report on risk management performance.

Other organisations might appoint specific managers responsible for different areas of risk, such as
health and safety, finance, compliance, business continuity, physical assets, quality assurance,
contracts and so on. Again, a small centre of risk management expertise might be employed.

Consider this…
How is responsibility for different areas of risk apportioned in organisations with which you are familiar?

Effective risk management will heavily depend on the ability of the central risk management
professionals to communicate with and persuade their various management colleagues to treat risk in a
coordinated manner. It will also require them to treat risk in accordance with senior management
expectations. This is regardless of which risk management approach is adopted by organisations.
It is difficult, if not impossible, to prevent overlap between various management responsibilities. For
example, a risk department will want to be satisfied that all risks inherent in a supply chain are
minimised, and one key element of this will be the detailed terms of the contracts with suppliers, clearly
the province of a contract manager.
In the final analysis, responsibility for risk control throughout an organisation lies with the board of
directors. It is their task to try to apportion risk responsibilities so that effective risk control can be
established in a manner that fits in with the structure of an organisation and with capabilities,
personalities and expectations of its staff.
We have seen that the board of an organisation commonly appoint a risk subcommittee to fulfil their
responsibilities for risk management. The risk subcommittee promulgates policy directives and also
provides a forum for resolving inevitable differences in attitude and priorities between managers. In this
way, for example, important and necessary procedural changes can be ordered by top management if a
central risk management function provides convincing evidence of serious risk exposure and a practical
risk mitigation proposal.
A risk subcommittee will set out the structure by which they intend to manage risk in a written document
available for general reference. This is usually referred to as risk management architecture. This
document describes the risk management structure of the organisation, laying out lines of
communication for reporting risk management issues. Individual parts of large organisations will then
set up the detail of their own risk control procedures within this overall structure.
Whether it is called risk strategy, risk structure or risk governance, a document describing the risk
architecture will, as a minimum:
• specify the board member or subcommittee responsible for risk management;
• state in general terms how risk is perceived; and
• specify the roles and responsibilities of any senior risk professionals or departments.
It should also define a general framework for identifying, evaluating and reporting risks, specify an
authority to approve risk management related aspects of procedures, clarify the role of risk committees
and lay down guidelines for auditing and assurance. It should be made clear that the board expects
regular assurance that approved procedures are being followed and expected benefits are being
obtained.
The risk management architecture document should be reviewed at least every one to two years to
reflect major changes in an organisation or its environment. A risk management framework is supported
by individual job descriptions, which set out the duties and responsibilities of individual roles.
Chapter 3 Roles and responsibilities 3/13

Risk management frameworks are designed to ensure that management decisions are based on good
and consistent risk information, with a sound understanding of possible consequences and likely
outcomes of alternative courses of action. This approach will be emphasised in job descriptions, with
prominence given to risk management expectations and responsibilities. In addition, the job description
will clarify requirements for reporting, communication and control.

Typically, within their terms of reference, heads of departments will have primary responsibility for
managing operational risks and promoting risk awareness. As well as identifying, assessing and
prioritising current and emerging risks in their areas, they will clarify risk strategy, explain the board’s
attitude to risk and implement risk management processes in their department.

Individual job descriptions and personal objectives include suitable risk elements so that staff:
• recognise and understand risks that relate to their individual roles and activities;
• appreciate how risk management contributes to successful achievement of objectives; and
• clearly understand their personal responsibilities for reporting and managing risk.

If the risk management process identifies a risk that needs to be actively managed, the framework will
specify that this needs to be assigned to an individual risk owner. This risk owner should be responsible
for assessing and managing the organisation’s response.

C1 Chief risk officer


The importance of risk management in an organisation has been increasingly recognised over the last
twenty years. ERM systems and corporate governance requirements both depend on effective risk
management frameworks. Formal and comprehensive systems of risk identification, analysis and control
are expected to contribute to strategic decision making as well as reducing consequences of risk.
If risk management is an integral part of strategic decision making then logic suggests the head of an
ERM function should be a board member. If this is not felt appropriate, then the position should be
sufficiently close to board level to reflect board authority and provide easy and regular access to board
members.
Here we are going to use the term ‘chief risk officer’ to denote the most senior professional risk manager
in an organisation. Particular roles and responsibilities attached to the position will of course vary
depending on the size and nature of an organisation and the business or social sector in which it
operates. The following provides a flavour of some or all roles, responsibilities and corporate
dimensions likely to be associated with such a position. Typically a chief risk officer, through their team,
will be challenged to:
• ensure risk management is at the heart of strategic decision making;
• supply appropriate risk management skills and expertise concerning any corporate involvement in
major initiatives or programmes;
• agree, establish and oversee a risk management framework across the organisation;
• raise ‘risk awareness’ across the organisation;
• communicate on risk matters with all business areas and appropriate external stakeholders;
• ensure all risk owners understand the risks they are responsible for;
• provide advice and support across the organisation to ensure effective risk management;
• identify risk trends and emerging risks of interest to the organisation;
• identify, analyse, assess and evaluate a range of individual risks across the organisation;
• maintain an up-to-date risk register;
• evaluate existing risk controls – highlighting any deficiencies and creating action plans for
improvement;
• implement cost effective risk controls or adjustment;
• identify and report on the most important risks faced by the organisation;
• prepare insurance programmes and business continuity plans;
• identify and report on significant changes in probability or impact of the most important risks faced by
the organisation;
• work within agreed budgetary constraints; and
• take overall responsibility for recruitment and development of direct reports including appropriate
training.

A chief risk officer will contribute to decisions about the direction an organisation is to follow and will be
intimately involved in the detail of strategic plans. They could be actively or indirectly involved in many
diverse issues, for example merger and acquisition proposals, community programmes or supply chain
initiatives.

The chief risk officer will be responsible for:
• establishing and maintaining an effective ERM framework in line with risk subcommittee
recommendations;
• setting detailed targets and objectives within the board remit; and
• demonstrating whether those objectives have been met.


One crucial objective will be to improve risk awareness in the organisation. The board will expect risk
culture to mature measurably every year.
Within the risk framework the chief risk officer will need to make sure that the most significant risks
faced by the company have been identified, analysed and assessed. They will be responsible for
initiating actions to limit impact of adverse risks and for making sure those actions are completed in a
timely manner. The chief risk officer will monitor all significant risks, maintain risk profiles and ensure
risk reporting to approved internal and external recipients meets their needs.
Identifying individual risk owners and making sure they carry out actions as required is one of the most
important aspects of the job. The essence of risk management is to identify and evaluate risks and make
sure appropriate control actions are carried out. Risk identification responsibility is not confined to
existing risks. The chief risk officer will be expected to bring important new and emerging risks to the
attention of the board.
The chief risk officer will have financial constraints. They will have to work within a limited budget in
terms of activities and allocation of resources, and will be expected to justify risk management
expenditure in financial terms such as return on capital employed. Risk decisions have to be financially
credible and cost effective, especially in the context of risk control or adjustment.
One of the main attributes demanded by the job is ability to communicate effectively at all levels with
different interest groups. Internal communications will include, for example, business units, committees,
directors, legal, audit and compliance. External communications might include auditors, regulators,
shareholders and the media. Communications must have their content controlled and be appropriate,
timely, effective and through the right medium.
The chief risk officer will carry out their responsibilities through a team of direct subordinates, and will
need appropriate management skills. They will be responsible for professional development and training
of their team. As risk management culture spreads through an organisation, the chief risk officer may
also be expected to organise and take responsibility for educating and training other people across the
organisation on risk related matters.

C2 Risk manager
There is no formal definition of risk manager. You might have come across someone who describes
themselves as a risk manager or have seen an advertisement for a job with this label. Organisations use
the term in different ways, sometimes to describe an individual role, sometimes in the context of part of
another role.
A risk manager could have board status in some organisations, or a middle management or lesser role in
others. In some organisations the role may focus on a particular specialist area of risk, such as
operational, financial or IT risk. Some risk management roles are specifically concerned with audits.

Responsibilities may include issues such as insurance programme management, business continuity,
health and safety and the like or specifically exclude these aspects. Scope of the task can vary widely
depending on whether an organisation is global, international or national, whether it is public or private
and whether it operates in the service, manufacturing or tertiary sectors.

Be aware
In this study text we have attempted to avoid ambiguity by using the term ‘risk officer’ to illustrate particular risk
management roles. Nevertheless, it is difficult to avoid the term ‘risk manager’ when looking to describe a person
who supervises a group of risk officers, but reports to a chief risk officer.

In smaller organisations all the people who report to a chief risk officer could be described as risk
officers or senior risk officers, but larger organisations may need an extra layer of management and
supervision, perhaps to reflect functional divisions or perhaps because of geographical considerations.
A global organisation, for example, may need an intermediate risk manager for each continent.
In this context, typical responsibilities would include the following:
• Establish and oversee the approved risk management framework across a designated geographical or
functional area of the business.
• Raise ‘risk awareness’ across a designated geographical or functional area of the business.
• Communicate on risk matters with designated business areas and external stakeholders.
• Ensure all risk owners in designated areas understand risks they are responsible for.
• Provide advice and support in designated areas to ensure effective risk management.
• Help identify risk trends and emerging risks of interest to the organisation.
• Identify, analyse, assess and evaluate a range of individual risks in designated areas.
• Maintain designated parts of an up-to-date risk register.
• Evaluate existing risk controls in a designated area – highlighting any deficiencies and recommending
action plans for improvement.
• Implement approved risk controls or adjustment.
• Help prepare insurance programmes and business continuity plans.
• Identify and report on significant changes in probability or impact of important risks.
• Work within agreed budgetary constraints.
• Recommend recruitment and development of direct reports including appropriate training.
• Day-to-day management and care of direct reports.

C3 Risk officer
Risk officer is the title given to a risk management professional who carries out selected duties under the
guidance and direction of the chief risk officer. After some time in the job a risk officer may be promoted
perhaps to senior risk officer, with a wider role and additional responsibilities to utilise the benefits of
experience. In large organisations a risk officer may report through an intermediate senior risk manager
or head of risk.
Different organisations may choose different titles such as risk manager or senior risk manager, possibly
with additional words to denote areas of responsibility, say operational risk manager, financial risk
manager or risk manager Europe.

Typically, a risk officer may be tasked to:
• help raise risk awareness in specific areas of the organisation;
• communicate on risk matters with specific business areas and/or specified external stakeholders;
• help implement cost effective risk controls or adjustment;
• help evaluate existing risk controls in specified areas, highlighting any deficiencies and suggesting
action plans for improvement;
• ensure risk owners in designated areas understand the risks they are responsible for;
• help identify risk trends and emerging risks of interest to the organisation;
• maintain appropriate parts of an up-to-date risk register; and
• identify, analyse, assess and evaluate a range of individual risks in specified areas.

These duties are a subset of those of the chief risk officer. Normally a risk officer would start by
familiarising themselves with one area or function of the business, reporting in detail to the chief risk
officer and perhaps sitting on one or two of the lower level committees. Progressive responsibility would
embrace more business functions and a wider communication role.

C4 Risk committees
In any organisation committees are established as forums to bring together experts or representatives
from different areas of the organisation to discuss common topics or objectives. Committees work best
when knowledgeable representatives are carefully selected to cover all aspects likely to be discussed
and when they are set up with clear guidelines and objectives.
The chairperson of the group has to ensure that all views are equally aired, that discussions remain
objective and that conclusions are properly documented in the minutes. Individuals should be
nominated to take responsibility for actions arising from meetings and there must be a procedure to
follow up results. Effective committee meetings need adequate preparation against a clear agenda and
unrestricted access to up-to-date, reliable information concerning topics to be discussed.
Risk committees can be useful at several levels in an organisation. We have seen the importance of risk
subcommittees representing and supporting main boards and their contribution to maintaining high
standards of corporate governance. At board level a risk subcommittee might be responsible through the
chief risk officer for establishing and maintaining an effective ERM system. They might be tasked to
ensure that risk management policies are embedded in all working procedures and would receive and
review risk reports and audits to monitor overall risk profile of the organisation.
At group or divisional level risk management committees might promulgate specific strategic objectives,
take responsibility for maintaining and reviewing risk registers and oversee detailed risk management
policies, procedures and culture within their area of influence.

At divisional level or functional management level in larger organisations, risk committees might actively
prepare and maintain risk registers, set detailed risk priorities, ensure risk elements of procedures are
being followed and measure subsequent risk improvements.
Members of risk committees must be carefully selected for:
• their detailed knowledge of the functions being discussed;
• their ability to work well in groups; and
• their reputation in supporting risk management objectives.

Generally, each committee will have at least one representative of a central group risk department, who
will keep the chief risk officer informed of important proceedings and pass information on group
standards and requests to the committee.
Information flow would be coordinated upwards through the various committee levels so that board
members receive a comprehensive, accurate and up-to-date picture of risk management activities
throughout the organisation.
Independent of this chain, a separate audit function will have its own risk committees to ensure that
approved risk procedures are actually being followed.
Group or divisional management will normally be responsible for approving all published work policies
and procedures, but they will expect and respect constructive comments and amendments from
appropriate risk committees.
Obviously, the number and composition of risk committees needed to effectively manage risk will vary
with the size, complexity, structure, objectives, policies, staff and culture of different organisations. The
same considerations will influence specific responsibilities allocated to individual risk professionals.

D Relationship between audit and risk management


Large organisations are typically concerned with two types of audit process: internal and external.
External audits are conducted by separate professional organisations to give independent assurance to
stakeholders that published information conforms to specific standards and is factually correct. All
organisations over a certain size, for example, have a legal requirement for external auditing of
published accounts. Here we are concerned with internal audit activities. Internal audits are carried out
within an organisation to provide assurance to the board that approved systems and procedures are
operating as intended.
According to the Institute of Internal Auditors (IIA) in its performance standards, the aim of internal audit
is to evaluate and contribute to improvement of governance, risk management and control process using
a systematic and disciplined approach.
This definition underlines the link between internal audit, governance and management of risk and
specifically includes the control process. Internal auditors independently assess whether procedures
and controls are working effectively, and the assurance they provide to the board is an essential
requirement for strong corporate governance.
We have seen how a board fulfils its risk management responsibilities through a risk subcommittee. In
similar fashion, and at the same level of authority, the board appoints an audit subcommittee to fulfil its
audit responsibilities. From the board point of view, the purpose of internal audit is to provide
independent assurance that specified functions and procedures are operating effectively, and to point
out improvements that will enhance corporate governance capability.
The board expects internal audit to provide assurance regarding several key functions, only one of which
is risk management. However, with the establishment of ERM systems and promotion of risk
management as fundamental to both organisation culture and corporate governance standards, the
profile of risk management audit has been raised.

Before they can start a risk management audit the audit team will have to familiarise themselves with
the risk management framework. They must understand terms of reference for the risk management
function and be quite clear about its objectives. They will need to review, access and fully appreciate the
way any risk management systems, processes and procedures are carried out so that they can evaluate
and test the effectiveness of arrangements in place.

Generally speaking, the audit team is looking to see if appropriate procedures are in place, if they are
being followed, and if the whole risk management system is meeting requirements of the board. They
will consider if recommendations for improvement need to be made. Reports will be prepared for the
audit subcommittee and for executive areas as required. Follow-up reviews, maybe six months later, will
check to see if recommendations were implemented and, if so, what improvements were obtained.
To decide whether, in its view, enterprise risk management systems and procedures are effective, the
audit team will consider if:
• significant risks are being identified and assessed, in particular those risks that could threaten the
existence or success of the organisation;
• appropriate risk responses are selected in line with risk appetite decided by the board; and
• relevant risk information is captured and communicated in a timely manner across the organisation
and enables staff, management and the board to carry out their responsibilities.
As we saw earlier, it is impossible for an organisation to consider all risks it faces, so the audit team will
concentrate only on those that affect achievement of stated objectives. It will check that risk responses
(in broad terms to reduce, transfer or retain risks) correspond to agreed risk acceptance or tolerance
levels, and that the overall risk profile of the organisation is as required. Effective communication of risk
information is essential, both in written and verbal exchanges, and the audit team will be looking to see
that both internal and external recipients are receiving, in good time, all the information they need.
Evaluation of risk exposure is important. The internal audit will be looking to come to an informed
opinion about reliability of information and effectiveness of risk management operations. Inevitably,
they will also have to consider whether or not the organisation has complied with relevant laws and
regulations and with contract wording where this is appropriate.
The main purpose of internal audit of risk management is to provide independent assurance to the board
that an effective ERM system is in place and operating effectively. However, in order to carry out this
function, members of the audit team have to thoroughly understand the objectives and processes of risk
management.
They will have skills similar to those of the risk management team. As both teams are tasked with
recommending improvements to the risk management function, there is an inevitable overlap of
activities and potential personnel problems. Individual auditors may feel they have more to offer the
organisation than some of the risk management team they are auditing.
How can an organisation best harness skills of the audit team while retaining objectivity and impartiality
in the audit function? What sort of risk management issues should auditors be concerned with? Are there
risk management areas in which audit should never get involved?
The key issue is responsibility. A risk management function has responsibility for setting up and
maintaining an effective risk management system and is responsible for results it achieves. An audit
function monitors, comments and advises, but does not make risk management decisions and does not
take responsibility for any risk management actions. Any extension of the audit role must therefore be
confined to advisory work. Their skills can be harnessed as consultants but they must avoid line
management activities.

Audit functions will include:
• assurance that key risks are adequately reported and managed;
• assurance that risks are correctly evaluated; and
• assurance that risk management processes are effective.

Audit functions will not include:
• accountability for risk management;
• changing risk management processes; and
• setting risk management appetites.

Auditors might promote use of their skills to help identify and evaluate risks in risk related coaching and
training activities, and in consolidating information for reports. This aligns with the trend we will discuss
later to coordinate or merge certain activities of risk management, audit and compliance functions, but it
does not change the underlying principle that auditors must be independent advisers.
Auditors have to keep these considerations in mind as they draw up their reports. Investigations must be
independent, observations clearly objective and recommendations purely for advice. It is up to the
recipients of reports to decide whether to follow the advice and implement recommended actions.
Auditors can be criticised equally for being too closely involved in operational detail or for being
distanced and out of touch. Nevertheless, a professional and competent audit is a powerful check on the
operations it examines, and will help improve the effectiveness of the risk management process. It is a
vital part of the governance, risk and compliance management philosophy which we will discuss in
section F.

E Relationship between compliance and risk management

Organisations whose existence depends on compliance with appropriate laws and regulations often
create a separate compliance function specifically to identify and control threats that might lead to
breaches of compliance.
As well as providing specific assurance that an organisation’s activities conform to external legal and
regulatory requirements of the areas in which they operate, compliance may be asked to consider
internal rules selected by the board. An organisation whose reputation depends on ethical or green
credentials, for example, may feel it critically important that any risk that might damage that reputation
should be specifically identified and controlled.
Typically, large organisations set out to act lawfully and to uphold moral values. Compliance must keep
up to date with existing and new legislation affecting any organisation operation. Compliance provides
policies, guidance, training and advice on compliance issues, as well as assurance that suitable
compliance controls are in place and effective. If an organisation has a published code of conduct,
compliance would be responsible for making all new employees aware of expected standards.
Organisation of a compliance function could mirror the organisation of risk management. The board
could appoint a compliance subcommittee to fulfil its responsibilities and a group compliance
department to oversee and coordinate compliance activities throughout the organisation. Compliance
responsibilities would be written into individual terms of reference for function managers, compliance
committees would be established and group compliance would collate reports. Alternatively, a second
subcommittee could be avoided by having compliance report to the audit subcommittee, putting the
emphasis on compliance systems rather than individual risk control.
In either scenario, the head of group compliance would be responsible for identifying and evaluating all
risks that threatened to result in non-compliance. They would also be responsible for providing
assurance that risks are being adequately controlled. They would also be expected to liaise with external
regulators and perhaps contribute to working parties commenting on proposed changes to legislation.
As well as reporting to the appropriate subcommittee it would be normal for them to have direct access
to the chairperson of the board.
Compliance activities are a subset of both audit and risk management activities, concentrating on a
limited number of specific, but important risks. As such, people in a compliance function will have
similar skills, training and experience as those in audit and risk management functions. Moreover,
compliance will be looking for compliance risks in the same areas and functions of the organisation.
Potential conflict is obvious. Line managers will get fed up with two or three sets of people asking similar
questions and the three functions may argue over ownership and priorities of individual risks. Duplicate
records might be kept and objective decision making prejudiced by internal professional rivalry.

F Governance, risk and compliance (GRC)


Risk management, audit and compliance activities are all responses to particular requirements
organisations have been forced to consider. Historically, each was introduced separately to address
individual concerns. However, as the main purpose of all three functions is to improve corporate
governance, it makes sense to try and eliminate inherent conflict and overlap by designing an
organisation structure that merges some of the functions of the three departments while still retaining
their crucial independence.
Attempts to create such an integrated structure have become known as governance, risk and compliance
(GRC) frameworks. There is no internationally recognised definition of GRC but a paper by Racz, Weippl
and Seufert in 2010 proposed the following:

GRC is an integrated, holistic approach to organisation-wide governance, risk and compliance ensuring that an
organisation acts ethically correct and in accordance with its risk appetite, internal policies and external regulations
through the alignment of strategy, processes, technology and people, thereby improving efficiency and effectiveness.
Source: Racz, N., Weippl, E. and Seufert, A. (2010) A frame of reference for research of integrated governance, risk & compliance
(GRC). Berlin: Springer. Used with permission from Springer.

This definition captures the essence of GRC ambition, but uses the term ‘compliance’ to include audit
functions. In organisations where compliance and audit are separate entities, compliance relies on audit
to provide assurance of compliance processes, and audit can assist compliance by ensuring that results
from proposed compliance improvements can be measured. GRC encourages audit and compliance to
work closely together using the same strategies, processes and technologies.
Organisations with separate risk management, audit and compliance activities have difficulties
providing coherent information to the board to improve corporate governance. Different vocabulary,
approaches, systems, and documentation make it difficult to maintain a clear view of risks and their
dependencies, particularly risks that cross departmental boundaries. Risk management and compliance
investigations are duplicated and additional costs are incurred matching and consolidating separate
data records.
An objective of GRC is to rationalise information gathering and processing structures using common
technology to capture, store and process information. Organisation-wide training is also required to
introduce a common vocabulary across all risk management and assurance functions. Redundancy in
operations can be reduced by requiring risk management, audit and compliance to agree on the
definition and assessment of key risks and to coordinate their activities in meetings with operational
functions and on risk management/audit/compliance committees.
With a defined integrated architecture for information processing, supported by common GRC software
technology, risk, audit and compliance work with an agreed common database. There is less room for
misunderstanding and more scope for consolidating information from all three functions for upward
reporting. Monitoring and review become more efficient and it is easier to identify trends.
GRC cannot be introduced easily or quickly in a large organisation. Established professionals have to be
persuaded to change the way they work. The concept cannot be introduced haphazardly with individual
initiatives at working levels. If improvements in governance are to be obtained, the board must set out
clear objectives and strategic requirements so that an organisation wide architecture can be designed.
Only when the overall design is completed and approved can new systems and procedures be
introduced progressively at unit or operational level.
A GRC task force will be needed to promote the initiative piece by piece across the organisation, a
project that could take many years. This group will look for strengths within existing functions from
which other areas could benefit. Its aim is to develop shared processes and information within the
overall common framework. The task force will have to obtain acceptance of their efforts by
demonstrating immediate improvements in efficiency.
GRC is expected to improve governance and efficiency by aligning strategy, processes, technology and
people. Measuring efficiency improvements can be relatively straightforward. Costs of new IT hardware
and software plus costs of the task force project must be more than offset by savings in total department
budgets for risk management, audit and compliance (including budgets in operational departments for
cooperating and interfacing with these activities).
Chapter 3 Roles and responsibilities 3/21

Measuring improvements in corporate governance will be more subjective, although some
measurements can be made. Is there accountability for risk and compliance? Are costs being reduced
when risks materialise? Have there been fewer breaches of compliance with external legislation or internal
requirements safeguarding reputation? Are trends and new and emerging risks being identified? Does
risk information help with strategic planning? Does the board feel it knows the risks when it makes key
decisions?
You can see from this description that GRC is an emerging trend, something that large organisations are
likely to consider as external pressure from governments, shareholders and other stakeholders
increases. In a GRC environment, risk management can no longer be considered in isolation from audit
and compliance activities, as it must share the same technology systems and procedures. However, the
principles and processes of risk management activity still apply. Both independent and integrated risk
management operations have the same objective in identifying and controlling risk as an aid to better
corporate governance.

Question 3.2
Organisations may consider integrating audit, compliance and risk management activities in a single GRC system.
What are they hoping to achieve?

G Risk appetite and risk tolerance


We saw earlier that the recommended practices on competence, risk management and internal control
associated with the UK Corporate Governance Code require the board, among other tasks, to
specify the organisation's risk appetite and set policies on risk and control. The board has to provide
guidance to help managers decide what type and level of risk they can take as they go about their
business. This is done by setting boundaries on risk appetite and risk tolerance. We will explain what
these terms mean in the following sections.

G1 Risk appetite
We keep mentioning risk appetite, but what is it? In simple terms it is a statement of an organisation’s
attitude to risk. How much of what sort of risk is an organisation willing to take? HM Treasury uses the
following definition:

Risk appetite: the amount of risk that an organisation is prepared to accept, tolerate, or be exposed to at any point in
time.
Source: HM Treasury (2004) The orange book: management of risk – principles and concepts. Available at http://bit.ly/2I6xuIq
[Accessed February 2018]. This material is under Crown copyright.

Risk appetite must consider all types of risk and in terms of both threat and opportunity. As well as
setting limits on the amount of 'downside' risk an organisation is prepared to accept, the appetite policy
must allow for controlled risk taking where anticipated long-term gains outweigh potential short-term
losses. The last thing you want is a risk policy that promotes excessive caution and discourages
innovation and change.
This is why it is important to define risk appetite and communicate the policy to line managers and
decision-making staff. Managers must be clear on the level of risk it is legitimate for them to take and
what attitude is expected if additional risk taking is requested. Levels must not stifle creativity and
ability to take advantage of perceived opportunity, but on the other hand must be restrictive enough to
prevent significant risks being accepted without knowledge and approval of the board. In a large
organisation, risk appetite will need to be defined for different levels of management and functions, with
a formal escalation process where managers encounter risks beyond their level of decision.

Consider this…
What are the advantages of defining risk appetite?

Defining risk appetite provides a framework for informed decision making. It shows the contribution of
various business elements to the overall risk profile, highlights risks that need attention and promotes
consistency of business decisions. It also provides a basis for audits and investigations.

What does a risk appetite policy statement look like? This will vary from organisation to organisation,
but a typical solution is a presentation in matrix form. This has the advantage that it can be
arranged to align with the major risk categories selected by the organisation.
One way of illustrating risk appetite is to adopt a simple numerical classification, a scale of (say) 1 to 5,
where 1 is risk averse, 5 is risk hungry and there are three levels in between. For each risk category we
select we can then add some explanation to clarify what each level relates to so we have a basis to help
other people make decisions. All management have to do is indicate the numerical risk level in each
category that the organisation is willing to tolerate.
Figure 3.2 is an example of a risk appetite policy outline, covering three risk categories and five levels of
appetite.

Figure 3.2: Risk appetite policy outline

Levels of risk appetite: 1: Risk averse; 2: Minimum risk; 3: Limited risk; 4: Managed risk; 5: Risk hungry.

Reputation
• 1 Risk averse: No risks to reputation tolerated.
• 2 Minimum risk: Tolerance for risks unlikely to affect reputation.
• 3 Limited risk: Tolerance for risks with small or local effect.
• 4 Managed risk: Tolerance for risks to obtain reward, provided risks are properly managed.
• 5 Risk hungry: Support for calculated risk taking to obtain significant potential benefits.

Financial
• 1 Risk averse: No loss tolerated. Take lowest cost option. No wasted resources.
• 2 Minimum risk: Tolerance only for unavoidable loss. Value for money always required.
• 3 Limited risk: Tolerance for small risks in pursuit of expected gains. Resources for opportunities.
• 4 Managed risk: Tolerance for well-reasoned risk.
• 5 Risk hungry: Responsible investment risks encouraged. Speculative resource allocation allowed.

Operational
• 1 Risk averse: Use well-proven methods. Avoid technology changes. Limit delegation.
• 2 Minimum risk: Avoid innovation. Only essential system changes. Strict delegation controls.
• 3 Limited risk: Limited innovation. Minor system changes tolerated. Minor decisions can be delegated.
• 4 Managed risk: Well-managed innovation supported. System changes considered to meet objectives. Non-critical decisions can be delegated.
• 5 Risk hungry: Innovation and new thinking encouraged. Always explore use of new technology. Devolved decision making encouraged.

A risk appetite policy outline can be treated as a discussion document to be continually refined in the
light of management comment. It will change over time as an organisation changes and develops, and
accepts new challenges and commitments. The comments for management guidance can be expanded
and refined according to the needs of the organisation, experience of effectiveness and feedback from
managers as to how helpful the guidance was in arriving at actual decisions.

G2 Risk tolerance
We have defined risk appetite as the amount of risk an organisation is prepared to tolerate, and we have
used the word tolerance freely in our risk appetite policy outline. Risk appetite policy is a guide that can
be used for both existing risks and for new and emerging risks. It describes those risks that an
organisation is actively willing to take. Risk tolerance describes those risks that the organisation might
be able to put up with.

Example 3.2
Once it has determined levels of risk appetite, an organisation can decide which risks it has appetite for in each risk
category it defines. For example, an investment bank might allocate appetite level 5 to financial risk but a more
cautious level 2 for reputational risk. An organisation writing software for computer games might allocate 5 to
operational risk and perhaps 3 for financial risk. Of course in a practical situation, the risk categories will not be as
broad as our example. Different categories of financial risk will be allocated their own risk appetite levels.

We can then use these risk appetite guidelines to decide whether particular risks can be tolerated or not.
More usefully we can decide at what level a particular risk can be tolerated. Could a risk be tolerated if
its probable impact or frequency were less than currently predicted? This approach gives us a framework
for informed risk management decisions. Can we allocate resources to manage the risk to bring its
expected effects down to a tolerable level?
In chapter 5 we will be looking at techniques for measuring and comparing the impact that risks might
have on organisation objectives if they mature. The other important characteristic of risk is how often it
is likely to occur. Risks to avoid or manage are obviously those that have a high impact and are expected
frequently.

If we arrange risks in order of impact and frequency we have a method of identifying which risks to
investigate first. Then we can use our risk appetite information to draw a line above which risks cannot
be tolerated, and the board or chief risk officer needs to take action. We might also draw extra lines,
lower down the impact/frequency scale, to identify blocks of risks where decisions are the responsibility
of different levels of management.
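The ranking just described can be worked through as a small computation. The following Python script is an added example and is not part of the study text or of any named framework: the 1 to 5 impact and frequency scales, the per-category appetite levels (following the shape of Figure 3.2), the tolerance ceilings, the three decision tiers and the sample register are all assumptions constructed for illustration. It scores each risk by impact times frequency, orders the register most urgent first, draws the line above which the board or chief risk officer must act, and draws a second line below it that separates senior management decisions from those left to line managers.

```python
"""Risk register triage by impact and frequency against a risk appetite matrix.

Added example, not from the CII study text. Everything below (scales, appetite
levels, tolerance ceilings, decision tiers and the sample register) is a
constructed assumption for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    category: str   # 'reputation', 'financial' or 'operational'
    impact: int     # assumed scale: 1 (negligible) .. 5 (severe)
    frequency: int  # assumed scale: 1 (rare) .. 5 (frequent)

    def score(self) -> int:
        """Impact times frequency, 1..25; the ordering key for the register."""
        return self.impact * self.frequency


# Assumed appetite level per category, 1 = risk averse .. 5 = risk hungry
# (the same five levels as Figure 3.2; the category values are invented).
APPETITE = {"reputation": 2, "financial": 4, "operational": 3}


def tolerance_ceiling(appetite_level: int) -> int:
    """Highest score tolerated without escalation to the board (assumed mapping:
    the ceiling rises with appetite; a risk-averse category tolerates a score of
    at most 2, a risk-hungry one up to 16)."""
    return {1: 2, 2: 4, 3: 8, 4: 12, 5: 16}[appetite_level]


def decision_tier(risk: Risk, appetite=APPETITE) -> str:
    """Management level that must own the decision on this risk.

    Upper line: above the category ceiling the board or chief risk officer acts.
    Lower line: above half the ceiling senior management decides; below it the
    decision can be left to line managers (both lines are assumptions)."""
    ceiling = tolerance_ceiling(appetite[risk.category])
    s = risk.score()
    if s > ceiling:
        return "board"
    if s > ceiling // 2:
        return "senior management"
    return "line manager"


def triage(risks, appetite=APPETITE):
    """Return (name, score, tier) for each risk, most urgent first; ties on score
    are broken by impact so the more severe risk is investigated first."""
    ranked = sorted(risks, key=lambda r: (r.score(), r.impact), reverse=True)
    return [(r.name, r.score(), decision_tier(r, appetite)) for r in ranked]


def max_tolerable_frequency(risk: Risk, appetite=APPETITE) -> int:
    """Answer 'could this risk be tolerated if it were less frequent than predicted?'

    Returns the highest frequency (on the 1..5 scale) at which the risk stays
    within its category ceiling, or 0 if no reduction in frequency alone is
    enough and the impact itself must be reduced."""
    ceiling = tolerance_ceiling(appetite[risk.category])
    return min(5, ceiling // risk.impact)


# Constructed sample register (names and values invented for the example).
REGISTER = [
    Risk("Customer data breach", "reputation", impact=5, frequency=2),
    Risk("Supplier insolvency", "operational", impact=3, frequency=2),
    Risk("FX loss on contracts", "financial", impact=2, frequency=3),
    Risk("Minor outage", "operational", impact=1, frequency=4),
]


if __name__ == "__main__":
    for name, score, tier in triage(REGISTER):
        print(f"{score:>2}  {tier:<18} {name}")
    for r in REGISTER:
        f = max_tolerable_frequency(r)
        print(f"{r.name}: tolerable at frequency <= {f}" if f else
              f"{r.name}: no frequency reduction suffices, reduce impact")
```

Running the script lists the register with the most urgent risk first and the level of management responsible for each decision. In the sample register the data breach scores 10 against a reputational ceiling of 4 and goes straight to the board, and because 4 // 5 is 0 no reduction in frequency alone would bring it within tolerance: the treatment has to reduce impact, for example by limiting what data is held. The supplier risk is already within its operational ceiling and so sits with senior management.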

H Risk aware culture


Every organisation has its own way of doing things. If you become involved with several organisations
you will immediately notice differences in the way people behave, in the attitudes of management and
staff and the general approach to business performance achievement. Two similar hotels, for example,
can have radically different standards of guest service even though their business objectives are
ostensibly the same.
The way people behave in any given situation at work is strongly influenced by the customs and
practices of their organisation. Organisation culture is a collective description reflecting typical
behaviour patterns of people who work there. As customs and practices are developed, encouraged or
discouraged by management, so can behaviours and attitudes be altered. In the context of risk
management, organisations must decide how they want staff to deal with risk and set out to create and
sustain a supporting culture.

Example 3.3
We can illustrate the effect of different cultures with a simple example. Suppose you can choose who supplies a vital
component of a key product for your organisation. You have an established and reliable European supplier, but have
identified a Chinese source that offers not only a cheaper alternative but one that might make your product attractive
in additional market areas. The risk is that you know little of the Chinese company except what you have been able to
read on the internet and from informal conversations with trade organisations and business network contacts. You
switch to the Chinese supplier, but several months later its premises are destroyed by flood and the company ceases
trading. Do you expect immediate personal blame for taking too much risk or do you expect sympathy that things
went wrong and a constructive discussion to try and prevent a similar situation developing in the future?
A good risk culture will result in risk awareness and assessment being an accepted and integral part of routine
management procedures. Staff will be aware of risks inherent in their ongoing activities and the level of risk with
which their management are comfortable. They will understand the importance of following risk management
procedures and will implement supporting controls.

The Health and Safety Executive (HSE) has identified activities that promote a risk aware culture. These
can be remembered by the acronym LILAC which stands for leadership, involvement, learning,
accountability and communication.

LILAC

• Leadership in terms of clarification of strategic and personal risk objectives.
• Involvement of stakeholders at all stages of risk management.
• Learning from events with effective training.
• Accountability of individuals but with shared efforts to prevent reoccurrence.
• Communication with free discussion of objectives, methods and results.

Various initiatives may be used to enhance risk awareness culture in an organisation. One obvious route
is promotion of an awareness campaign, supported with training aids, literature and poster displays.
More effective might be the introduction of more rigorous risk identification and control procedures
supported publicly by senior management and with regular board level reviews. A long-term objective
would be to fully embed risk consideration as an integral part of everyday procedures at all levels in an
organisation.

Maintaining this culture will require continuous training support, particularly for new recruits. It will also
need a continuous review and monitoring programme to ensure not just that procedures are being
followed, but that required results are being achieved. Review and monitoring are audit functions but
will be conducted in liaison with the risk department to ensure that recommended improvements to the
framework or procedures are practical and will be implemented.
Everyone in an organisation is involved in a dynamic risk management environment and should be made
aware of success when measurable gains are obtained. Has the ERM system improved corporate
performance? How did ERM contribute to achieving corporate goals? What advantages did individual
departments or functions record? Were there fewer incidents than last year, fewer insurance claims, less
downtime from incidents, fewer health and safety issues to resolve? Is return on investment as
expected? Key contributors can be rewarded with prize awards or bonuses and ERM efforts
acknowledged when strategic goals are achieved.

I Risk maturity
Generally speaking, organisations with effective risk management processes can expect fewer unexpected
losses and better selection of future opportunities. The more risk management principles become
embedded in organisation culture, the more effective the processes are, leading to greater
expected gains.
A qualitative indication of progress in developing risk awareness in an organisation can be obtained by
regularly assessing the current level of risk culture. Processes of observation, audit and interviews are
used to evaluate the extent to which risk culture is embedded in organisation procedures and practices.
The result is a classification in terms of risk maturity, where various levels of maturity are defined by
descriptions of different risk control structures and perceived attitudes to management of risk. Levels
might range from ‘no formal risk policy or risk control structure, individuals making their own risk
choices with little or no consideration’ to ‘clearly defined written risk policy and established review
structure, individuals routinely consider risk and know what behaviour management expects’.
Organisations may develop their own risk maturity model for this type of assessment or use one of the
general framework models available. A simple model known as the 4Ns is currently being promoted. This
has four levels of maturity labelled as naïve, novice, normalised and natural, with corresponding
descriptions for each of these levels. The HM Treasury Risk Management Maturity Model is another
example, which can easily be adapted for commercial businesses.
For our example we will use a model with five levels of maturity ranging from initial to strategic. These
levels correspond to observable features of risk management behaviour as follows:

Level 1: Initial • Risk management objectives and policies not, or badly, defined.
• Risk management activities uncoordinated and fragmented.
• Ad hoc processes and procedures.
• People generally unaware of risks until they occur.
• No formal procedure for improving risk management processes.
Level 2: Uncoordinated • Risk management objectives and policies not, or badly, defined.
• Risk management established in parts of the organisation, but uncoordinated.
• Some written processes and procedures.

• Only easily identifiable risks addressed (e.g. hazard, regulatory, financial).
• No consolidated risk reporting or risk process improvement strategy.
Level 3: Intermediate • Outline risk policy published, linked to governance.
• Risk management established in all business units, with published processes and
procedures, including monitoring and improvement activities.
• Operational risks identified and managed.
• Common risk types coordinated between business units.
• Risks related to strategic objectives.
Level 4: Coordinated • Policies cover most aspects of risk management and governance.
• Risk management integrated across all business units, with common technology
support, internal audit links and formal improvement activities.
• Consolidated risk reporting to the board.
• All relevant risk types identified and assessed against strategic objectives.
• Risk treatment strategies coordinated across the organisation.
Level 5: Strategic • Policies define all aspects of risk management and governance.
• Risk management integral to, and integrated across, all activities and business units.
• Risk management activities consider opportunities as well as negative risks.
• Risk management actively contributes to strategic plans.
• Risk management recognised as contributing to competitive advantage.

Organisations will use levels and words appropriate to their size, structure and aspirations. They can
then apply tests to see how far implementation of their risk management policies has progressed. It is
accepted that greater risk management system maturity reduces the impact of undesirable events and
will reduce risks involved in forward strategies and plans. Remember, however, that it does not in itself
guarantee improved business performance.

Key points
The main ideas covered by this chapter can be summarised as follows:
Corporate governance and internal control
• Overall management and direction of any organisation is the responsibility of a small group of people who accept
certain roles and responsibilities in line with corporate legislation.
• The board exists to give overall direction. It must act in a lawful manner to further the shareholders’ interests.
• A board cannot ignore its responsibilities regarding risk management. It needs to specify risk policy, thoroughly
review risk exposures and define levels of risk it is prepared to accommodate.
• A common approach with regards to supervising risk is to appoint a risk subcommittee.


• The risk subcommittee will act with board authority, setting policies and making risk decisions as required.
• The way a board sets up an organisation to achieve its objectives, together with the systems it puts in place to
manage and control that organisation, is known as corporate governance.
• The UK Corporate Governance Code provides a code of best practice for companies listed on the London Stock
Exchange. It is overseen by the Financial Reporting Council.
• SOX established enhanced standards for all US public companies listed by the financial regulator.
• CSA is a systematic process requiring management and staff to continually audit and report on risks and risk
controls for which they are responsible. Improved awareness and accountability for risk leads to better corporate
governance.
Enterprise risk management (ERM)
• The structure set up to control risk management across the whole organisation is known as enterprise risk
management.
• ERM systems allow all the risks involved in an organisation to be looked at together and from different perspectives.
This is known as a holistic approach.
• ERM has been recognised as an important element of strong corporate governance. Today its use in large
organisations is internationally supported by laws, regulations and compliance requirements.
• The ERM framework is important. It shows how essential functions of an organisation combine to create an
integrated system for managing risk across the whole organisation.
• ERM is a dynamic management system which requires that people be organised and trained to carry out delegated
tasks within specified boundaries and specified communication and reporting channels.
• In a typical ERM system, a group risk management function would be responsible for:
– setting up and maintaining the ERM framework; and
– managing all risk management functions within the group.
• An ERM function can make a valuable contribution to strategy formation as well as managing risk involved.
Individual responsibilities
• Depending on the size and structure of an organisation and reflecting its objectives and attitudes, responsibility for
risk assessment and control can be allocated in many different ways.
• Some organisations treat risk control as an integral part of general management, making each manager responsible
for events in their own area of influence.
• Effective risk management will heavily depend on the ability of the central risk management professionals to
communicate with and persuade their various management colleagues to treat risk in a coordinated manner.
• It is difficult, if not impossible, to prevent overlap between various management responsibilities.
• In the final analysis, responsibility for risk control throughout an organisation lies with the board of directors.
• A risk subcommittee will set out the structure by which they intend to manage risk in a written document available
for general reference. This is usually referred to as risk management architecture. This document describes the risk
management structure of the organisation, laying out lines of communication for reporting risk management issues.
• The risk management architecture document should be reviewed at least every one to two years to reflect major
changes in an organisation or its environment.
• A chief risk officer will contribute to decisions about the direction an organisation is to follow and will be intimately
involved in the detail of strategic plans. They could be actively or indirectly involved in many diverse issues.
• A risk manager could have board status in some organisations, a middle management or lesser role in others. In
some organisations the role may focus on a particular specialist area of risk.
• A risk officer is a person who carries out selected duties under the guidance and direction of the chief risk officer.
• In any organisation committees are established as forums to bring together experts or representatives from different
areas of the organisation to discuss common topics or objectives.

Relationship between audit and risk management


• Large organisations are typically concerned with two types of audit process: internal and external.
• External audits are conducted by separate professional organisations to give independent assurance to stakeholders
that published information conforms to specific standards and is factually correct.
• Internal audits are carried out within an organisation to provide assurance to the board that approved systems and
procedures are operating as intended.
• The board expects internal audit to provide assurance regarding several key functions, only one of which is risk
management.

• Evaluation of risk exposure is important. The internal audit will be looking to come to an informed opinion about
reliability of information and effectiveness of risk management operations.
Relationship between compliance and risk management
• Organisations whose existence depends on compliance with appropriate laws and regulations often create a
separate compliance function specifically to identify and control threats that might lead to breaches of compliance.
• Compliance must keep up to date with existing and new legislation affecting any organisation operation.
Compliance provides policies, guidance, training and advice on compliance issues, as well as assurance that
suitable compliance controls are in place and effective.
• Organisation of a compliance function could mirror the organisation of risk management.
• Compliance activities are a subset of both audit and risk management activities, concentrating on a limited number
of specific, but important risks.
Governance, risk and compliance (GRC)
• Risk management, audit and compliance activities are all responses to particular requirements organisations have
been forced to consider.
• Attempts to integrate these three activities into a single structure have become known as governance, risk and
compliance (GRC) frameworks.
• Organisations with separate risk management, audit and compliance activities have difficulties providing coherent
information to the board to improve corporate governance.
• An objective of GRC is to rationalise information gathering and processing structures using common technology to
capture, store and process information. Organisation-wide training is also required to introduce a common
vocabulary across all risk management and assurance functions.
• GRC is expected to improve governance and efficiency by aligning strategy, processes, technology and people.
Risk appetite and risk tolerance
• Risk appetite is the amount of risk that an organisation is prepared to accept, tolerate or be exposed to at any point
in time.
• It is important to define risk appetite and communicate the policy to line managers and decision-making staff.
• Defining risk appetite provides a framework for informed decision making.
• Risk tolerance describes those risks that the organisation might be able to put up with.
Risk aware culture
• Organisation culture is a collective description reflecting typical behaviour patterns of people who work there.
• Various initiatives may be used to enhance risk awareness culture in an organisation.
• Maintaining this culture will require continuous training support, particularly for new recruits. It will also need a
continuous review and monitoring programme to ensure not just that procedures are being followed, but that
required results are being achieved.
Risk maturity
• Generally speaking, organisations with effective risk management processes can expect fewer unexpected losses
and better selection of future opportunities.
• A qualitative indication of progress in developing risk awareness in an organisation can be obtained by regularly
assessing the current level of risk culture.
• Processes of observation, audit and interviews are used to evaluate the extent to which risk culture is embedded in
organisation procedures and practices. The result is a classification in terms of risk maturity, where various levels
of maturity are defined by descriptions of different risk control structures and perceived attitudes to management of
risk.
• Organisations may develop their own risk maturity model for this type of assessment or use one of the general
framework models available. A simple model known as the 4Ns is currently being promoted. This has four levels of
maturity labelled as naïve, novice, normalised and natural, with corresponding descriptions for each of these levels.

Question answers
3.1 Supervision of the process of risk assessment and ensuring necessary actions are adopted to mitigate against
those risks.
3.2 GRC is expected to improve governance and efficiency by aligning strategy, processes, technology and
people.

Self-test questions
1. What is corporate governance?
2. What sort of devices and procedures can be used for internal control?
3. What is ERM and why is it desirable?
4. Can you outline a typical organisation structure within an ERM framework?
5. State five key responsibilities you would expect a chief risk officer to have.

6. What is the difference between audit and compliance functions?
7. What is the difference between risk appetite and risk tolerance?
8. What activities support a risk aware culture?

You will find the answers at the back of the book


4 Tools and techniques 1: risk identification
Contents (syllabus learning outcome 3.4 covers sections A to G)
Learning objectives
Introduction
Key terms
A Why do we need risk information?
B What sort of information do we need?
C Sources of internal information
D Sources of external information
E Collecting data
F Reliability and change
G Methods of risk identification
Key points
Question answers
Self-test questions

Learning objectives
After studying this chapter, you should be able to:
• describe different sources of internal and external information;
• describe how to collect internal and external information;
• discuss how reliable information may be;
• explain how various risk management tools and techniques can be used to identify risk; and
• discuss the main advantages and disadvantages associated with the risk identification techniques
outlined.
4/2 M67/P67/March 2018 Fundamentals of risk management

Introduction
In chapter 2 we established that effective risk identification is the first step in the risk management
process. In this chapter we will look at the information needed to do this and consider a range of
questions:
• Why do we need it?
• What type of information do we want?
• Where does it come from?
• How do we get hold of it?
• Is it reliable?
• Does it change?
• What do we do with the data we collect?
We will explore different ways of examining and processing information, with specific reference to
organisation charts, flow charts, checklists and questionnaires, physical inspections, fault trees and
hazard and operability (HAZOP) analysis. We will also look at brainstorming to see if it is useful.

Key terms
This chapter features explanations of the following terms and concepts:
Brainstorming and workshops; checklists and questionnaires; databases; fault trees; flow charts; hazard
and operability (HAZOP) studies; historical risk reports; organisation charts; physical inspections.

A Why do we need risk information?


Suppose you are one of the most senior managers in an organisation. You and your colleagues have to
make difficult decisions affecting the future of the organisation. You have already decided the
organisation needs to grow from its current operating base but now face a number of questions:
• What type of new product are we going to sell?
• What markets do we target?
• How much investment will we need?
• What structure is best?
• How are we going to support our customers?
• Will cash be available?
• What are our options if it all goes wrong?
Questions like these are not easily answered and each decision you make carries a risk that the outcome
is not going to be what you expected. Obviously, the more you know about the risks you face the more
chance you have of making the right decisions needed to meet your objectives. The same argument
applies all the way down the management chain. Everywhere a decision is to be made, if people
understand the risks they face they can take precautions to avoid them, or at least, reduce the effects if
those risks materialise.
We can see then that risk management is not a separate unit within the organisation but is integral to,
and indivisible from, strategic and operational management.
To be effective, risk management needs comprehensive, trusted and relevant risk information. It has to
be quantified and communicated in a way that helps people make better decisions.

Consider this…
How are key risk management decisions made in your organisation or in one which you are familiar with?

B What sort of information do we need?


It may seem obvious that the first information we need is a list of risks. From that starting point we can
begin to ask questions about those risks and try to arrange them in some order of importance. We only
need to list risks that affect our organisation, but we do need to identify as many of those risks as
possible. The more risks we recognise the better prepared we can be.
Remember that an organisation can be affected by both external and internal risks. In addition, you will
realise it is a significant challenge for a risk department to identify all activities that may give rise to risk.
In order for risk departments to achieve this they will need to identify risks in a logical and cost-effective
manner.
Aon has conducted a survey of the risk management strategies of a number of organisations every two
years since 2007. The respondents answer questions on, among other things, the methods they use to
identify and assess the major risks they face, the most important external drivers to strengthen risk
management, and what they perceive to be the main benefits of investing in risk management.

The 2017 survey consolidates responses from 1,843 organisations from 33 industry sectors in over 60
countries. They are a mix of public and private organisations, and government and not-for-profit entities.
One of the highlights of each report is the top ten risks facing organisations. The respondents were
asked which risks (out of a list of 55) gave them the greatest cause for concern. It is interesting to see
how the top ten risks have changed from 2007 to 2017.
The top ten risk concerns given by the organisations consulted are captured in table 4.1.

Table 4.1: Top ten risk concerns facing organisations

2017: 1. Damage to reputation/brand; 2. Economic slowdown/slow recovery; 3. Increasing competition;
4. Regulatory/legislative changes; 5. Cyber crime/hacking/viruses/malicious codes; 6. Failure to
innovate/meet customer needs; 7. Failure to attract or retain top talent; 8. Business interruption;
9. Political risk/uncertainties; 10. Third party liability.
2015: 1. Damage to reputation/brand; 2. Economic slowdown/slow recovery; 3. Regulatory/legislative
changes; 4. Increasing competition; 5. Failure to attract or retain top talent; 6. Failure to innovate/meet
customer needs; 7. Business interruption; 8. Third party liability; 9. Computer crime/hacking/viruses/
malicious codes; 10. Property damage.
2013: 1. Economic slowdown/slow recovery; 2. Regulatory/legislative changes; 3. Increasing competition;
4. Damage to reputation/brand; 5. Failure to attract or retain top talent; 6. Failure to meet customer
needs; 7. Business interruption; 8. Commodity price risk; 9. Cash flow/liquidity risk; 10. Political
risk/uncertainties.
2011: 1. Economic slowdown; 2. Regulatory/legislative changes; 3. Increasing competition; 4. Damage to
reputation/brand; 5. Business interruption; 6. Failure to meet customer needs; 7. Failure to attract or
retain staff; 8. Commodity price risk; 9. Technology failure/system failure; 10. Cash flow/liquidity risk.
2009: 1. Economic slowdown; 2. Regulatory/legislative changes; 3. Business interruption; 4. Increasing
competition; 5. Commodity price risk; 6. Damage to reputation; 7. Cash flow/liquidity risk;
8. Distribution or supply chain failure; 9. Third party liability; 10. Failure to attract or retain top talent.
2007: 1. Damage to reputation; 2. Business interruption; 3. Third party liability; 4. Disruption or supply
chain failure; 5. Market environment; 6. Regulatory/legislative changes; 7. Failure to attract or retain
staff; 8. Market risk (financial); 9. Physical damage; 10. Merger/acquisition/restructuring; Failure of
disaster recovery plan.
Source: Aon (2017) Global risk management survey: 2017.
Available at: http://aon.io/2FgmMgy. Used with the kind permission of Aon. [Accessed February 2018].

Consider this…
Can you think of another two general headings of risk faced by your organisation? Or think of a risk you are familiar
with that could be added to the above table?

External events shape perceptions of risk importance. Note the effect of the 2008 financial crisis.
Generally, it is those risks which threaten the objectives and deliverables of an organisation that are
seen as greater threats than the financial cost of damage.
Damage to reputation remains the number one risk in 2017. Organisations see an increasing number of
high-profile product recalls and company scandals. Also, the power of social media to pick up, amplify
and distribute even throwaway comments from minor staff makes control of reputation increasingly
difficult. Increased regulation translates to increased administrative costs and governance requirements,
but it is the growth in individual and class action prosecutions that concerns organisations, as the blame
and compensation culture keeps spreading. Cyber crime has risen up the table in the context of
worldwide, major data losses, hacking of sensitive email accounts, and malicious attacks designed to
destroy or disrupt critical services.

The rise in political risk is seen as due to events like Brexit, the election of Donald Trump, and the
popularity of political protectionist movements in response to immigration issues and widening social
divides.
The risks in this table are risks any organisation may face. This is by no means a definitive list or one
which encompasses all issues a risk management department may need to consider. However, it does
provide a flavour of the potentially wide remit of a risk department and the extent of information
required, both internally and externally, to manage such risks.

C Sources of internal information


We can see that if we are going to identify risks in many different areas, we will need to have intelligence
sources right across our organisation, and we will need to have external sources as well. What are these
intelligence sources? We will look first at internal possibilities.

The main sources of internal information are: people, meetings, committees, documents, databases and
observation.
We will now look at each of these sources in more detail.

C1 People
You will remember from chapter 3 that each line manager in an organisation is usually expected to
manage risks in their own area of operations as part of their normal duties. This may be written explicitly
in terms of reference or a job description or may just be implied as being normal custom and practice for
the job in question. A useful starting point then is to ask each manager ‘What risks are you managing?’
Are there other personnel expected to focus on risk as part of their wider responsibilities? These too will
be a useful source of information. They are still worth consulting even if they only consider one or two
aspects of risk as part of their role.
As well as those personnel associated with the audit and compliance functions we looked at in the last
chapter, others who may have management of risk considered to be a part of their role can include:

• design engineers;
• facilities managers;
• project managers;
• legal officer;
• product development manager; and
• company secretary.
Another source of useful information from colleagues is information from those individual risk
professionals with, amongst others, responsibility for security, fraud and compliance, the insurance
programme, health and safety and business continuity. This is regardless of whether or not they are
integrated in the risk team.

C2 Meetings
Organisations have formal meetings to coordinate their activities. Some meetings will be at fixed periods
with a similar agenda each time, while others will be ad hoc to discuss a particular matter needing
resolution. The outcome of formal meetings will normally be recorded in a document known as minutes,
even if the document is just a record of decisions taken or actions required. Properly written minutes will
allow people absent from the meeting to learn about key decisions or activities that were made.
Some meetings will be of more concern to the risk department than others, and it may be necessary to
have a representative present to access detail. For others, reading the minutes should enable judgments
to be made if anything is worth following up. As most important decisions are taken or ratified at formal
meetings, they are a vital source of regular information about ongoing activities. The risk department will
of course organise meetings specifically to discuss matters affecting risk and disseminate minutes for
more general information.

C3 Committees
A nominated group of people holding meetings for a particular reason is known as a committee. The risk
department should be involved in all committees that discuss risk.
As we saw in chapter 3, some organisations have a hierarchy of risk committees, from those discussing
day-to-day operational risks involved in a particular location or operating area right through to board
level strategic risk assessment. A board risk subcommittee will be authorised to fulfil board
responsibilities regarding risk.
Larger companies may also have an equivalent audit subcommittee. The purpose of an audit
subcommittee is to stand back from the organisation’s functional executives and take a view on the
behaviour of its managers and the effectiveness of business controls.
Some regulatory authority requirements and guidelines encourage an audit committee to be in place. As
this committee is discussing strategic risk controls, the risk department should be present or, at the very
least, be required to report on risk exposures to that committee. Cooperation and a good relationship
can bring benefits to both parties.

Question 4.1
List four sources of internal information.

C4 Documents
We have seen that useful risk information may be contained in minutes of appropriate meetings. What
other useful documents will there be? The answer will vary according to the organisation, but examples
may include the following:

• proposal papers;
• auditors’ reports;
• insurance documents;
• procedures manuals; and
• historical risk reports.

C4A Proposal papers


Proposal papers are documents produced to support requests for approval. They set out background
information leading to the request and the implications of its approval. Predicted benefits will be
emphasised and the investment needed will be detailed. The papers may or may not highlight any risk
involved.
Examples would be proposals to:
• develop a new product;
• build a new facility;
• invest in a new IT system;
• enter a new market;
• sell a complex product at a special price;
• approve an advertising campaign;
• alter a pension scheme; and
• buy another organisation.

Consider this…
Can you think of more types of requests where proposal papers would be prepared?

C4B Auditors’ reports


We discussed the role of auditors in risk management in chapter 3. Auditors’ reports are documents
recording the findings of audit activity. Large organisations are required by law to have an annual
financial audit by a qualified external accountant. Audit bodies normally have representation from
outside the function or area under scrutiny. At board level this is often a non-executive director or an
external specialist consultant. As we have seen, some regulatory authorities within UK financial services
look at audits as evidence of good management control, and have their own requirements and
expectations.
However, audits are not confined to financial affairs: quality audits are common, as are audits to ensure
conformance with written working procedures. Non-financial audits will be internally authorised by
senior managers or the board.
The purpose of audits is to check that proper output is being produced, whether accurate financial
information or full specification product. The audit report will comment on reliability of procedures,
checks and controls and may highlight unnecessary risk for management attention. Audits give directors
confidence that they can trust information presented to them and a measure of the probability that
planned outcomes will be achieved.
Risk departments need to work closely with auditors in areas of common concern. For example, there
may be controls in place to ensure that funds are not transferred from the organisation without ensuring
that the recipient has earned the exact amount and is entitled to receive those funds at that time and in
the format used. Both auditor and risk department will be concerned to ensure these controls are
effective as they are both interested in prevention of fraud.

C4C Insurance documents


Insurance is all about assessing risk and the probability that particular risks will materialise into claims.
The policy schedule is the place where the policy is made personal and specific to the insured. Within
the schedule are shown the variable details of the policy, as follows:
• Insured’s name.
• Insured’s address.
• Policy period.
• Premium.
• Details of the subject matter.
• Sum insured or limit of liability.
• Territorial limits, if any.
• Policy number.
• Reference to special exclusions, conditions or aspects of cover.

Insurers will often conduct surveys before quoting a premium to insure particular risks. These will
normally contain a risk analysis as background to insurance options. The fire and rescue service and the
Health and Safety Executive (HSE) may also have completed surveys of individual factory or office sites.
Surveys are sure to make comments about exposures and may include recommendations to improve the
control of risk. The surveys may, however, be focused narrowly on one aspect of the risk only or, indeed,
the insured risk only. Risk departments need to maintain a broad perspective and recognise any such
limitations in these documents.

C4D Procedures manuals


Procedures manuals are documents that set out the procedures and methods to be followed by
personnel working in various areas. If they are managed properly, they should reflect the considered
experience and requirements of both workers and management. They will also have been checked to
conform to quality, ethical, safety, welfare and other overall objectives. Risk departments must take a
detailed interest in procedures as these are where procedural risk management is implemented.

C4E Historical risk reports
Individual managers and the risk department will both maintain records about individual risks. Some
may be informal, others formal, properly documented and stored. If the information can be retrieved it
can be analysed to build a picture of historical risk assessment and risk incidence.
Obviously, the most useful information will be that collected under risk management auspices, including
a detailed incident log. However, individual managers may have commissioned investigations, for
example on IT security, other security or internet exposures. All of these documents are useful
background reading provided the risk professional retains that broader view on their value and on any
limitations in their scope.
We have not made an exhaustive document list. Risk information may be hidden in the mass of routine
paper and electronic mail that passes round the organisation on a daily basis. For example, a job
advertisement may indicate the strategic direction where a particular unit is heading.

C5 Databases
We have separated databases from the general heading of documents because databases imply
continuously updated information sources, whereas documents are essentially snapshot reports
associated with a specific date. Many organisations keep records in database form simply to make use
of search facilities and for ease of record retrieval. A common example would be a health and safety
incident log. Loss and near miss databases are other examples, especially in financial service
organisations.

C6 Observation
Our list of internal information sources would not be complete without mention of personal observation.
Trained risk professionals recognise risks and hazards as they go about their daily business. Other
people will have noticed the same problems and pitfalls but perhaps not appreciated their full risk
significance. A good risk professional will reflect on their observations and make notes prompting
further investigation.

D Sources of external information


You will remember that a multitude of external factors affect the risks an organisation carries, and so to
evaluate these risks it is necessary to have external information sources. What kind of sources hold
information we could use?
There is no definitive and exhaustive catalogue of external information; however some examples of
potential sources are listed below. Fortunately, it is no longer a difficult and time-consuming process to
obtain information from such sources as all reputable and reliable organisations these days have
websites available to access.

Sources of external information: Government organisations or organisations linked to the Government;
business and professional institutions; insurers and related organisations; databases; emergency
services; consultants; newspapers and magazines; company reports; and conferences.
D1 Government organisations
Government organisations and organisations linked to the Government publish a wide selection of
material, usually concentrating on general risk information of interest to multiple organisations or
general information on specific risk categories.

Useful websites
Home Office www.gov.uk and search for ‘Home Office’.
Environment Agency www.gov.uk and search for ‘Environment Agency’.

D2 Business and professional institutions


Business and professional institutions publish useful information on best practice, standards, audits,
management and governance issues. They also contain opinion, hold surveys and publish case studies
of topical corporate incidents. Many issue magazines and newsletters to their members, and some
commission research. Some have libraries and many issue regular articles on risk matters.

D3 Insurers
Insurers will keep records of historical claims and usually will be happy to discuss individual claim files
and the lessons to be learnt from incidents that gave rise to claims. There is common interest to reduce
future claim frequency and size.
Insurers also publish general risk-related material, including research findings. Organisations that are
closely associated with services offered by insurers, for example, chartered loss adjusters or reputable
solicitors, often publish information concerning particular risks and aspects of their management.

D4 Databases
Various organisations often have common interests in reducing certain types of risk. All public transport
organisations, for example, have a common interest in promoting safe travel. Insurers have common
interest in reducing insurance fraud. Retailers have common interest in stock protection methods. Such
groups of organisations might organise between themselves to maintain joint databases of useful
information.
Loss data sharing consortia are common in financial institutions to help reduce operational risk. For
example, the Association of British Insurers’ ORIC (Operational Risk Consortium) database is a
quality-controlled loss database to support risk management activities for insurers. ORIC holds
information on operational risk, i.e. losses due to failed people, processes, systems or external events. It
aims to improve the risk measurement and modelling skills of its members. Loss events and near misses
are reported by its members in risk categories that are consistent with the Basel II accord.

D5 Emergency services

The emergency services can provide information on risk and trends in risk. The crime prevention
department of the local police service is always willing to discuss trends in crime and give advice. It may
be necessary, however, to build relationships with specialist departments within these services. These
units can include those with responsibility for major fraud, kidnap and terrorism. In the City of London
and elsewhere, there are crime liaison groups where police and other organisations come together to
share views and experiences.

D6 Consultants
Consultants range from knowledgeable individuals with special skills to subsidiaries of insurers or
brokers and global corporations with vast resources and contacts. They offer different specialised
services but per head are relatively expensive to employ. Some market systems or software are designed
to assist with specific risk management issues.
The very nature of a risk professional’s responsibility calls for a huge spread and depth of technical and
other knowledge. It is very hard to acquire this knowledge and then to keep all that information always
up to date. Consultants can bring focused, current information, specialist skills or just additional
resources to a project.
Employing consultants, like any other outsourcing activity, is in itself a risk and should be subject to
stringent cost benefit assessment. Particular attention is needed to contract terms determining
responsibility for detrimental outcomes after using information or following their advice.

Useful websites
Deloitte www.deloitte.com/uk.
KPMG www.kpmg.com.
PricewaterhouseCoopers www.pwc.co.uk and www.pwc.com.

D7 Newspapers and magazines


Risk professionals can learn from every incident reported in the media. Look for quality in-depth reports
that have been properly researched. The subject of an article may be a plane crash, leaked information,
an earthquake or a major crime incident. Risk departments take great interest not only in how an
incident was caused, but also in how the damaged organisation handled the impact of the incident. The
public mostly notices how a damaged organisation handles media interest.
Newspapers are good sources of information on the general environment in which an organisation is
operating, but remember you need to read several newspapers or journals to reach a balanced view.
Between them they should give advance notification of planned or proposed changes to infrastructure,
legislation and taxes. Business publications may alert you to risk changes from competition, new
inventions and social fashion trends.
As well as newspapers there are lots of magazines and academic journals that are partially or largely
devoted to aspects of risk in a national or international context. Some of these are available by
subscription. Some restrict online access to members of particular associations or affiliations. Note that
some journals and magazines change their title over time and some have only a limited lifetime of
publication.

D8 Company reports
All publicly quoted companies, and many other organisations, publish annual reports and statements of
accounts. The chairperson’s statement alone can provide both facts and clues about an organisation’s
activities and objectives.
With the focus on corporate governance, large companies will be keen to demonstrate proper
management and risk awareness. The annual report may therefore contain a substantial analysis of key
corporate risks and predictions of potential damage if these risks were to materialise.

D9 Conferences
Conference companies set up lectures and workshops with different specialities and subjects. Often the
speakers are industry thought leaders and those who can usefully share information with delegates on
how their own organisation manages risks. Formal conference proceedings may be published on the
internet or in conference papers available to delegates and for accredited research.
If you have the opportunity to go to a conference you may get more information from talking to fellow
delegates than you get from the formal presentations. Conferences have the advantage of bringing
together people interested in specialist subjects in a non-confrontational environment.

Question 4.2
List four sources of external information.

E Collecting data
E1 How do we collect internal information?
Earlier in this chapter we saw that internal information is available from people, meetings, committees,
documents and observation. However, how do we get hold of this information so we can use it? One of
the best ways to start is to go on a tour.

E1A A tour
A tour of an organisation is time well spent for any risk professional. The tour should include visits to the
various ‘shop floors’. It should include interviews with key operational and facilities managers. Get to
know as many as you can and try and make them your friends. With the right relationships in place,
these people will be able to explain openly what their unit does, how it does it and where, in their view,
lie their exposures. They should also be able to provide organisation charts and process flow charts for
those areas in which they are involved.
Continuing dialogue and information sharing with these people can have important value that continues
as long as they are both employed. Often a manager will be able to point out a document, policy or
potential risk area for the risk professional to pursue. However, they will not initiate conversations
unless they feel comfortable with sharing sometimes sensitive information.
Information gathered from the tour will be the starting point for understanding risk and impact. The risk
department can bring these probably differing views and comments together and consider them as a
whole. They can also begin to identify interdependencies across individual operational units, and form
an overview of the organisation and its risks.
For example, a clerk in an accounting department may produce figures routinely for another department,
with little importance placed on their precise accuracy and punctual delivery. Just one of the recipients
of those figures, in an entirely different department, may be responsible for supplying figures to a
government department or regulator. Those figures, unknown to the clerk, may form part of a total that,
in turn, is information on which licences to trade depend. Banks, for example, need regularly to provide
figures on liquidity to the Bank of England as a condition of permission to trade.
Although losing the approval of regulators is one of the fastest and most public ways an organisation
can die, that clerk cannot be expected to see the ‘big picture’ unless it is explained. Of course line
management already should have done this, and maybe the process is explained in a procedures
manual. Nevertheless, it is often the risk department that highlights a procedural risk, particularly where
practices or personnel have changed in or around a long-established unit.

We have talked about the risk professional making personal visits to different sites across the
organisation. There are additional and very important ways that similar information can be collected
without a personal visit, by ensuring that risk information finds its own way back into the risk
department.

E1B Automatic information gathering


An organisation faces many different exposures to risk and has many different stakeholders that can be
affected by those risks in different ways. It will be clear, therefore, that any procedures set up to gather
information automatically need to be thoroughly thought through. Trusted information is the lifeblood
of a risk department and the gathering of that information needs to be a structured and uniform process,
with the end objective always clearly in mind.
To enable routine risk information collection there needs to be a proactive management information
system developed specifically for use by the risk department. Necessarily, this work is most often carried
out within the risk department itself, but should fit within the organisation’s overall controls and
governance.
The process begins with an effective method of ensuring that all necessary information is brought into
the department and is digested and turned into a useful management tool in a properly structured way.
It is a process too fundamental and important to risk management to be left to chance or indeed to
casual anecdotal conversations.
To be effective, procedures for collecting risk information must be clearly documented and issued with
the authority of the managing director or chief executive officer. Routine requirements should be
reflected in relevant procedures manuals and standing instructions. A simple rule, for example, would
ensure that minutes of specified meetings and all audit reports are always copied to the risk
department.
There must be recognised procedures for collecting specific information about risks that materialise into
incidents, and for recording potential hazards reported by individuals. These procedures must clarify
how incidents are to be logged and what supporting data is required. A specific person must be
appointed in each area to see required information is supplied and that individual must be aware of and
acknowledge this responsibility.
We have already noted that it is an enormous task to identify and keep track of risk data in a large,
possibly multinational organisation. For this reason data that is collected must be carefully selected. It
must be reliable, complete and accurate, with a system in place to prevent falsification, alteration or
loss. Most of all, it must be useful and used in subsequent analysis and reports. It is no use collecting
data that has no risk management value.
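One concrete way to meet the requirement above for a system that prevents falsification, alteration or loss is to make the incident log tamper-evident. The Python below is an added example written for this section, not code from the CII study text or from any risk department: each logged incident is chained to the previous one with a keyed hash (HMAC-SHA256) under a key held by the risk department or its auditor, so that editing, deleting or reordering an earlier entry invalidates every later hash and the verifier can point to the first bad entry. The incident records are constructed sample data, and the field names and the key are assumptions.

```python
"""Tamper-evident incident log (added example; not from the CII study text).

Each entry stores a keyed hash (HMAC-SHA256) over the record and the previous
entry's hash. Changing, deleting or reordering any earlier entry breaks the
chain from that point on, so verify_log() reports the first bad entry.
Assumed: the key is held by the risk department or auditor, not by the units
that submit incidents. Sample incidents are constructed for illustration.
"""
import hashlib
import hmac
import json
from typing import Any, Dict, List, Optional, Tuple

GENESIS = "0" * 64  # "previous hash" for the first entry


def _canonical(record: Dict[str, Any]) -> bytes:
    # Stable serialisation so the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _entry_mac(key: bytes, prev_mac: str, record: Dict[str, Any]) -> str:
    msg = prev_mac.encode() + b"\n" + _canonical(record)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_incident(log: List[dict], key: bytes, record: Dict[str, Any]) -> dict:
    """Append one incident, linking it to the current head of the chain."""
    prev_mac = log[-1]["mac"] if log else GENESIS
    entry = {"seq": len(log), "prev": prev_mac, "record": dict(record)}
    entry["mac"] = _entry_mac(key, prev_mac, entry["record"])
    log.append(entry)
    return entry


def verify_log(log: List[dict], key: bytes) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if the chain is intact, else (False, first bad seq)."""
    prev_mac = GENESIS
    for i, entry in enumerate(log):
        # Sequence numbers and back-links catch deletion and reordering.
        if entry.get("seq") != i or entry.get("prev") != prev_mac:
            return False, i
        expected = _entry_mac(key, prev_mac, entry["record"])
        # Constant-time comparison: the MAC is derived from a secret key.
        if not hmac.compare_digest(expected, entry.get("mac", "")):
            return False, i
        prev_mac = entry["mac"]
    return True, None


SAMPLE_INCIDENTS = [  # constructed sample data, not real incidents
    {"unit": "Factory 1", "date": "2018-03-02", "type": "near miss",
     "summary": "Forklift reversed into racking; no injury", "estimated_loss_gbp": 400},
    {"unit": "Factory 2", "date": "2018-03-05", "type": "injury",
     "summary": "Operator cut hand on press with guard removed", "estimated_loss_gbp": 12000},
    {"unit": "Distribution", "date": "2018-03-07", "type": "delay",
     "summary": "Contracted lorry late; line stopped 40 minutes", "estimated_loss_gbp": 9000},
]


def build_sample_log(key: bytes) -> List[dict]:
    log: List[dict] = []
    for record in SAMPLE_INCIDENTS:
        append_incident(log, key, record)
    return log


def tamper_example(key: bytes) -> Tuple[bool, Optional[int]]:
    """Someone quietly lowers the loss figure on entry 1 after the fact."""
    log = build_sample_log(key)
    log[1]["record"]["estimated_loss_gbp"] = 120
    return verify_log(log, key)


if __name__ == "__main__":
    key = b"risk-department-key"  # assumption: loaded from a secret store in practice
    print("intact log:", verify_log(build_sample_log(key), key))
    print("after edit:", tamper_example(key))
```

The chain does not stop a submitting unit from reporting a wrong figure in the first place; it ensures that whatever was reported cannot later be changed or quietly dropped without the verifier noticing, which is what the ‘two independent people’ and audit requirements discussed later in this chapter are also aiming at.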
We will look at how risk data is stored and analysed later. At this stage it is sufficient to recognise that
we are, inevitably, going to use computing tools. We should keep this in mind when we collect data and
collect as much as possible in machine-readable form or at least in a form that facilitates manual data
entry. Of course one way of reducing risk department workload is to get originating areas to transmit risk
data by filling in computer screen forms.
We have noted that it is important that the risk department forms good relationships with operational
managers throughout an organisation. Besides being a source of information, it is these managers that
will influence the attitude of people that are nominated to report risk data. This in turn will directly affect
the quality of the risk information they collect.
Sometimes, useful risk data can be collected completely electronically, particularly where plant or
processes are highly automated or digital sensors are involved. Security camera operation might be an
example of this or flight data ‘black box’ recording. Obviously, the less human intervention there is the
more reliable the data is likely to be.

E1C Collecting information from documents


Collecting information from documents is a specialised activity requiring particular skills. It is relatively
easy to extract information of interest from a single document and make notes, a procedure you will be
entirely familiar with. However, faced with hundreds or thousands of documents in different formats and
languages the task can be somewhat daunting. How do we extract relevant bits and put them together in
a way that makes sense?
4/12 M67/P67/March 2018 Fundamentals of risk management

First the risk professional must carefully select the documents that are likely to contain the sort of
information needed. We have already discussed what type of documents might be available. Then
procedures must be put in place to ensure that the department routinely gets copies. Next there must be
resources to scan this wealth of words and paperwork and extract the bits that are material to risk
decision making. The process may be manual or fed by an organisation-wide or supply chain software
system that guides and allows managers to input their risk information remotely.
We will discuss in section G3 the role of checklists and questionnaires. These are particular types of
document produced internally to collect specific information from selected people in a form suitable for
machine processing.
Selected documents will include minutes of relevant meetings, but there will be some meetings a risk
professional will prefer to attend. These will include meetings specifically called to discuss risk, but also
key policy meetings and meetings where strategic options are likely to be discussed. Attendance is
necessary to pick up background information and concerns.
Information taken from documents cannot always be accepted at face value. Writers have their own
reasons for choosing the words and phrases they use. If you read reports of a topical event in different
newspapers you will see how the same facts can be differently presented, and historical researchers are
all familiar with conflicting written evidence.
There are also circumstances where publishing risk information might alter the risk concerned. Security
risks, and some commercial risks, are vulnerable in this respect, which generally means that
discussions on these topics are deliberately excluded from the minutes of meetings. Readers must
decide for themselves if sources are complete and reliable, but as a general rule it is wise to separate
fact from hearsay and opinion. It is also important to solicit several independent records of any
information on which important judgments are to be based.

E2 How do we collect external information?


Historically, external information was collected by word of mouth, from manuscripts and drawings; then
printed material, books and newspapers followed by radio and TV. These sources can still be useful,
particularly a well-stocked or specialist library.
But today our best source of external information is via the internet. Vast quantities of information are
available from people and places all over the world selected by powerful search engines using key words
and phrases. Retrieval is practically instantaneous and automatic language translators are available.
Data collected in this way comes right on to your desk in digital form so you can decide what is useful
and transfer it easily to your own data store.
You will have to make your own decisions whether or not to subscribe to information sources that
require payment. As well as particular internet sites, subscriptions are normally needed for specialist
journals and magazines.
External information collected on paper has to be scanned, sorted and processed in exactly
the same way as paper information collected internally. Information from the internet comes
in machine-readable form.

Be aware
It is important to remember to keep your own risk notes in electronic form so they can be easily sorted and added to
the database if appropriate.

We talked about using questionnaires to solicit answers to particular questions. External surveys are
used extensively to measure customer satisfaction and to collect information for marketing use. Certain
organisations might find a use for similar surveys of selected clients to collect their reaction to specific
risk issues.

Consider this…
Think of some risk-related questions that might be handed to patients as they are discharged from hospital.

So we have talked to people, collected data and documents and recorded the personal observations of
members of the risk department. How do we put all this information together to make sense and support
arguments for risk management controls? Is there something else to consider before we start?
Well before we start processing our data we still have two of our original questions to address: is the
data reliable and does it change?

F Reliability and change


F1 Is our information reliable?
We have stressed that information used for risk assessment must be accurate and trusted. Processing
unreliable data leads to wrong conclusions being drawn, followed by bad management advice and wrong
decisions being made. We must take positive steps to make sure our data is trustworthy and be able to
demonstrate to any interested people that these controls work.
If we cannot guarantee our data sources are reliable, this must be explicitly stated in all subsequent
reports and recommendations based on that information; explaining why we think the data is likely not
to be trustworthy. For example, it is important to remember that not everything that is on the internet is
fully correct, impartial and factual. Are sources commercially or politically biased?
It is not sufficient to put in place written procedures on how data is collected. We need documented
audits to demonstrate those procedures are being followed. Wherever possible at least two independent
people should be involved to reduce the chances of intentional data corruption. Extra care should be
taken collecting data that might be seen as being sensitive in the sense that its recording might
eventually affect people’s welfare or jobs.

A risk professional must be aware of the possibility of deliberate information falsification, even when not
targeting fraud-related risks. People have all sorts of reasons for trying to look good, to provide
optimistic results, to hide particular risks. Other people may have personal issues, disputes or grudges
to resolve.
Take advantage of opportunities to compare data from similar sources, to check sensible data ranges
and to investigate unexpected deviations. Check the way data is transmitted, particularly from remote or
overseas locations. Is the communication system reliable? Could instructions or results have been
misinterpreted in translation? Do the results of subsequent analysis look feasible or sensible?
With sensible precautions and audits, there will be a high probability that base data is reliable and can
be trusted, particularly if it is internal data collected under risk department procedures. This data can be
analysed to provide prime results with less reliable data used for support or background material.

F2 Does our information change?


You may think this is a silly question, but of course data changes. However, in a risk analysis
environment we need to look more closely for implications. Only by doing this can we identify any
changes in threat, or detect changes in potential impact, that need to be reflected in the decisions made.
For example, a change in information technology infrastructure could mean that the effect of a particular
type of damage or loss would be very different across the organisation. Alternatively, a business
manager may decide to use the information that emerges from the technology for a different purpose or
in a different way. Again, a failure may have a very different impact on that manager’s part of the
organisation and even beyond.
It is a considerable challenge to capture and highlight those data elements that have serious risk change
implications. The challenge is more difficult if an organisation changes as soon as its risks are
understood. Currently there are very few organisations that are not experiencing fundamental change.
Change can be in personnel, products and marketplaces, or in the many different ways in which
products or services are delivered.
The challenge is even greater where an organisation needs to understand the sensitivities of a critical
supplier that is a very different type of business from its own. For example, the risk professional of a
public service authority may need to understand the exposures of a commercial organisation to which it
has outsourced critical responsibilities.
So the risk management department must gain and keep up to date their understanding of risks and
their impact. This may be across a multinational organisation with various subsidiaries, products and
services, cultures and power bases. Furthermore, the risk function needs to be aware of risk and
changing risk amongst suppliers of goods and services on which the organisation depends, especially
where these supplies have critical quality and time demands.
Sometimes it is necessary to investigate deep into the detail of a function, and yet at the same time,
keep the overall picture of matters of importance and impact in mind. The risk department must ensure
that important changes are not missed.

Even a minor change in a contract wording, or a sale to a new type of customer, can change the risk
profile significantly. Consider the manufacturer of nuts and bolts that finds a new customer who, in turn,
makes parts for a US manufacturer of aeroplanes. The potential for damage and loss will be dramatically
higher if that part fails within an aircraft as against, say, within a washing machine.
Obviously, risk departments must keep adequate detailed records in a form that facilitates information
search, retrieval and analysis. They must also keep records of analyses performed that led to critical
decisions being taken. This will allow the same analysis to be performed using different data or a
different analysis of the same data. They must also keep an audit trail of significant decisions and
actions, together with the basis on which these decisions were made. Such a record will provide base
points against which future changes can be measured and handled.

G Methods of risk identification


In this section we will look at methods and techniques that will help us to organise and understand the
information we have collected. We have already seen that in order to be able to make sense of collected
risk data, a risk professional needs to understand in detail how an organisation is managed and how it
proposes to go about meeting its objectives. Risk data has to be examined in its overall context.

Methods of risk identification (diagram): organisation charts; flow charts; hazard and operability
(HAZOP) studies; fault trees; checklists and questionnaires; brainstorming and workshops; physical
inspections.

G1 Organisation charts
Most organisations have a formal organisation chart. If not, the risk department could benefit by
producing one. The chart is useful as a demonstration of the organisation’s activities and organisational
structure. It can be restricted to functions within the organisation itself, or can be extended beyond the
organisation to reflect where there are critical suppliers among third parties or other group departments.

A typical organisation chart will start with a summary of the way in which the different sectors of an
organisation have been put together. One brief example is given in figure 4.1.

Figure 4.1: Organisation chart

Stakeholders
  Board
    Risk subcommittee
    Audit subcommittee
    Marketing: Sales; Research and development
    Finance: Accounts; Cash control
    Production: Purchasing (Supplier management); Factory 1 (Distribution); Factory 2 (Distribution)
    Personnel
    Services: IT; Maintenance
    Legal: Compliance
    Risk management

Organisation charts show who reports to whom, so you can see at a glance the route that important
decisions take as they escalate through the organisation. Each layer of management has an appropriate
allocation of decision making and responsibility, with the biggest decisions made at the top of the chain by
the board of directors. A risk department may need to follow that same decision-making route whenever
there is an exposure on which risk management resources and expenditure are needed.
Recommendations may not be popular. Therefore, there is a need to know where a decision can best be
made, empowered and at the extreme, enforced. The risk team may need considerable people skills to
sell ideas and convince reluctant audiences.
The example shown in figure 4.1 is a typical overview of an organisation. As the risk department focuses
on one part of the organisation, there may be a need to develop a more detailed organisation chart
within that particular sector.

G2 Flow charts
An organisation chart in itself cannot give a clear picture of risks carried. Also it cannot show in detail
how the impact of a risk incident will be felt throughout an organisation. A flow chart will begin to
achieve these aims.
A flow chart will look at an organisation differently. It pictures the route taken by all crucial ingredients
of the final product through to completion and final delivery. These processes could apply whether that
‘final delivery’ is a supermarket building, settlement of an insurance claim, a piece of furniture or a
credit approval within a bank.
Take an example of a factory producing cars. The products and services that together form the
ingredients for the completed vehicle can come from a host of different workshops, different ways of
delivery to the assembly lines, through to quality controls and preparation for delivery. A flow chart
would show that route and could therefore illustrate possible bottlenecks or single points of failure.
More importantly, the flow chart could show where the most crucial dependencies are within the
process.

A flow chart, somewhat simplified, could look something like the one in figure 4.2.

Figure 4.2: Flow chart of a factory producing cars

(Diagram.) Inputs to the production line: labour, with labour supply, labour training, labour relations
and health and safety behind it; power; raw materials 1, 2, 3 and more; security etc. Output side:
packaging (with packaging materials), quality control, credit control, contracted lorries, and delivery
by road to distributors.

Up to this point, a flow chart has been considered from the ‘nut and bolt’ stage through to the delivered
vehicle. The flow chart can also move forward in time to the completed business transaction. For
example, if the manufacturer cannot deliver the vehicles to the distributor (who would then receive the
cars and pay for them) the manufacturer will suffer potentially devastating damage. Therefore, the flow
chart adds further value by highlighting any market exposures at the delivery end.

Figure 4.3 is a typical flow chart of the delivery cycle of another type of business – a supermarket.

Figure 4.3: Delivery flow chart for a supermarket

(Diagram.) Customer at the top, served by: staff rotas, checkout technology, credit card authorisation;
store ambience and cleaning, staff supply and training, shelf replacement; restocking, IT systems,
vehicle fleet management; data transfer from store to warehouse, fuel/maintenance etc.; stock controls
and replacement at the warehouse; etc.

From these flow charts, the risk professional can begin to see where the supply or delivery chain can be
broken. Crucial, single dependency links in the chain that may otherwise be missed can be highlighted
for further investigation.
Possible areas of investigation might be to identify where:
• there are ingredients or recipients that could fail and where later investigation showed that there is no
quick alternative source;
• the failure may have an impact further up the supply chain well beyond that envisaged by the unit
supplying the part. For example, in a production line system of manufacture the failure to supply
enough rear light lenses in time could close down a vehicle factory altogether; and
• there may be some interdependencies between departments that could otherwise be missed.
In the supermarket example, an inability to authorise credit cards could close the doors or at least
significantly reduce the sales in that supermarket. The risk department may be able to estimate the cost
per hour of such failures. This could be dramatic if the failure was in a central computer or
communications system that services all supermarkets in the chain simultaneously. Further investigation
down this route would no doubt also register the dependency on the bank and its technology that makes
credit card acceptance decisions. This will raise in turn the need to be satisfied about the bank’s own
ability to maintain service during a period where a problem of its own is being experienced.
The logic of the flow chart is an essential tool wherever there are a range of products and services that
are necessary key ingredients of the final product.
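Once a flow chart has been drawn, the single-dependency links it reveals can be found systematically rather than by eye. The Python below is an added example, not code from the CII study text: it models the supermarket delivery chain of figure 4.3 as a dependency graph in which a node needs every one of its requirement groups satisfied and a group is satisfied by any one of its alternatives, then answers two of the questions raised above: which nodes are single points of failure for sales to customers, and what else stops when a shared component such as the central IT system fails. The node names, the grouping of dependencies, and the assumption that contracted lorries can substitute for the store’s own vehicle fleet are constructed for the example.

```python
"""Single points of failure in a delivery flow chart (added example, not from
the CII study text).

Each node lists requirement groups; a node is available only if every group has
at least one available alternative. Leaves (no entry) are available unless they
have failed. The graph is constructed from figure 4.3 with assumed groupings;
treating contracted lorries as a substitute for the store's own fleet is an
assumption made to show what an alternative source looks like.
"""
from typing import Dict, Iterable, List, Set

Deps = Dict[str, List[List[str]]]

DEPENDENCIES: Deps = {
    "sales to customers": [["checkout"], ["stocked shelves"]],
    "checkout": [["checkout technology"], ["staff on rota"], ["card authorisation"]],
    "checkout technology": [["central IT systems"]],
    "card authorisation": [["central IT systems"], ["bank authorisation service"]],
    "staff on rota": [["staff supply and training"]],
    "stocked shelves": [["restocking"]],
    # restocking needs stock control AND (own fleet OR contracted lorries)
    "restocking": [["stock control"], ["own vehicle fleet", "contracted lorries"]],
    "stock control": [["central IT systems"], ["warehouse"]],
    "own vehicle fleet": [["fuel and maintenance"]],
}


def all_nodes(deps: Deps) -> Set[str]:
    nodes = set(deps)
    for groups in deps.values():
        for group in groups:
            nodes.update(group)
    return nodes


def unavailable_after(deps: Deps, failed: Iterable[str]) -> Set[str]:
    """Every node that stops when the given nodes fail (the failed nodes included)."""
    failed = set(failed)
    memo: Dict[str, bool] = {}

    def available(node: str) -> bool:
        if node in memo:
            return memo[node]
        if node in failed:
            memo[node] = False
        else:
            # AND across requirement groups, OR within a group.
            memo[node] = all(any(available(alt) for alt in group)
                             for group in deps.get(node, []))
        return memo[node]

    return {n for n in all_nodes(deps) if not available(n)}


def single_points_of_failure(deps: Deps, target: str) -> List[str]:
    """Nodes whose failure on its own stops the target."""
    return sorted(n for n in all_nodes(deps)
                  if n != target and target in unavailable_after(deps, {n}))


def blast_radius(deps: Deps, node: str) -> Set[str]:
    """Everything downstream that stops when this one node fails."""
    return unavailable_after(deps, {node}) - {node}


if __name__ == "__main__":
    print("single points of failure for sales to customers:")
    for n in single_points_of_failure(DEPENDENCIES, "sales to customers"):
        print("  -", n)
    print("stops if central IT fails:",
          sorted(blast_radius(DEPENDENCIES, "central IT systems")))
    print("stops if own fleet fails:",
          sorted(blast_radius(DEPENDENCIES, "own vehicle fleet")))
```

Run on the constructed graph, the store’s own vehicle fleet drops out of the single-point list because a substitute exists, while the bank’s authorisation service and the central IT system stay on it; the blast radius of the central IT system is the list of everything that stops when it fails, which is the figure a risk department would then multiply by the number of stores sharing that system and by the estimated cost per hour.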
In large organisations flow charts can be extremely large and complicated. If the chart cannot sensibly
be divided into manageable sections then consideration should be given to producing several charts,
each for a different type of information. It may be possible to consider data separately from physical
goods for example, or produce a flow chart of verbal information passed at regular meetings.

G3 Checklists and questionnaires


We have touched on the use of questionnaires as a method of collecting risk data. Questionnaires can
also be used to start quantifying risk.

Example 4.1
Similar questions might be directed to heavy machine operators in a workshop environment or a group of forklift
truck operators in a warehouse, or cabin crew in an airline. Suppose we asked questions like: ‘Which of the
following hazards do you consider most dangerous? Indicate your answer by ranking each on a scale of 1 to 5, 5
being the most dangerous.’
The questions could be standard, only the choice of hazard different. The questionnaire could be re-circulated after
risk management action had been taken in order to assess the effects.

Checklists and questionnaires are straightforward, commonly used tools. They are useful:
• as an ‘aide-memoire’ to the risk team directly;
• if the risk team need to delegate information gathering to others, for example, where the sources and
range of the area are so large that it would not be practical for them to accumulate this information
personally; and
• to bring information that may have been gathered in different places back together in a common
format. One common format will simplify comparisons and analyses of the information.

Preparing a questionnaire needs a great deal of care and thought if the required information is to be
collected in a useful manner. A disadvantage of giving a questionnaire to another person to complete is
that their answers will be directed by the questions. They may not appreciate the need to add additional
information that could, in that particular circumstance, be crucial. Another danger is that, while the
author knows clearly what is intended by the wording of a question, it may not be precisely clear to those
who need to answer it. Could there be two interpretations?
Trial runs with representative people are an important part of questionnaire design. The feedback can
help in the final design before release to the wider audience. It is also necessary to plan distribution and
collection of the forms, and to ensure appropriate authorities and instructions are in place so that forms
are actually completed. People need some incentive to cooperate in form filling and the risk team will
have to persuade them that their time is usefully employed.
The benefit of checklists and questionnaires is that they can be an extremely efficient way of getting
basic information from a large number of different locations and people. A risk department will recognise
both the limitations and the value of this information. They can then add further information from other
sources, and can begin to take a view on priorities for further research or attention.
Information from completed questionnaires can be added to what the risk professional already knows
about the activities of a unit and its previous loss history. A safety questionnaire of a factory may, for
example, most usefully be read when past claims experience is also known.
A questionnaire and a checklist are often indistinguishable, the only difference being in how they are
used. Usually, a questionnaire is sent to someone else to complete. A checklist is something that simply
prompts a professional or another to give answers in a particular way. Questionnaires often use
checklists to limit possible answers to a question so that the results are more easily analysed by
computer.
A common use of a checklist is the survey report forms used by risk surveyors. Such a checklist can be
focused on an individual exposure such as safety around individual items of machinery or a building. It
can look at more general topics such as security procedures, or whether the location as a whole meets
the established risk and safety standards of the organisation.

A good questionnaire, and indeed checklist, will solicit a series of simple answers that can be processed
easily by computer, but it will also allow sufficient space for the user to complement these answers with
comments, opinions and suggestions. The checklist may also be in sections, with the user completing
only the sections that are relevant to the exposure being studied.
The design of a checklist needs to take account of the technical skills of the user. A typical fire survey
form, for example, that is designed to be completed by a skilled and experienced fire surveyor, is not
much more than an ‘aide-memoire’ and a tool to enable the report to be completed in a common format
with others.
A questionnaire to be completed by a factory manager, whose skills are not in risk management, needs
to be constructed differently. Such a questionnaire will need an introduction. This introduction can
explain any background, the objectives of the exercise and the potential use of the information that is
being gathered.
In summary, questionnaires and checklists have an important place in the risk professional’s armoury,
but care needs to be taken in their design and use.

Table 4.2: Advantages and disadvantages of checklists and questionnaires

Advantages:
• A cheap and efficient way of collating large amounts of information.
• Simple and easy to use.
• A useful way of updating information for current use and for monitoring trends against previous
surveys.
• Can be adapted to individual areas of risk interest.
• Useful for putting diverse sources of information into a common format.

Disadvantages:
• Can be completed by someone who may not be skilled in the subject of the questionnaire.
• Can be completed by someone who may not understand precisely the objectives and ultimate use of
the answers.
• Can focus the user’s attention simply on answering the questions themselves, without keeping the
overall reason for the questions in mind, causing the task to be seen as just a ‘form filling’ exercise, as
opposed to an opportunity to take that ‘wider perspective’ mentioned earlier, which is so important to
risk management.
• Can be at risk of being ambiguous to the reader, however careful the design.
• Can be at risk of being completed too quickly, and thus without much thought, by someone who
considers that their own time is better spent elsewhere.
• Can be at risk of being completed by someone who may have their own reasons for suppressing risk
information.

G4 Physical inspections
We talked earlier about touring an organisation. There are very few methods as useful as going,
physically, to look at an area that is being studied. This inspection not only allows a very clear and
personal picture of the environment at risk, but it allows face-to-face conversations with people on site.
It is not always possible to visit every single part of a large organisation to see what is going on or to
witness all changes as they occur. Also it is not possible for an individual to possess every technical skill
needed to fully evaluate what they see there. It is, nevertheless, an important discipline to visit sites as
often as possible. Frequently the physical picture bears little resemblance to a picture created by
paperwork carried out in an office.
There are, however, specialist risk surveyors who can be brought in to carry out these inspections and
report back, adding their professional assessments to the report. They may be employees of the
organisation or supplied by an insurer or by third parties under contract. They will have among them a
range of surveyor specialists with fire, security, health and safety, business continuity or engineering
backgrounds or with other specialist skills in areas such as chemistry, pollution, asbestos, pressure
vessel engineering, marine engineering etc.
Other organisations may send surveyors to visit sites to satisfy agendas of their own. This might apply to
stakeholders such as insurers, fire and rescue services, the Health and Safety Executive (HSE), local
authorities and others. These reports are very useful but they are prepared for particular purposes and
may not embrace all the questions that a risk professional needs answering.

There is a clear advantage when a risk environment and its people are visited, particularly by someone
who has the specialised knowledge to take a professional view of what is seen. In addition, a formal
survey report will normally conclude with recommendations to improve the risk or reduce the impact. The
survey fulfils the dual role of identifying risks, and also begins the job of managing them.
There are, however, some drawbacks:
• A surveyor can see only those exposures that are present and visible on the day of the survey. It is a
snapshot in time and can capture only the activity of the day. While questions can be asked, the
survey cannot reflect fully all changes that are being planned and are subsequently implemented.

Consider this…
Should a surveyor surprise the relevant site management or give a warning of the visit?

• A survey programme can be expensive in its use of both time and money, especially when surveys are
needed across many different units in distant places. Also, a programme of repeat visits is needed,
with a frequency that depends on the level of concern and the pace of change under way. This does
add to the costs, although such expenditure may be considered valuable, even essential, in individual
cases.
• A survey can raise confidence unrealistically. A surveyor sent by the insurer, unless otherwise
negotiated, will usually consider only risks that are insured. The risk management team need to
remember that many of the greatest exposures to the organisation may be those risks that are not
insured.
• Some of an organisation’s greatest risks can be those where third party suppliers provide key
ingredients and services. The organisation may have difficulty obtaining authority to conduct detailed
surveys in third party premises unless this permission is negotiated within the original agreement.
• Risk should be the responsibility of each and every manager throughout an organisation. Regular visits
by risk surveyors could, if not carefully managed, encourage unit managers to believe that they can
abdicate responsibility for risk to the surveyor.

Question 4.3
Risk professionals are encouraged to go and look at an area under study. Why is this important?

Useful website
Royal Institution of Chartered Surveyors www.rics.org/uk/.

G5 Brainstorming and workshops


Brainstorming sessions, sometimes called workshops, involve a group selecting a topic for discussion
and recording as many ideas as they can as quickly as possible. Sessions are relatively informal and
unstructured. The focus is on freedom of expression and quantity of ideas rather than quality. The ideas
are collated and refined as a separate exercise.
Logically the person who understands a particular risk the most thoroughly is the local manager or
operator affected by the risk. There is a wealth of knowledge, experience and understanding within an
organisation’s own employees. This knowledge can be found at all levels, not just with key managers.
These people are also those who, as part of their day-to-day work, carry responsibility for safety, profit
and loss management and the continuation of delivery and quality. Sometimes this responsibility for
continuity is clearly expressed within contracts of employment; sometimes it is simply implied.
A ‘brainstorm’ can be at any level within an organisation. A senior risk professional could bring together
selected managers and employees and facilitate a discussion about risk and consequences.
Occasionally a professional facilitator may be used whose role is to keep a careful balance between
time, the agenda and the direction of conversation flow.
Sometimes meetings are arranged in the style of a normal business meeting with a chairperson (the
facilitator) and an agenda. Meetings can also be arranged as an exercise where specific scenarios are
described. Participants are then expected to say how these scenarios might unfold, how damaging they
might be and how they could or could not be managed. This is sometimes described as a desktop
exercise and is commonly used to help develop continuity plans.
Chapter 4 Tools and techniques 1: risk identification 4/21

Desktop discussions can highlight risks and threats and their potential impact on a particular division of
an organisation. The discussion can also explore interdivision dependencies and the importance of
these. Alternatively, the agenda may be limited to a specific exposure, say the dependency and
resilience of third party suppliers in the production chain. There is a wide playing field and it is
important to enter such discussions with a clear agenda and specific outcomes in mind. During the event
the chairperson needs to ensure an effective balance between staying with the agenda and gaining value
from free-ranging discussion.
An alternative to desktop discussions is to simulate incidents for people to manage through. Such
exercises are expensive and only appropriate in particular circumstances, usually when loss of life is at
stake. The military and emergency services regularly have exercises to simulate incidents such as a
battle site, a major fire or a passenger transport disaster. They may use real equipment such as disused
training planes and trains on a special site. Organisations from the chemical and oil businesses and
many others have also used this method.
Exercises have an inherently useful purpose in familiarising people with an incident situation so that
they cope better if faced with a real emergency. As with desktop exercises, participants must feed back
thoughts and ideas that can be studied and used to help manage future risk.
Brainstorming groups gain best value if risk professionals join them as full members or as observers or
as advisers. Such a risk professional could be the health and safety manager, the compliance manager
or similar.
The concept of brainstorming can be extended to groups of people who meet regularly as risk
committees to share experiences, and concerns, about a particular risk environment. They may choose
to brainstorm a particular item of concern as part of their meeting.

Question 4.4
How can brainstorming assist the risk management professional within an organisation?

G6 Fault trees
Fault trees are similar to flow charts, but are aimed at different objectives. Flow charts illustrate the
chain of events that bring together materials and resources to create and deliver a finished product. A
flow chart reveals the source of critical parts. Fault trees investigate what could cause supplies to cease
and consider the likelihood of that happening.
Consider the meaning of non-delivery. Deliveries to or from an organisation always need to be of a
quality that meets the organisation’s expected or contracted standards. In effect, delivery of
unacceptable goods is the same, for the purposes of this study text, as no delivery at all.

A fault tree, therefore, can achieve two things:
• it can look at a flow chart from the point of view of risk and begin to assess the chance of a supply
chain being broken; and
• it can look at the risk within a process or piece of machinery and take a view on the potential for
damage.

The fault tree does not look at the process leading to the end result. Instead it tries to understand the
potential for a failure to deliver that which is critically needed, and then looks backwards to search out
the possible cause of that failure. Of course, this may be a single cause or a combination of causes.

G6A Fault trees and supply chains


Consider the flow chart described earlier in figure 4.2 that showed the routes by which ingredients and
resources came together to build a car. Where do the pieces come from? The required ingredient or
service may come from elsewhere within the organisation, or the responsibility to supply may have been
outsourced to a third party organisation. The problem of non-supply will be the same whatever the
source and needs to be understood and managed.
4/22 M67/P67/March 2018 Fundamentals of risk management

Fault tree analysis begins with each ingredient then considers whether that ingredient could fail to arrive
in a timely way at the point of inclusion and, if so, takes a view on the consequences. The premise is
that a production line is an integrated evolving process whereby there is one time only and one place
only for each part to be added.
In our example of a motor vehicle production line, a door lock clearly cannot be added before the door
arrives. Also there is not any easy place later in the production line for parts to be added once they
eventually arrive. The complete cycle of manufacture of one vehicle could be within one day. Completed
vehicles may not be left on the factory premises but removed immediately to distribution centres.
Cost considerations may have resulted in the decision to keep a minimum level of ingredients, or
perhaps no stock at all, within the factory. The risk is therefore that failure of a single ingredient to arrive
can close down the entire production line.
A fault tree will identify such an exposure and its criticality. It will prompt the risk department to look
carefully at that source of supply and ask:

• What could cause that supply not to arrive in time?
• How are those exposures being managed?
• Are there alternative resources the supplier can use?
• Should the organisation reduce its single risks, perhaps at extra cost, by sourcing materials from more
than one supplier?
• Are the patents, design models, licences and other necessities legally and physically available to the
organisation so that the supplier can be replaced quickly by another?

When examining what could cause a supply to fail, the risk professional may also wish to review the
quality and resilience of the supplier’s factory. The risk professional may look at the supplier’s own
policy in sourcing materials, any critical labour dependencies, shipping practices, continuity planning
and even the supplier’s financial stability.
Other questions might be as follows:

• Does the supplier have one factory or more?
• Is there a political risk in the country where raw materials come from?
• Is there a dependency on overseas shipping?
• Is continuity planning in place and exercised?
• What are the alternatives if a critical supply fails?
• Are those alternatives of adequate quality and can they arrive in time to meet business pressures?

An organisation might wish to reduce the potential for single points of failure by sourcing ingredients
from two or more entirely different suppliers. The risk of a simultaneous failure by two suppliers is much
less, particularly if geographically separate. It may be considered to be an acceptable risk. The risk
department may still need to know that the suppliers themselves do not have a single dependency.
An organisation will maintain a high focus on high dependency/low availability ingredients. Such an
ingredient could be a specialist or bespoke product on which the organisation’s own production line has
a high and urgent dependency. It will be essential not only to look at these dependencies but also at
what other events may cause failure or loss.

These are just some of the questions that need to be asked to gain a view of risk and dependency. All
these questions are equally valid within the organisation as they are for a supplier of critical parts. The
issue is the continued supply of quality ingredients, not whether they are sourced internally or from an
external organisation.

G6B Fault trees and risk within a process or piece of machinery


The second use of fault trees is to look at the possibility of a failure within a process or piece of
machinery itself. When considering this aspect of risk, it is necessary to examine the technicalities of
what may trigger a damage or loss.

Example 4.2
An engineer knows that a pressure vessel will explode once the pressure within the vessel exceeds its design load
plus any margin of error that was built in by the designer. However, what could cause that pressure to increase?
Presented graphically to one layer alone, it could look like this:

Potential damage

Tank explodes

Relief valve overpowered

Pressure increases

Human error

This fault tree follows a single chain of events. A fault tree can also illustrate where a combination of
events can act together to cause damage or injury. This combination of events can appear from within
different arenas and even from quite different areas of management responsibility. They may bring
together two totally unrelated incidents, e.g. a mechanical failure (pump fails) and poor training to cause
major impact as shown in figure 4.4 below.

Figure 4.4: Combination of factors (levels of the tree, from the top event down to its causes)
Damage
Tank explodes
Pressure rises; Relief valve fails
Excessive input pressure; Water pressure fails; Pump fails; Human error; Lack of maintenance
Poor training; Inadequate records
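The combination of events in figure 4.4 and the single-supplier versus dual-sourcing question in section G6A can both be worked through in code. The following is an added example, not part of the study text or any CII material: a small fault tree evaluator with AND and OR gates. The event names, gate structure and the annual basic-event probabilities are constructed assumptions. It calculates the probability of the top event by enumerating every combination of independent basic events (so a cause shared by two branches, such as one port used by both suppliers, is counted once rather than twice) and lists the minimal cut sets; any singleton cut set is a single point of failure of the kind a fault tree is meant to highlight.

```python
"""Fault tree evaluation: top-event probability and minimal cut sets.

Added example modelled loosely on figure 4.4 (a tank explodes only if pressure
rises AND the relief valve fails) and on the dual-sourcing discussion in G6A.
Event names, gate structure and the annual basic-event probabilities are
constructed assumptions for illustration, not values from the study text.
"""
from dataclasses import dataclass
from itertools import product
from typing import Union


@dataclass(frozen=True)
class Basic:
    name: str
    p: float  # constructed probability that this basic event occurs in a year


@dataclass(frozen=True)
class Gate:
    name: str
    kind: str      # "AND": every input must occur; "OR": any one input suffices
    inputs: tuple  # child Basic or Gate nodes


Node = Union[Basic, Gate]


def basic_events(node: Node) -> list[Basic]:
    """Distinct basic events under a node, in first-seen order (a shared cause
    such as one port used by two suppliers appears once)."""
    if isinstance(node, Basic):
        return [node]
    seen: dict[str, Basic] = {}
    for child in node.inputs:
        for b in basic_events(child):
            seen.setdefault(b.name, b)
    return list(seen.values())


def occurs(node: Node, state: dict[str, bool]) -> bool:
    """Evaluate the tree for one assignment of basic events (True = occurred)."""
    if isinstance(node, Basic):
        return state[node.name]
    results = [occurs(c, state) for c in node.inputs]
    return all(results) if node.kind == "AND" else any(results)


def probability(node: Node) -> float:
    """Exact top-event probability, assuming basic events are mutually independent.
    Enumerating every combination handles shared causes correctly, which simply
    multiplying gate probabilities together would not."""
    basics = basic_events(node)
    total = 0.0
    for outcome in product((False, True), repeat=len(basics)):
        state = {b.name: occurred for b, occurred in zip(basics, outcome)}
        weight = 1.0
        for b, occurred in zip(basics, outcome):
            weight *= b.p if occurred else 1.0 - b.p
        if occurs(node, state):
            total += weight
    return total


def cut_sets(node: Node) -> list[frozenset[str]]:
    """Minimal cut sets: sets of basic events whose joint occurrence is sufficient
    for the top event. A singleton cut set is a single point of failure."""
    if isinstance(node, Basic):
        return [frozenset([node.name])]
    child_sets = [cut_sets(c) for c in node.inputs]
    if node.kind == "OR":
        sets = [s for group in child_sets for s in group]
    else:  # AND: combine one cut set from each input
        sets = [frozenset().union(*combo) for combo in product(*child_sets)]
    sets = list(dict.fromkeys(sets))  # remove duplicates, keep order
    return [s for s in sets if not any(o < s for o in sets)]  # drop supersets


def single_points_of_failure(node: Node) -> list[str]:
    return sorted(next(iter(s)) for s in cut_sets(node) if len(s) == 1)


def tank_tree() -> Gate:
    """Figure 4.4 style: damage needs a pressure rise AND a failed relief valve."""
    pressure_rises = Gate("Pressure rises", "OR", (
        Basic("Excessive input pressure", 0.02), Basic("Pump fails", 0.05)))
    relief_fails = Gate("Relief valve fails", "OR", (
        Basic("Human error", 0.03), Basic("Lack of maintenance", 0.04)))
    return Gate("Tank explodes", "AND", (pressure_rises, relief_fails))


def supply_tree(mode: str) -> Gate:
    """G6A style supply-chain trees. 'single': one supplier. 'dual_independent':
    two suppliers with separate shipping. 'dual_shared': two suppliers that both
    ship through the same port, a shared dependency the risk department should find."""
    port = Basic("Port strike", 0.03)
    a = Gate("Supplier A fails", "OR", (Basic("A factory fire", 0.01),
             port if mode == "dual_shared" else Basic("A shipping delay", 0.03)))
    if mode == "single":
        return a
    b = Gate("Supplier B fails", "OR", (Basic("B factory fire", 0.01),
             port if mode == "dual_shared" else Basic("B shipping delay", 0.03)))
    return Gate("Critical supply fails", "AND", (a, b))


if __name__ == "__main__":
    trees = [tank_tree()] + [supply_tree(m) for m in ("single", "dual_independent", "dual_shared")]
    for tree in trees:
        print(f"{tree.name}: P={probability(tree):.5f}, "
              f"cut sets={[sorted(s) for s in cut_sets(tree)]}, "
              f"single points of failure={single_points_of_failure(tree)}")
```

Running it shows the two lessons the text draws: the AND gate in the tank tree means no single basic event can cause the explosion on its own, and dual sourcing only removes the single point of failure if the two suppliers do not share a dependency. With the shared port the top-event probability stays close to the port's own probability, whereas with independent shipping it falls to the square of a single supplier's failure probability.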

G6C Advantages of the fault tree approach


The concept of a documented fault tree enables a risk professional to consider, from the particular angle
of risk, the chain that makes up the process of delivery of goods or services. It then considers the risks
to each link in that chain.
The concept is valid for a simple presentation of the dependencies that lie within the whole chain of
events that lead through to that delivery. It is valid, quite separately, for a more focused look at one
process alone or even one particular piece of machinery.
The fault tree can, in one statement, bring together quite different threats to delivery; some scientific,
some human, some political, some geographic and many others.
The fault tree can highlight individual exposures for further research and attention. It can help a risk
manager to prioritise attention to those risk incidents most likely to occur or those risk incidents that
would have the most significant impact.
The fault tree approach can be used in different ways, by mathematicians, engineers and scientists
through to health and safety and continuity managers. Fault trees can be long or short, simplistic or
highly technical and computerised, as is needed for a particular understanding. Whatever approach is
used, the underlying principle remains the same.
A fault tree can highlight quite different types of event that could happen together to create damage or
loss. Such diverse connections are unlikely to be recognised by individuals working on one aspect of the
delivery chain unless they use a fault tree or similar approach.

G7 Hazard and operability (HAZOP) studies


A method of quantifying risk that can work well alongside the fault tree is called the hazard and
operability (HAZOP) study. At its simplest, this can be development of a fault tree that has identified a
key piece of equipment on which the organisation’s ability to deliver depends. Complex HAZOP studies
require significant computing resource.
HAZOP studies are rigorous, detailed and usually contain computerised fault tree analyses of safety
critical systems or system components, often conducted during their design.
The concept is thought to have originated in the chemical industry and it is a qualitative enquiry
into the operation of a plant from the point of view of hazard. A chemical plant can be extremely
complex and have many different parts. The HAZOP is an attempt to break this complexity down into
manageable parts.

The HAZOP study addresses four key questions:
• What is the part intended to achieve?
• What deviations are possible from the ‘usually expected’ delivery?
• What could be the causes of those variations?
• What could be the consequences of those variations?

G7A Intention
One example of the use of a HAZOP study would be to address risks within a pressure vessel
supplying power to a shipyard. This pressure vessel is designed to work at a routine design level
that provides optimum value and economy. The vessel needs to be able to deliver pressure, within
the range defined by:
• the minimum pressure required to keep other machinery working; and
• the maximum pressure for safety.
The key risk intentions are safety and supply of a minimum level of pressure down the delivery chain to
other identified machines. A failure in either of these intentions will cause damage.

G7B Deviations
In normal circumstances, the vessel will deviate from time to time from the optimum design pressure.
This is to be expected. The deviations that are of concern to the risk department are those which take
those pressures into the two main danger areas: inadequate pressure to achieve the purpose and
danger of explosion. These ‘maximum’ deviations can then be plotted. The plotting would embrace both
the specifications of the manufacturers of the vessel itself and the specifications that state the minimum
pressure needed by machinery further down the line.
There is a margin of deviation that is acceptable, defining in turn the ranges beyond that which are
clearly unacceptable.
This example has been chosen partly because of its importance to both safety and production. In the UK
and many other countries, pressure vessels and lifting machinery are subject to statutes that demand
regular safety inspection by qualified engineers.

G7C Causes
A risk department needs to look beyond simple statements of unacceptable deviation by asking two
important questions:
• What event or cause could cause a deviation to that degree?
• What combination of events could cause a deviation to that degree?
Thus a HAZOP designed around a single pressure vessel can bring out multiple causes. There could be a
failure in the pressure vessel itself, or a failure in key parts such as valves, especially the safety valve.
Causes could be organisational – inadequate maintenance programme, human error, poor quality
maintenance and quality control – or related to the environment on which the vessel itself depends. The
cause could be simply administrative, e.g. a failure to place this item of machinery onto the inspection
schedules.
The cause may be further down the chain, e.g. fuel not reaching the vessel. That failure of fuel could be
caused by failure of fuel valves within the machine, or deliveries from the supplier.

G7D Consequences
A HAZOP type study is most appropriately carried out on a piece of equipment that is understood to be
important or to possess safety dangers. In other words the equipment is important to the safety of
employees, visitors or neighbours, or is a key part of a chain of events that delivers the final product or
service.
HAZOP studies are often designed specifically to identify potential worst case scenarios. What is the
worst disaster this plant could cause?
Explosion is the one simplest to envisage. It is, however, not quite as straightforward as that. The
scientist will be able to explain the likely force of an explosion of a pressure vessel of the size being
considered, so the explosion itself can be pictured. However, what would the impact be of that explosion
in that precise spot?

The following questions all need consideration:

• Would lives be at risk?
• Is the plant positioned so that an explosion would bring down the floor above? What is on that floor?
• Are there other buildings nearby? What is in the neighbouring areas?
• Is there any other explosive material (such as LPG tanks, petrol tanks) nearby that could transform a minor
explosion into a major one?
• Are there any special features affecting safety or the emergency services due to the location, e.g. if the vessel
was on an oil rig?
• Would the effects of an explosion be different in different weather conditions?

The first task is to ensure that questions like these are asked in a structured way, that guesswork is
removed and that answers come back from a trusted source. With the answers, or even with part
answers, decisions can be made about which risks to tackle first and then how the risk events
(deviations) and consequences can be contained within ‘commercially acceptable’ boundaries.
An important feature of the HAZOP study is that it can be, and is best, applied at the design stage. If the
designer of equipment or of an office or factory environment can understand these risk features then
they may be able to reduce the number of risk incidents or ‘design out’ some of the worst consequences.

Example 4.3
A very simple example at layout stage could be consideration of the place allocated for skips to hold waste
packaging material awaiting collection. A risk-conscious designer will position them at the far end of the yard where
a fire in that skip – technically described as a deviation from the norm – could not spread to reach the main office or
factory buildings. The skips, too, would be positioned inside a secure area, away from vandals who may set fire to
them. This example illustrates that not all HAZOPs need to be technical.
A more complicated design feature would be when aircraft designers ensure that all engines have totally independent
sources of control and fuel supplies and that there is no exposure to them all from one single structural failure
anywhere in the aircraft. The crew and passengers, therefore, can be confident that the failure of one (or more)
engines would not remove all power supply. Training pilots to respond to engine failure would be part of the wider
process of risk management and be reassuring to the organisation, the pilots and passengers alike.

Key points
The main ideas covered by this chapter can be summarised as follows:
Why do we need risk information?
• The more you know about risks you face, the more chance you have of making the right decisions needed to meet
your objectives.
• To be effective, comprehensible, trusted and relevant risk information is needed. It has to be quantified and
communicated in a way that helps people make better decisions.
What sort of information do we need?
• We need to list as many risks as possible that affect our organisation. The more risks we recognise the better
prepared we can be.
• An organisation can be affected by both external and internal risks.
• It is a significant challenge for a risk department to identify all activities concerning an organisation that may give
rise to risk.
• Risks need to be identified in a logical and cost-effective manner.
• It is those risks that threaten the objectives and deliverables of an organisation that are seen as greater threats than
the financial cost of damage.
Sources of internal information
• Sources of internal information include people, meetings, committees, documents, databases and observation.
• Risk committees are the link between the board and all other functions. Audit committees also discuss risk.
• Other documents with risk information include proposal papers, auditors’ reports, insurance documents,
procedures manuals and historical risk reports.
• Trained risk professionals recognise risks and hazards as they go about their daily business.
Sources of external information
• Sources of external information include government organisations, business and professional institutions, insurers,
databases, emergency services, consultants, newspapers and magazines, company reports and conferences.
• Government organisations publish general risk information, often sorted in specific categories.
• Business and professional institutions publish useful information on best practice, standards, audits, management
and governance issues.
• Insurers keep records of historical claims.
• Various organisations often have common interests in reducing certain types of risk. They might organise
themselves to maintain joint databases of useful information.
• Emergency services can provide information on risk and trends in risk.
• Consultants can provide focused current information, specialist skills or just additional resources.
• Newspapers and magazines can produce quality, in-depth reports on major incidents. There are lots of magazines
and academic journals that are devoted to aspects of risk in a national or international context.
• Company annual reports may contain a substantial analysis of key corporate risks.
• Conferences bring together experts and specialists in particular fields.
Collecting data
• Touring an organisation and talking to people is the starting point for understanding risks and their potential impact.
• Management must enforce procedures that automatically send useful risk information to the risk department.
Routine data collection must be reliable and complete.
• Collecting information from documents is a specialised activity requiring particular skills. The risk professional must
carefully select the documents that are likely to contain the sort of information needed.

Reliability and change


• Processing unreliable data leads to wrong conclusions and wrong decisions being made.
• Steps need to be taken to ensure that any data that is collected is reliable and trustworthy.
• In any organisation risks and/or their impact can change at any time.
• Risk departments must keep adequate detailed records in a form that facilitates information search, retrieval and
analysis.
• Risk departments must also keep an audit trail of significant decisions and actions, together with the basis on
which these decisions were made. Such a record will provide base points against which future changes can be
measured and handled.
Methods of risk identification
• Techniques to help identify risks include organisation charts, flow charts, checklists and questionnaires, physical
inspections, brainstorming and workshops, fault trees and HAZOP studies.
• Organisation charts show who reports to whom, so you can see the route important decisions take as they escalate
through the organisation.
• Flow charts show how goods and services come together to achieve a final product. They highlight critical links
and dependencies within the process.
• Checklists and questionnaires are an efficient way of collecting useful information from many people, even in
different locations. They need proper preparation and are most useful in conjunction with data from another source.
• Physical inspections are better than desk studies for gaining a real appreciation of risks. Specialised surveyors will
know how to evaluate risks in particular types of operation.
• Brainstorming is a technique to help a group of people share knowledge and develop ideas, and as such can be
focused on risks.
• Fault trees highlight possible causes of failure to deliver end product. They allow probability of failure to be
investigated and managed.
• HAZOP studies are rigorous, detailed and usually contain computerised fault tree analyses of safety critical systems
or system components, often conducted during their design.

Question answers
4.1 Any four from the following:
• people;
• meetings;
• committees;
• documents;
• databases; and
• observation.
4.2 Any four from the following:
• Government organisations or organisations linked to the Government;
• business and professional institutions;
• insurers and related organisations;
• databases;
• emergency services;
• consultants;
• newspapers and magazines;
• company reports; and
• conferences.
4.3 Frequently the physical picture bears little resemblance to a picture created by paperwork carried out in an
office. A visit also allows face-to-face conversations with people on site. As well as identifying risks, surveys
normally result in recommendations to improve their management.
4.4 There is a wealth of knowledge, experience and understanding within the organisation’s own employees. The
‘brainstorm’ is one way of tapping into that understanding.

Self-test questions
1. Why should risk departments take a detailed interest in procedures manuals?
2. Why are large companies including risk information in their annual reports?
3. What makes routine procedures for collecting risk information effective?
4. Why are checklists and questionnaires useful tools for gathering information?
5. What is the difference between a flow chart and a fault tree?
6. What are fault trees used for?

You will find the answers at the back of the book


Chapter 5
Tools and techniques 2: assessment and measurement of risk

Contents (syllabus learning outcomes in brackets)
Learning objectives
Introduction
Key terms
A Risk assessment (3.4)
B Risk categorisation (4.2)
C Measuring impact (3.4, 5.4)
D Measuring probability (1.2, 5.4)
E Risk ranking (3.4)
F Risk appetite and tolerance (3.4)
G Risk control (3.4)
H Risk registers (3.2)
Key points
Question answers
Self-test questions
Appendix 5.1: Extract from a sample risk register

Learning objectives
After studying this chapter, you should be able to:
• explain why we need to assess risks;
• discuss categorisation of risks;
• explain the basics of probability theory;
• explain the concepts of risk aggregation and correlation;
• explain risk control techniques; and
• explain the purpose, contents and limitations of a risk register.

Introduction
In chapter 4 we looked at ways of identifying risks that an organisation may face. This chapter is
concerned with risk assessment, examining risks to understand their causes and effects, comparing
different risks and arranging risks in order of importance.
We will see how to build risk information into a useful database (commonly referred to as a risk register)
and establish criteria to help make decisions and choose appropriate methods of risk control. We need
to know which risks need attention and which risks can be tolerated or ignored. Armed with this
information, we can set priorities, plan mitigating actions and produce meaningful reports.
We will see how to arrange risks by type, allocating them to specific risk categories. Assessing risks of
the same general type makes comparisons easier.
We will discuss how to measure the damage that could result if each risk materialised. Can we quantify
impact and the consequences it will have on the organisation? Can impact always be described in
monetary terms?
Frequency is important. How often is a particular incident likely to occur? We will look at probability
theory and discuss when it can be usefully applied.
Combining impact and probability gives a measure of the overall size of the risk. Can we use this
information to compare risks in different categories?
Having assessed and measured risk, do we know what actions to take? We will explore how to assess
risks alongside the aims and objectives of an organisation, using risk appetite policy to decide which
risks can be tolerated. We will look at possible actions. What alternatives are available for risk control?
How do we choose?
All this information has to be recorded and stored in a logical, easily accessible and understandable
form. As we go through this chapter we are building a risk register, collecting data that lists and
describes risks, records assessments and measurements, tracks action plans, and forms the basis of
reports. Properly organised risk registers are essential for effective risk management. They provide
consolidated base data for audits, reviews and reports. They are the link that allows risk management
theory to be applied in a practical situation.

Key terms
This chapter features explanations of the following terms and concepts:
• Dow Fire and Explosion Index
• Numerical definition of impact
• Numerical definition of probability
• Probability theory
• Risk aggregation
• Risk appetite and tolerance
• Risk assessment
• Risk categorisation
• Risk control
• Risk models
• Risk ranking
• Risk registers

A Risk assessment
Example 5.1
Imagine you own and run a small garden nursery, growing bedding plants from seeds and selling them in a shop on
the corner of your land. The business has grown to become a miniature garden centre supplying a range of
gardening tools and supplies. When a new office complex opened across the road you expanded your garden centre
to include a coffee shop and now serve a variety of snacks and hot meals. You are concerned about the fire risk
from the extended kitchen but before spending money on that you want to know if it is the most important risk to
your business. For example, winter power failure would wreak havoc in the greenhouses and a major incident at the
nearby airport could have disastrous consequences, but are these things likely to happen? You can identify a
number of risks but how do you weigh one against the other?

It is only when we understand all possible consequences of an incident that we can decide how to
manage the underlying risk. Do we accept it or try to reduce or avoid it? Each of these options involves
cost. We have to spend money to reduce or avoid risk, or accept risk and work out how to pay for
potential damage. We need to know if it is cost-effective to spend money on a particular control.

An extension of this process is available if we can measure benefits as well as damage. For example,
removing or reducing air pollution risk should improve health or save lives. If we can put a figure to the
value of these benefits we can then compare proposed risk controls on a cost-benefit basis. Costing
benefits is not easy, and in areas like health and safety, can be extremely emotive. Another problem
arises where costs are borne by one organisation or group and the benefits are felt by another. In our
example of air pollution, a power station operator may stand the cost while most of the benefit is to the
local community.
Of course real life decisions are not that straightforward. Cost-efficiency or cost-benefit data is only one
of the pieces of information we need. Once we have identified potential risk scenarios we need to
evaluate all possible consequences to understand to what extent they are, or are not, a problem. The
‘cost’ may not be measurable in financial figures but may be devastating to our organisation. We need to
examine each exposure and understand, quite precisely, what could happen and how often it could
happen.
Are there tools and techniques to help us quantify our risks? Yes, there are; however, as always, when
we use tools we need to remember their limitations. Tools are only useful if they help us achieve what
we are trying to do. Risk assessment is a set of working tools used to examine threats that may bring
damage or loss to an organisation, its responsibilities and its objectives. The purpose of examining
threats is to stimulate decisions as to how those threats are to be managed.
We use risk assessment tools to encourage quality decisions that in turn lead to activity. In a small
organisation you may be able to make those decisions yourself; in a large organisation you will have to
persuade others to take actions you recommend. Risk analysis is not an academic exercise and it is not
peripheral to operational or strategic management. It is integral to, and indivisible from, overall effective
management of an organisation.
It is worth reminding ourselves of some fundamental principles:
• When we assess risk we should involve business managers as they know the business best.
• We need to bring different types of information together to form a risk picture; some messages by
themselves can be misleading.
• Remember ground rules may be changing around managers as they work so keeping track of those
changes is a proactive need, not simply reactive.
• Our objective is to enable risk information to be clearly presented and communicated back to the
board and managers, in order that risk can be understood and acted upon.
We have to keep records that will support our work and allow others to monitor its effectiveness.
To collect and present a clear picture of risk to assist management decisions we first need to understand
and describe identified risks, both qualitatively and quantitatively. We need to compare risks so we can
rank them in order of importance. We also need to know which risks management consider important so
we can highlight them in our reports. Also, it would be useful to be able to collect risks of the same type.
For example, financial risks could be discussed with the finance director; IT risks can be discussed with
the IT manager and so on. Finally we need to assemble a view of significant risks to which the
organisation is currently exposed.
We know that to distinguish and catalogue risks for comparison we need to quantify the damage that
could result if each risk materialised. We also need to estimate how often a particular incident is likely to
occur. Combining impact and probability gives us the basis for risk comparison and ranking. We will see
later in this chapter that this combination is often referred to as exposure, because it is a measure of
possible loss to which an organisation is exposed.
Risk assessment is not complete without exploring options for risk control. We need to see what risk
reduction precautions are possible. We have to record our analysis and recommendations, taking into
account known management views on the level and type of risk they consider acceptable.
Once decisions have been taken, we need to record them along with the name of an individual who has
agreed to take responsibility for seeing that appropriate action is completed. Other housekeeping is
essential. Risks and their analyses must be associated with dates so that changes can be tracked over
time. Also, certainly for the more important recommendations, a full audit trail should be kept so that
background to decisions can be revisited and reviewed.
Risk data must be kept in an easily understood and accessible file and in a form that allows for
information to be used in related exercises, such as risk modelling and stress testing. The database
must accommodate change and allow for measurements to assess effectiveness of controls. As we build
up our risk pictures we must bear all these points in mind.

Size and complexity of data to be stored and intentions as to its management and future use will
determine what software tools are to be used. Choices will range from a simple spreadsheet approach
through relational databases to complex corporate risk management systems.
Risk analysis is a continuous process of investigation, discussion and review. During discussions there
will be plenty of opportunities to make people more aware of risk, and to help managers understand
exposures being carried. Hopefully, this will improve routine decisions and also help managers who
need to convince other stakeholders that they operate effective controls.

B Risk categorisation
B1 Principles and benefits
We have seen that the objective of enterprise risk management (ERM) is to identify, analyse and control
all the risks associated with an enterprise. This is an ambitious target, and quite impractical without
some method of organisation and data reduction to make sense of the deluge of risk information we
collect.
A widely adopted approach is to first put risks into categories and then look within each category to
determine which risks are important, and which risks can be ignored. This is known as risk
categorisation. In this way, different risk appetite criteria can be applied to determine cut-off points in
each category according to the nature of risks involved and their effects on objectives of the enterprise.

Remember that there is no point using resources to investigate and control risks whose impact is less
than the value of resources employed.
Risk categorisation systems are important because they enable an organisation to identify
accumulations of similar risks and clarify potential for applying common risk control strategies. They
help organisations identify which strategies, tactics and operations are most vulnerable to anticipated
threats. This allows for preparation of an overall risk profile of the organisation that can be updated on a
regular basis and used to alert the board to the need for intervention when required.

B2 Difficulties with categorising risks


You will remember in chapter 1 we discussed problems defining risks and risk categories. What groups
or categories should we choose? Which definitions will we use to describe risks, our own or those of a
regulator or professional institute? External considerations may govern our choice. Stakeholders such as
regulators, lenders or auditors may expect or demand that risks are analysed in a certain way and that
predetermined categories are used. If so, does this encourage comparison and reaction from
competitors in our chosen markets? Can any of the risks change over time and move from one category
into another?
Categorisation is not a simple process. Do we consider the type of event that occurs or look at the cause
of that event? What happens if there was more than one cause? How do we account for interdependent
risks? Do we use subcategories in our classification process, and if so what should these be? Once we
have decided on our categories can we use this information in different reports?
Organisations decide which categories to use after considering what the information will be used for.
Obviously if there are regulators involved, primary choices will be determined by their requirements.
Otherwise, the main purpose will be to facilitate risk management and provide useful information to
the board.
Discussions to determine the type or mix of classification system that is most appropriate to the needs
and requirements of the organisation should crystallise thoughts about the definition of risks an
enterprise wants to adopt. They will explore which significant risks or clusters of interrelated risks will be
of potential interest to various stakeholders and regulators.

B3 Approaches to risk categorisation


A good categorisation system will allow risks to be looked at in various ways. Typically, broad
management categories such as operational, tactical and strategic, will be subdivided into functional
areas and then further divided by attributes of the risk. Attributes could include measurements or
estimates of impact, frequency, time to materialise, or primary cause. All risks must be compared using
the same set of attributes.

It is worth spending time experimenting with different categorisation systems before making a final
decision. Chosen categories should cover all identified risks yet minimise the risk of overlap. They
should be consistent with organisational structures so that lines of authority are not confused and allow
risk priorities to be mapped into management actions. Category names should be recognisable,
consistent with what most people understand by the words, to facilitate communication and
understanding. The number of categories should be large enough to allow fine tuning yet small enough
for the risk ranking task to be manageable. Where applicable, categories should also be consistent with
any databases that may be used to assist the risk ranking process.
In chapter 1, section F, we discussed the link between cause, event and effect. Attempts to classify risks
by cause have proved difficult in practice, particularly when more than one cause can contribute to an
event. Although causes and effects can be used, events normally form the basis for categorisation.
One critical distinction is the timescale of a risk, the time between cause and effect. Risks whose impact
is felt a number of years after the cause(s) are generally related to strategy, having potential to
undermine fulfilment of strategic objectives. Medium term risks will impact in months and are generally
associated with projects, processes, change programmes, acquisitions and the like. Risks with
immediate potential to disrupt current operations are clearly operational risks. Long-term risks may
relate to opportunity as well as threat.
Organisations should be aware of the most commonly used risk classification systems, and choose a
model similar to the one that best fits their objectives. The framework would be adopted as a template
on which to base their own work. Sometimes a combination of two systems will be a more appropriate
solution. There is no risk classification system that is universally applicable to all types of organisations.

B4 Risk categorisation systems


Various interest groups have put forward ideas for risk categorisation, designed round the interests of
their members (see table 5.1). Some are particular to a group but many are designed with broader
application in mind. As yet there is no internationally recognised standard, so it may be useful to create
one. We have seen that organisations, as well as individuals, can have widely different perceptions of
risk, and therefore different criteria for categorisation.
Typically, organisations operating in a specified market can find common principles and these can be
refined and developed into a general standard method for classifying risk. Common themes can be seen
across different classification systems, but market specialisation and technical terminology ensure that
most systems are sufficiently different that they are of practical use only in their intended market area.
Look at the following list of risks, devised by the actuarial profession to help categorisation in
insurance-related organisations. It is very much industry specific and not intended to be a standard for
people working in this field. It is published in the hope that common terminology will reduce the
possibility of confusion in discussing these types of risks:
• market risk;
• credit risk;
• insurance and demographic risks;
• operational risk;
• liquidity risk;
• external risk;
• frictional risk; and
• aggregation and diversification risk.
Market risk addresses fluctuations in asset values or liabilities caused by stock market movements.
Credit risks are derived from failure of counterparties to fulfil contractual obligations. Insurance and
demographic risks relate to experience not matching underwriting expectations. Operational risks cover
fluctuations in the cost and efficiency of production and sales operations or inadequate/failed internal
processes, people and systems or external events.

Consider this…
Some risks may be hard to classify. For example, in which category would you put a) global warming, b) rogue
trading and c) anti-fracking demonstrations?

Preserving the liquidity ratio at minimum cost is important enough in insurance to warrant a separate
category, as is the risk that external events, for example, might prevent future strategies being realised.
The term ‘frictional risk’ covers the effect of changes in legal, accounting, regulatory or credit agency
requirements or any similar event that puts up costs above those that would otherwise be required.
Finally, aggregation and diversification looks at the risk of insurance claims not falling into planned
distribution patterns. Each main category is subdivided into several highly technical divisions.
Another industry specific categorisation is defined in the Basel II banking regulations. Below is a list of
official Basel II events:
• internal fraud;
• external fraud;
• employment practices and workplace safety;
• clients, products and business practice;
• damage to physical assets;
• business disruption and systems failures; and
• execution, delivery and process management.
In this context, examples of internal fraud would be misappropriation of assets, tax evasion or bribery.
External fraud might be theft of information, hacking damage, third party theft or forgery. Under clients,
products and business practice examples would include market manipulation, improper trade, product
defects, fiduciary breaches and account churning. Execution, delivery and process management includes
data entry errors, accounting errors, failed mandatory reporting and negligent loss of client assets.

Other categories could be common to most organisations. Employment practices and workplace safety
covers discrimination, workers’ compensation and employee health and safety. Damage to physical
assets includes natural disasters, terrorism and vandalism. Business disruption and systems failures
cover utility disruptions, software failures and hardware failures.
Other published categorisation systems tend to have broader categories. The names and definitions
diverge, reflecting origins and objectives of the various systems. Table 5.1 shows a number of category
names and five published systems that use them.

Table 5.1: Common category names

Category          BS31000   COSO   AIRMIC/Alarm/IRM   FIRM   PESTLE
Compliance                  ✓
Economic                                                     ✓
Environmental                                                ✓
Ethical                                                      ✓
Financial         ✓                ✓                  ✓
Hazard                             ✓
Infrastructure                                        ✓
Marketplace                                           ✓
Operational       ✓         ✓      ✓
Programme         ✓
Project           ✓
Reporting                   ✓
Reputation                                            ✓
Sociological                                                 ✓
Strategic         ✓         ✓      ✓
Technological                                                ✓

COSO reporting, for example, is mainly concerned with the US legal requirements to report accurate
financial data. Financial risks are normally concerned with internal financial controls, risks related to
money management, asset values, credit availability, liquidity and financial profitability.

The FIRM classification uses infrastructure to include core processes, marketplace to reflect business
plans and opportunities, and highlights reputation as a key risk concern. The first two categories are
internal risks and the latter pair external. The classification focuses on the effect of risk on corporate
objectives and stakeholder expectations and aims to highlight key dependencies.
PESTLE (which stands for politics, economics, social, technological, legal and environment) breaks down
the external environment in which an organisation operates. It is promoted to be used in conjunction
with the SWOT analysis (strengths, weaknesses, opportunities and threats) when creating and reviewing
strategic plans. It has been used for a number of years in various contexts such as market research and
strategic analysis, primarily for exploring external factors influencing an organisation.
Several systems comment on the use of project management techniques to operate across companies or
line management disciplines to achieve specific results. Projects could be anything from introducing a
new IT system or launching a new product range to building a nuclear reactor. All projects have a generic
requirement to deliver an end product to specification within a specified timescale and budget. Any
project risks could therefore be classified under the three headings of specification, timescale and
budget, listing anything that could threaten required achievement in these areas.
If risk categories and subcategories are carefully selected, compilation of annual reports and other
publications for investors becomes easier, boards are presented with information in a more
comprehensible form, and questions from regulators, media and other stakeholders are more readily
answered.

Question 5.1
Often there is a time delay between cause and effect of a risk. How does this timescale help us with risk
classification?

C Measuring impact
We have seen that if we want to compare and manage risks we need to measure consequent losses or
gains if risks materialise. Also losses or gains due to an incident cannot always be measured simply in
financial terms. Damage to assets can usually be quantified, as can damage to revenues and cash flows.
It is more difficult to attach monetary values to personal consequences such as injury and loss of life or
to things like loss of reputation, confidence and destruction of brand value. Intellectual property losses
and the cost of defaulting on legal obligations are similarly hard to evaluate. Gains may be equally hard
to quantify. Estimates might be made for the financial benefits of entering new markets, introducing new
products or for making acquisitions. However, it is hard to place a value on things like reputation or
accumulation of technical expertise.
Despite these inherent difficulties, it is necessary for risk evaluation to adopt some criteria that will
allow risks to be compared and prioritised. First we need to consider some of the issues involved as
damage can be seen in quite distinct and different ways.

C1 Health damage, injury or loss of life


In Western society we take the view that no unreasonable risk to human beings is justified and UK
legislation imposes duty of care responsibilities on organisations. This is backed up by detailed and
extensive health and safety requirements and regulations. Risk is not confined by an insurance policy,
and any activity or lack of activity that results in personal health or injury damage can be very expensive
if subsequent litigation occurs.
Other cultures and societies may place different value on human life and health or have different
religious backgrounds. In these areas minimal health, safety and life protection measures may be
standard practice and losses from personal incidents accordingly less onerous. Organisations with
global spread have difficult moral judgments to debate and decisions they need to make but often
avoid. Political or legal considerations in an organisation’s home country can lead an organisation to
declare a policy but internally allow different interpretations of this policy in different trading areas. A
risk department needs to be aware of internal political tensions and record the basis of key
recommendations and decisions.

C2 Asset loss
Most asset losses can be measured in monetary values and a risk department will be concerned, as are
insurers, with concepts of indemnity. The issue is not just insurance specific, as a risk team will be
looking to determine what monies are needed to return the organisation back to the position it enjoyed
before the risk incident.
Assets recorded and summarised on the balance sheet will have readily accessible accounting values
that can be used. Other assets will require conversation with relevant departments to assess the
financial effect of resulting loss of business if those assets are devalued.

C3 Time and resources


For some risks lost time is the most critical element of damage. Failure to meet delivery schedules can
cause penalty clauses to be invoked, clients to move elsewhere and loss of reputation.
Another critical issue can be loss of resources or tying up resources on damage limitation, crisis
management or communication issues. The cost here is not just the cost of resources used, but also the
cost of lost business opportunities that could have been exploited had those resources been available.

C4 Business survival
Any risk that threatens the survival of an organisation needs high priority attention even if the
probability of it materialising is remote. For these risks a single incidence is unacceptable unless
adequate defences are in place.


Some survival risks may be high monetary value incidences of common risks, such as physical damage,
fraud or misuse of funds, but others may not be measurable in financial terms. All business is based on
confidence and loss of confidence can have severe consequences. Examples of issues that could affect
confidence are damage to the credibility of a brand, concern with regulatory approvals and licences,
security of intellectual assets, and mistrust of strategic direction. An organisation must retain the
confidence of all its stakeholders with their different, sometimes overlapping and conflicting, types of
interest.
Associated with confidence is reputation risk. In many businesses damage to reputation directly results
in loss of potential income, and depending on the size and diversity of operations, could result in
closure, divestment or loss of market value leading to subsequent takeover. Examples of organisations
critically dependent on maintaining reputation include entertainers, consultants, charities, financial
advisers, computer manufacturers, software suppliers, authors, manufacturers of safety critical products
and specialist retailers.
Credit, solvency and liquidity risks must all be controlled if an organisation is to survive. Affairs must be
managed so that assets exceed liabilities and the organisation does not run out of cash. Loss of credit is
equivalent to running out of cash if the organisation relies on borrowing for day-to-day operations.
Third party damage is another survival risk. Some organisations, notably those involved in nuclear power
operations, aviation, chemicals and oil exploration and transportation, can cause widespread human
and environmental havoc if things go wrong. Consequential damages and restoration costs could prove
unsustainable.

C5 Defining impact
An organisation must decide how it is going to quantify the impact of risk. What information does it
expect from the analysis and how is that information going to be used? Of course initial decisions and
practices will be modified and refined as risk management experience accumulates.
If we cannot measure impacts in financial terms what options are available? Generally, the solution is to
attach codes to the risk that flag its importance in broad qualitative terms. Risks that threaten the
survival of the organisation, for example, might be allocated a code that ensures they come top of any
comparison analysis. The codes could allow for broad categories of assessment such as intolerable,
high, medium and low, allocated after discussion with appropriate managers. A life-threatening risk in
this scheme would be flagged as intolerable. Red, amber and green codes are also very common.
Having decided how to record non-financial impacts we need to allocate money values to the remaining
risks. What ground rules do we use?

One debate might be whether impacts are to be recorded as ‘net cost’ to the organisation (e.g. after any
insurance claims are met or recoveries from any other risk financing have been made) or ‘gross’ (i.e. to
include sums even though they may eventually be recovered).
Further considerations may be around whether to calculate maximum possible loss or maximum
probable loss. Maximum possible loss means it is impossible for the quantum of a loss to exceed the
stated figure. Maximum probable loss means it is only probable that the loss will not exceed the stated
amount.
As an example, the maximum probable loss due to a fire in a building fitted with sprinklers and within
ten minutes of a fire station may be estimated as a certain number of floors. Sprinklers, however, have
been known to fail. There may be environmental or safety reasons or a police security cordon that would
mean that a fire and rescue service might not be able to operate as expected. The maximum possible
loss, therefore, could still be the entire building.
An organisation must decide which definition of monetary value is best suited to its needs. It must also
decide how accurate its money values are likely to be. It is no use speculating about a range of possible
impacts and then hoping to assign accurate valuations. We are looking to allocate financial impacts into
broad categories and bands similar to the non-financial events, but quantitative rather than qualitative.
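The ranking approach described in section A (exposure as the combination of impact and probability) and section C5 (qualitative codes for risks that cannot be costed, survival risks forced to the top, net versus gross impact) can be put into a small risk register. The following is an added example, not code from the study text or from any of the standards it names; the register entries, the owners, the money bands and the code names are constructed for illustration.

```python
"""Ranking a risk register in the way section C5 describes: qualitative codes
(intolerable, high, medium, low) settle precedence, exposure = probability x
impact orders costed risks within a code, and gross and net impact are held
side by side so the reporting basis can be switched.

Added example; the register entries, thresholds and names are constructed and
are not taken from the study text or any named standard."""
from dataclasses import dataclass
from typing import Optional

# Qualitative codes in precedence order; 'intolerable' always ranks first.
CODE_RANK = {"intolerable": 0, "high": 1, "medium": 2, "low": 3}

# Constructed money bands for quantitative exposures: (upper bound, label).
BANDS = ((10_000, "low"), (100_000, "medium"), (1_000_000, "high"))


@dataclass
class Risk:
    name: str
    category: str                         # e.g. operational, strategic, hazard
    probability: float                    # likelihood over the reporting period, 0..1
    code: str = "medium"                  # qualitative flag agreed with managers
    gross_impact: Optional[float] = None  # cost before insurance or other recoveries
    recoveries: float = 0.0               # expected recoveries (insurance etc.)
    owner: str = ""                       # individual responsible for agreed actions

    @property
    def net_impact(self) -> Optional[float]:
        """Net cost to the organisation after recoveries; None if uncosted."""
        if self.gross_impact is None:
            return None
        return max(self.gross_impact - self.recoveries, 0.0)

    def exposure(self, basis: str = "net") -> Optional[float]:
        """Probability x impact on the chosen basis ('net' or 'gross')."""
        impact = self.net_impact if basis == "net" else self.gross_impact
        return None if impact is None else self.probability * impact


def band(exposure: float) -> str:
    """Place a money exposure into a broad band comparable with the codes."""
    for upper, label in BANDS:
        if exposure < upper:
            return label
    return "intolerable"


def rank_register(risks, basis: str = "net"):
    """Order for a board report: by code first, then largest exposure first;
    within a code, uncosted risks follow the costed ones."""
    def key(risk):
        exp = risk.exposure(basis)
        return (CODE_RANK.get(risk.code, len(CODE_RANK)), exp is None, -(exp or 0.0))
    return sorted(risks, key=key)


def by_category(risks):
    """Group risk names by category so each can be discussed with the relevant manager."""
    groups = {}
    for risk in risks:
        groups.setdefault(risk.category, []).append(risk.name)
    return groups


# Constructed register for a small trading company (illustrative values only).
REGISTER = [
    Risk("Fire in main warehouse", "hazard", 0.02, "high", 2_000_000, 1_800_000, "Ops director"),
    Risk("Data centre power failure", "operational", 0.3, "medium", 150_000, 0.0, "IT manager"),
    Risk("Loss of operating licence", "strategic", 0.01, "intolerable", None, 0.0, "CEO"),
    Risk("Forklift collisions", "operational", 0.95, "low", 20_000, 0.0, "Warehouse manager"),
]


def ranked_names(basis: str = "net"):
    """Names in report order on the chosen basis."""
    return [r.name for r in rank_register(REGISTER, basis)]


if __name__ == "__main__":
    for risk in rank_register(REGISTER):
        exp = risk.exposure()
        shown = f"{exp:,.0f} ({band(exp)})" if exp is not None else "uncosted"
        print(f"{risk.code:<12} {risk.name:<28} net exposure {shown}")
```

Note how the basis matters for the numbers but not, in this register, for the order: on a net basis the warehouse fire carries an exposure of 4,000 once insurance recoveries are deducted, against 40,000 gross, yet its 'high' code keeps it above the power failure whose net exposure is larger. That is the point of recording the code separately from the money figure.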

C6 Aggregate loss
It is not just the cost of a single incident that needs quantifying, but also total costs that may be incurred
by multiple incidents of the same type over a period of time. Losses must be aggregated when a risk
results in simultaneous multiple incidents of damage. Crime losses, fires, deaths, weather damage,
contract default and many other losses can happen more than once in any specified time period. The
financial reporting year of the organisation may be a useful reporting period, or the period may extend
over the shorter or longer timescale of a particular project.

C7 Risk aggregation
We must also consider and quantify the possibility that a risk incident may cause damage to an
organisation in more than one way simultaneously.

Example 5.2
A plane crash can damage an airline in many different ways as follows:
• Physical loss or damage of an expensive aeroplane and its contents.
• Liability claims from passengers.
• Liability claims from employees.
• Increased insurance costs.
• Loss of revenue until a replacement aeroplane can be sourced.
• The cost of sourcing another aeroplane.
• Liability claims for injury and damage to property on the ground.
• Reduction in staff morale and confidence affecting workforce performance.
• Loss of brand name and trust causing a drift of customers to other airlines.
• Reputational damage that can cut ticket sales for a long period.
• Where different subsidiaries or departments have interdependencies, a failure in one can impact right across the
group. For example, legislators might ground other aircraft in the fleet until the cause of the crash is fully
established.
• Claims from various stakeholders and public authorities alleging boardroom failures.
• In extreme cases, the possibility of individual or corporate manslaughter prosecutions.

Example 5.2 highlights the need to understand in detail the objectives of an organisation, its strategies,
organisation and dependencies. Only by keeping the overview in mind can you hope to allocate
meaningful values to those risks that have multiple consequences.

D Measuring probability
Numerous methods and formulae exist that use historical data to analyse mathematically the probability
and impact of risk. These methods do have significant value. It is important, however, to recognise the
danger of becoming so involved in these formulae and in the analysis process itself, that the primary
business objective is forgotten. Clear vision is needed throughout about aims of the analysis and
whether the source, range and accuracy of the figures will lead towards achieving those aims.
We cannot always use historical data to predict future trends. If nothing has changed since data was
collected then historical records will be a good guide to the future, but this is very rarely the case. Due
allowance has to be made for ongoing and expected changes that may affect data. Examples across an
organisation could be changes of product, personnel, working practices, market, technology, turnover,
regulation or a host of other factors. In chapter 4 we looked at the way in which data can be collected.
If an organisation is new or is planning for a future completely different from its past then the only help
we are going to get is from the experience of our risk management experts. This will be in addition to any
general published risk management data and information we can find about organisations with
parameters and objectives similar to our own.
In the UK and elsewhere, there are dramatic changes in the way organisations are creating and delivering
their products or services. Important external influences too are now affecting the risks they carry.
Among many things these can range from changes in legislation to new scientific knowledge and
alterations in the cultural, business and physical environments.
It is important to remember that loss experiences change the perception of risk, so we have to be careful
with our comparisons. Examples of previous loss events include the:
• Bhopal disaster in 1984;
• Chernobyl nuclear power plant explosion in 1986;
• King’s Cross fire in London in 1987;
• Piper Alpha explosion in 1988;
• Exxon Valdez incidents in 1989;
• St Mary Axe IRA bomb in 1992;
• World Trade Center attacks in New York on 11 September 2001 (commonly referred to as 9/11); and
• 2008 financial crisis.
All these events changed our perceptions of certain risks (pollution, terrorist attack etc.) and will impact
long into the future.
Nevertheless, in many circumstances properly recorded historical events are the best guide we have to
the future. Often, we can modify calculated expectations by taking into account known changes and
trends that might affect future behaviour. However, we have to be sure our historical data is accurate
and useful. We have to understand what the input criteria are, check them in terms of quality and then
take a view on their value in relation to the actual objective in mind. Slight inaccuracies or variables in
input data, when subjected to statistical processes, can produce output that is totally misleading.
Mathematical development of statistical analysis is outside the scope of this study text. However, we
need to understand the principles of what is involved. The theory depends on there being a minimum
number and spread of core incidents to enable the laws of averages to be applied and for clear and
usable trends to emerge. We cannot apply these methods to single or infrequent occurrences. Graphs
show the distribution of measurements recorded and mathematical formulae reveal data from the graph.
Statisticians learn to recognise different shapes and trends and can advise which tools are likely to be
most appropriate in individual circumstances. As a general rule, however, the risk analyst is likely to find
basic tools adequate as other considerations and changes will be more important than mathematical
precision. For example, professional statisticians and survey companies will always qualify their output
with a perceived margin of error that should be assumed by its readers. This margin is crucial to
understanding the statistics and formulae. Such an error margin, say +/–5%, may destroy the value of
these statistics in particular applications.
The prime use of historical data analysis in risk management is to determine expected values or ranges
of value for particular ongoing risks. If there were 20 collisions of forklift trucks in a warehouse in each
of the last three years and no major alterations in size, throughput or working practices, then we can
expect about 20 collisions next year.
Chapter 5 Tools and techniques 2: assessment and measurement of risk 5/11

Remember that statistical analysis only resolves part of the picture. Results must be used in conjunction
with other information, particularly if we plan to intervene with risk management initiatives or changes in
working arrangements. For example, if the average value of each stock theft in a supermarket last year
was £80 then next year we can expect £80 plus inflation. If we plan to stock higher value items next year
we may want to make a further adjustment. Anything we know about the organisation and its environment
must be considered when we interpret our statistical results.

D1 Probability theory
The theory of probability sets out to illustrate likelihood or probability as a numerical value. We calculate
the likelihood of an incident occurring and present that exposure in mathematical form.
Conventionally, probability is expressed as a figure between 0 and 1. A measurement of 0 indicates the
event is impossible, i.e. will never occur within the given period of time that is being discussed. A
measurement of 1 implies the event is a certainty. Allocating a number between 0 and 1 represents how
likely it is that a risk incident will occur, again within a given period of time such as an insurance year, a
financial year or another designated period of time. A rating of 0.001 means that it is very unlikely that
risk will occur, whereas a rating of, say, 0.85 means very likely. You might also see probability expressed
in percentage terms (10%, 50% etc.) though this is not common practice amongst statisticians.
Although this concept seems straightforward, setting a probability rating requires considerable skill,
based in part on the statistical evidence from past events and an understanding of changes that have
been made since and are likely in the future, since history rarely repeats itself exactly. Where there are no
readily available or trusted statistical foundations, rating must begin with the understanding and
experience of the risk professional, supported by operating managers and other advisers as appropriate.
Where past statistics can be used, straightforward extrapolation of past figures can be taken into the
future. If an oil company consistently has about 30 injuries a year among its workforce of 30,000, the
injury rate is one employee per 1,000 persons employed per year, or 0.001 of the workforce. If there are
no expected changes in the risk profiles, they have an injury probability rating into the future of 0.001. If
a lorry or taxi fleet of 400 vehicles has been experiencing 149 accidents per year, the probability rating in
unchanged circumstances would be 0.3725.
The theory can be developed to look at accidents at different cost levels in order to understand the
probability of accidents occurring in the future at those different levels. In other words, there could be a
probability rating of a loss costing up to, say £100,000 in any one period of, say, 0.125. The probability
rating of a loss costing up to £1m may be much less at 0.0125.
Experience within a car fleet could be an area for probability assessment in such a mathematical form.

Table 5.2: Probability rating of drivers within a car fleet


Age band                  No. of drivers   Accidents   Probability
All drivers               1,000            316         0.316
Drivers aged under 25       150             68         0.453
Drivers aged 25–30          330            125         0.379
Drivers aged 30–35          340             90         0.265
Drivers aged over 35        180             33         0.183

Table 5.2 gives a probability rating of drivers, in each age band, having an accident in the coming year.
One outstanding piece of information here is that amongst the drivers that are under 25 years of age,
almost every other one has an accident in each twelve-month period. Amongst the drivers who are over
35, only about one in six has an accident every year.

Consider this…
Are there any other facts from table 5.2 that would give you cause for concern?
5/12 M67/P67/March 2018 Fundamentals of risk management

D2 Combining probabilities
So far we have considered the probability of one event in isolation occurring within a given period of
time, but an organisation will come across situations where there is a need to combine probabilities.

Example 5.3
For instance, suppose you want to illustrate mathematically the probability of a fire occurring in two factories in the
same year. This could affect decisions made about risk financing and also bring out issues about the failure of one
factory to replace the deliveries of the damaged one.
For this example let’s assume that the two factories are sufficiently far apart to be considered as two entirely
separate risks. The probability has already been established individually at 0.01 for the London factory, and 0.025 for
the Bristol factory (higher perhaps because of the type of process or raw materials in use). Clearly there is less
likelihood of the two fires happening in the same year than one fire only. Therefore, multiplying the probabilities and
assessing the likelihood of the two fires in one year gives a result of 0.00025.
This result is valid only for independent factories. Beware that one cause may affect both factories at the same
time, i.e. there may be correlation between the two risks. If the factories are close to each other, a fire in one
may deny access to the other. If they share a common dependency, say a supply of raw materials from one source,
power supplies, water etc., then the exposure is common, not separate, and the probabilities can no longer simply
be multiplied: the chance of losing both factories in the same year can be as high as the smaller of the two
individual figures (0.01 here, forty times the independent result), and the chance of losing at least one is
bounded above by their sum (0.035).

By studying combinations of risk, it may be possible to take action to avoid certain combinations and so
lower expected total loss.

Consider further our example of the management of a fleet of vehicles (table 5.2). Historical analysis can
disclose where a combination of factors can lead to higher probability. For example, a fleet manager may
want to see how the combination of young drivers and high performance type cars come together to
raise loss experience. Figures could be analysed to illustrate past experience of those types of cars in
the fleet and compared again with:
• the total experience of young drivers who drive them; and
• all drivers who drive them.
The implication is that these trends will continue at a cost to the organisation, unless some measures
are taken to change the pattern of risk. The patterns could be changed by excluding young drivers from
the fleet or by denying them access to higher-powered vehicles. This would need changes to existing
policies, and raising the average driver age may increase standing costs of salaries and benefits.
If sufficiently detailed historical data is available, probability combinations could be examined and data
used to support other risk management initiatives. Analysis of past accidents by vehicle type might
provide some guidelines for future procurement specification, although risks would be expected to
change anyway as new vehicles are introduced with better safety features. Alternatively, the fleet
manager may propose to introduce assisted parking electronics, selective engine governors or better
training for particular driver profiles.

D3 Probability and frequency


Probability tells us the chance that something might happen in a chosen period of time. This information
is particularly useful when considering infrequent high damage risks. Comparing probabilities means a
risk that is more likely to happen can be handled more urgently than one that is less likely to happen.
Remember, however, that probability indicates only how often something is likely to happen. It does not
predict when something will happen or if it is likely to happen imminently.
Sometimes it is more useful to look at frequency, which is an expression of how often an event may
occur. Frequency and probability are of course related. An event with a probability of occurrence in one
year of 0.2 can be expected to occur, on average, once every five years (a return period of five years); it
is not certain to occur within any particular five-year span. Frequency is commonly used, for example,
when evaluating most general insurance products.

Be aware
You should be aware that despite their technical difference, the terms ‘probability’ and ‘frequency’ are often
interchanged in free text descriptions. For example, later on we will describe probabilities in terms of frequency, as
this is how it is usually done.

D4 Risk aggregation and correlation


In our plane crash example (example 5.2), we saw how a single incident could lead to multiple effects. In
our factory fire example (example 5.3), we saw how two superficially separate risks in practice could be
interrelated. These are simple illustrations of risk aggregation and correlation. In practice, many risks
have multiple possible causes and effects, which are all correlated in different ways.
Typically, a risk incident will occur because something has set off a chain of events leading to loss or
damage. A simple example would be metal fatigue that causes a failure of a critical flight function in the
control of an aircraft. That loss of control leads, in turn, to a crash causing damage and loss of life.
Additionally, a combination of causes, happening concurrently, may cause a damaging incident. In our
example it may be that the metal was adequate to retain control of the plane in normal weather
conditions, but extra demands made during unusual storm conditions brought about failure of control,
and then the crash (figure 5.1).
As we saw in chapter 1 when looking at risk and effect it is important to remember that there may be a
combination of two or more otherwise unconnected causes that together bring about damage. A risk
management department will need to understand those dependencies and model the chain of single
events, or converging chain of different events, which could bring about loss.

Figure 5.1: Causal diagram illustrating combination of causes

Cause: metal fatigue plus severe weather; Event: loss of control; Effect: plane crash.

D5 Numerical definition of probability


Now we have looked at all the elements affecting the values we use in our impact and probability
assessments, we can proceed to decide exactly how we complete our risk models. Remember that we
have decided financial valuations can only be estimated usefully into fairly broad bands. The same
arguments apply to probability calculations. The calculated numbers look precise but uncertainties in
assumptions and base data mean we can only reasonably use them as a guide.
For example, an organisation with a factory in a known flood risk zone from a nearby river will logically
address this risk before, say, the risk of a plane crashing onto its property, especially if it is not
under any airport approach or even a flight path. A simple high, medium or low probability may suffice,
or a more detailed definition with more degrees of measurement may be needed. Exactly how much
thought and detail is reflected in the subdivisions will depend on the importance management attach to
risk assessment, availability of relevant historical loss data, time available, and whether action is
expected as a result. Assessments must take into account likely future changes, either within the
organisation or to its environment.

Activity
Can you think of ten reasons why you might not live to the age of 75 and assess their probability in, say, four bands?
Were your answers guesses or supported by statistics? Did you take personal lifestyle factors into account?

Our objective is to assess all identified risks in a consistent way and describe them in a common format
so that any audience across an organisation can relate easily to the importance of one risk against
others. We can do this by allocating numerical codes to our bands of probabilities and valuations.
Remember that some aspects of impact cannot be quantified so we still have to accommodate free text.
Table 5.3 is an example of numerical definition of probability.

Table 5.3: Numerical definition of probability


1. Frequency lower than once in ten years
2. Once in ten years
3. Once in five years
4. Annually
5. More than five times a year

Now we have reduced our detailed calculations to a single number that can be inserted into tables. On
the face of it, a risk in band 4, say, may demand priority of attention over those thought to have
probability ratings of 3 or less. However, we cannot just look at probability or frequency; we have also to
consider impact.
Any risk classification must take on board the severity of its impact on an organisation’s people,
operations and responsibilities. If a risk event were to have devastating effects, then this potential
impact may be far more important as the motivation for an organisation to adopt a combination of
relevant risk management measures than probability may ever be. The only issue with such risks is that
they can happen; not how often. Taking no risk management action in such cases may not be an option
open to the organisation even if it has not experienced the incident before or has done so infrequently.

D6 Numerical definition of impact



The same classification principle can apply to quantifying impact. If a risk manager can establish a
consistent definition of different levels of impact, it becomes possible to apply that level rating across
the organisation. The example in table 5.4 uses a numerical structure of four levels and has established
definitions of each level.

Table 5.4: Numerical definition of impact


Level Definition
1. Negligible
• All problems can be resolved with no external impact whatsoever.
• Financial losses: capital below £75,000, revenue local impact only.
2. Marginal
• It takes up to one day to reinstate customer-facing services.
• Financial loss: capital below £750,000, revenue 10% local targets, 3% group targets.
3. Critical
• It takes up to three days to reinstate customer-facing services.
• Fines by regulatory authorities.
• Loss of confidence within the client base and other stakeholders.
• Loss of confidence within the workforce.
• Credit rating fall one half point or more.
• Financial loss: capital below £7.5m, revenue 50% local targets, 10% group targets.
• Unacceptable health and safety risk.
• Health and safety approvals for a building withdrawn.
• Risk of share price falls of up to 10%.
4. Catastrophic
• It takes more than three days to reinstate customer-facing services.
• Loss of regulatory or licence approval.
• Illegality within a business operational area.
• Loss of confidence in the brand name by the general public.
• Loss of confidence in the brand name by shareholders.
• Financial loss: capital above £18m, revenue 25% group targets.
• Credit rating fall one full level or more.
• Risk to life.
• Risk of share price falls of up to 25% or more.

You will notice that this table accommodates both financial risk estimates and our requirement for free
text descriptions of risk impact. We look right across all possible consequences before allocating a risk
to one of our chosen categories. Different organisations will choose different criteria and may change
their definitions in view of experience or change.
For example, table 5.5 captures an internal risk faced by an organisation relating to fraud by its
own staff. It suggests some causes for such a risk to materialise and assessment of its possible
consequences, here described in purely financial terms. It also captures a numerical definition of
probability and a numerical definition of impact. The last two columns in particular will start to allow an
organisation to begin to compare different types of risks it faces. Adding broad measures of assessed
impact and probability to our analysis of causes and consequences helps selection of risks for
further work.

Table 5.5: Internal fraud risk – impact and probability

Risk No.: 1
Risk: Fraud by staff
Cause(s): lack of financial controls; poor contractual controls; poor management information; infrequent
audits; staff morale; poor recruitment controls etc.
Consequences: maximum probable loss – assets: < £1m; money: £100,000
Impact: 3
Probability: 3

E Risk ranking
When risk information has to be published or presented, a risk department may bring probability and
impact together by multiplying the two to create an overall risk factor indicating the size of the risk. In
the internal fraud risk example in table 5.5 therefore, you would multiply the probability factor of 3 and
the impact factor of 3 to give a risk factor of 9. This would compare with, say, a kidnap risk that would
have a much lower probability of 2 in certain circumstances but an impact grading of 4, i.e. catastrophic.
The risk factor would then be 8.
A risk factor determined by multiplying probability by potential loss is a quantified measure of the
possible loss to which an organisation is exposed as a result of some activity or event. Exposure is a well
understood concept in business, often calculated for such things as liability issues, property loss or
damage, or product demand variations. In insurance, for example, exposure is regularly tracked in
respect of outstanding claims.
For risk ranking this approach allows risk management to present a comparison of all risks using a single
number, but it hides whether a high level of exposure is due to a high probability or a high
impact value. An incident that has a maximum possible loss of £1m, but would only happen once in ten
years, may have the same numerical assessment (4 × 2 = 8) as a loss of £100,000 happening twice a
year (2 × 4 = 8). They could be very different risks, calling for very different decisions. Our example
above is just such a case. It would be very simplistic to say that the fraud risk is more important than the
kidnap risk.
A better presentation approach would be to build a graphical demonstration of risk. An easy way to do
this is to use a simple matrix format. Each risk can be given a risk identifier number (see the left-hand
column in table 5.5). The risks, represented as numbers, are positioned in a matrix according to the
assessment of impact and probability (figure 5.2).

Figure 5.2: Probability/impact matrix (probability 1 to 5 on the vertical axis, impact 1 to 4 on the
horizontal axis). Risks plotted, by probability row: row 4: risk 10, risk 3, risks 7 and 8; row 3: risks 1,
2 and 5; row 2: risk 11, risk 4, risks 6, 9 and 12. Risk 1 sits at probability 3, impact 3; risks 7 and 8
sit at probability 4, impact 4.

Our example risk, staff fraud identified as risk 1, has a probability factor of 3 and an impact factor of 3. It
would, therefore, appear in the matrix box as shown. Clearly risks nearer the lower left of the matrix are
less worrying than those towards the right and upper part of the matrix. Risks 7 and 8 logically,
therefore, should receive priority attention.
You can see that, on face value, a simple matrix presentation is a useful way of illustrating the relative
importance of a number of risks. In practice, however, typical risk matrices must be treated with a great
deal of caution.
First, with only a few categories, identical ratings can be allocated to quantitatively very different
risks. Second, errors can result in higher qualitative ratings being allocated to quantitatively smaller
risks. Third, qualitative rankings are subjective rather than objective. Interpretation varies with
different people, leading to different category allocations.
A further problem arises because the headings in risk matrices are not aligned with organisational or
decision making structures so risks in any particular square cannot be allocated in bulk to one particular
person to manage.
Nevertheless, if people recognise these inherent limitations, matrices can provide a useful focus for
effective risk management discussions.

E1 Risk comparison
We have seen how different risks can be compared by reducing their prime characteristics to a simplified
numerical classification, and presenting the results in a table or matrix form that can be easily
understood. By using a combination of different descriptive texts and numbers that reflect levels of
importance, experienced risk professionals can readily allocate appropriate classification codes to
widely different risks in this way.
The process of comparing different risks and presenting them in an order of priority for the use of
resources is generally known as risk ranking. Risk comparison has a larger connotation as there are
other reasons for wanting to compare risks other than to allocate resources. One example would be
benchmarking. We might want to compare different risks across organisations to gauge the attitude to
risk prevalent in a particular industry sector and compare a particular organisation to the norm.
Risk comparisons are also useful for presentation purposes and to support arguments or explanations,
Risk comparisons are
useful to support for example why a particular course of action has been chosen: ‘We have done nothing about this
arguments or because the risk of it happening is less than your chance of winning the national lottery’. People
explanations
compare unfamiliar technical risks to common familiar risks to give their audience a feel of the overall
size of the risk involved.
As people who rank and compare risks are rarely in a position to make subsequent decisions,
particularly in large organisations, most comparisons are selected with the aim of persuading others that
their recommendations or conclusions are correct. Material needs to be prepared and presented
carefully to achieve this objective. A careless graphical representation or risk comparison choice can
destroy the credibility of an argument even if it is logically correct. Risk professionals are strongly
advised to familiarise themselves with communication and presentation techniques if they want their
recommendations to be accepted. Methods of presenting risk rankings and comparisons are only limited
by the imagination of the presenter and any limitations of the audience.

Activity
There are many examples freely available on the internet. Type ‘risk ranking’ into any of the major search engines
and the choices available will contain sites with images of typical slide suggestions. Websites are also available with
advice on which type of risk comparisons generally encourage trust.

E2 Risk factor indices


We have seen that it is convenient to adopt a numerical classification of impact so that risks can be
more easily compared. It follows that if we could standardise a classification system different
organisations could compare the risks they carry. In practice a standard system is only useful if
organisations use it in a consistent way. Nevertheless some standard classifications have been
attempted and are called risk factor indices.
One particular index worth mentioning is the Dow Fire and Explosion Index. This Index is designed to
classify particular hazards that lie within a process in a factory. It applies a predetermined factor number
to hazards within that process that are known to increase overall risk of damage. Adopting an industry-
recognised standard facilitates risk comparisons between similar but disparate sites.
The Dow Fire and Explosion Index is not a perfect tool and needs engineering knowledge to use. On the
other hand the calculation process is straightforward using a standardised spreadsheet format much
like filling in a tax form. It has proved to be useful in determining plant layouts and separation between
vessels in chemical process plants. It allows the effect of different loss mitigation strategies to be
assessed.
The probability of fire or explosion may be affected by the presence of one or more of: dust, pressure,
flammable material, heaters, hot oil etc. With a factor number applied that recognises the presence (or
especially the combination) of these elements, a picture of the likelihood of an incident can emerge. The
factor numbers have been developed beforehand by engineers and experts of fire sciences.
The Dow Fire and Explosion Index reflects surrounding materials and construction. By multiplying the
first (hazard) factor by the second (materials) factor, it is possible to take a view on potential percentage
damage to the surrounding area.

Figure 5.3: Dow Fire and Explosion Index calculations for a selected chemical plant process

1. Determine material factor: a measure of the flammability and reactivity of the materials used,
adjusted for temperature conditions.
2. Calculate hazards factor: general hazards (e.g. enclosed process, access, drainage etc.) and special
hazards (e.g. toxic materials, corrosion, leakage, low pressure operation, rotating equipment).
3. Fire and explosion index = materials factor × hazards factor.
4. Calculate damage factor, reflecting the combination of hazards and material, and from it determine
the area of exposure and the maximum probable property damage.
5. Calculate loss control credit factor for loss mitigation features (e.g. process control, material
isolation, fire protection etc.), and from it determine the actual probable property damage.
6. Determine the maximum probable days outage and therefore the cost of business interruption.

The Dow Fire and Explosion Index is just one example showing how a risk can be reduced to a factor that
is comparable with others. Such comparisons help build a picture, or risk profile, of an organisation and
are useful when risks are competing for attention, money and other resources. The limitations of this
strategy have been mentioned and must be borne in mind when using the results.
Risk factor indices are likely to be of best value when used to support decisions about priorities and
resources to be applied to events that happen reasonably frequently. They can also be used to estimate
likely total cost of a type of incident over a period of time. This is helpful when looking to justify cost
effectiveness of expenditure or other measures to protect against an exposure.

F Risk appetite and tolerance


An organisation can use probability/impact matrices to illustrate its tolerance to risk. The matrix can be
used to separate, graphically, those risks that are acceptable and need no action from those that are not
acceptable and require attention.
We saw in chapter 3 that the extent to which an organisation will tolerate risk is known as its risk
appetite. Is it risk hungry or is it risk averse? Normally, an organisation will have different appetites for
different types of risk. If we have chosen our risk classification system well, we will be able to reflect
these different appetites in a series of matrices, each covering one type of risk.
Remember, the risk policy has to be determined at the top of an organisation by the board or its risk
subcommittee. It is inherent in strategies the board pursues and influences objectives it sets. The
process of describing risk policy often alters board thinking and may lead to objectives being changed.
In chapter 3, figure 3.2 is an example of a possible table outlining risk appetite policy. Management
could choose from one of five levels to indicate its appetite for risk in each risk category it defined. For
example, an investment bank might allocate appetite level 5 to financial risk but a more cautious level 2
for reputational risk. An organisation writing software for computer games might allocate level 5 to
operational risk and perhaps level 3 for financial risk. Of course in a practical situation, the risk
categories will not be as broad as our example. Different categories of financial risk will be allocated
their own risk appetite levels.
We can use risk policy guidelines to decide whether particular risks can be tolerated or not. More
usefully we can decide at what level a particular risk can be tolerated. Could a risk be tolerated if its
probable impact or probability were less than currently predicted? This approach gives us a framework
for informed risk management decisions. Can we allocate resources to manage the risk to bring its
expected effects down to a tolerable level?
Let us return to the probability/impact matrices we developed in figure 5.2 and see how we can use them
to illustrate tolerance to risk. For clarity we will consider a group of risks in a selected category,
identified on a six-level impact/probability matrix as in figure 5.4, and add tolerance information in line
with risk appetite policy.

Figure 5.4: Probability/impact/tolerance matrix (probability 1 to 6 on the vertical axis, impact 1 to 6 on
the horizontal axis). Risks plotted, by probability row: row 6: risk 1, risk 10; row 5: risk 4, risk 12;
row 4: risks 2 and 3, risk 9; row 3: risk 6, risks 8 and 11; row 2: risks 5 and 7; row 1: risk 13, risk 14.
A tolerance line cuts off the upper right nine squares (red) and an escalation line the next nine squares
(amber); the remaining lower left squares are green.

The tolerance level is indicated by a tolerance line as shown. Here the upper right nine squares have
been identified as intolerable, indicating that risks 10 and 12 must be avoided or their effects managed
to bring the risks into the lower left area. The purpose of a tolerance line is to separate those risks which
are acceptable and need no action from those that are not acceptable and require attention. This is a
simple yet powerful presentation technique that offers instant risk comparison with a graphical
illustration of risk levels an organisation is prepared to carry. Each risk category will have its own matrix
representation reflecting different risk appetites that have been defined.

A matrix representation like this can be further extended to indicate decision-making levels in a
multi-tiered organisation. We have added a second line to figure 5.4 which we have called an escalation
line. Such a line can be used to indicate that decisions on risks in the additional nine squares it blocks
off to the upper right can only be made at a defined level of management, say site manager or divisional
director. In this case the original nine squares might be reserved for decisions by the board. Of course
further lines can be added for additional management tiers as required.
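Banding, scoring and matrix placement from sections D5, D6, E and F, as an added Python example that is not part of the study text. The cut points are one reading of tables 5.3 and 5.4 and are assumptions (table 5.4 leaves a gap between £7.5m and £18m, treated here as level 4), as are the tolerance and escalation thresholds; the register of four risks is constructed, with the fraud and kidnap rows reproducing the 3 × 3 = 9 and 2 × 4 = 8 factors quoted in section E. It goes beyond the text in one respect: a catastrophic impact is placed in the red zone whatever its score, which is how the text's own argument about devastating risks would be applied in practice.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    number: int
    name: str
    events_per_year: float     # assessed frequency
    capital_loss_gbp: float    # maximum probable capital loss


def probability_band(events_per_year):
    """Table 5.3 read as thresholds on events per year (assumed cut points)."""
    f = events_per_year
    if f < 0.1:
        return 1   # lower than once in ten years
    if f < 0.2:
        return 2   # once in ten years
    if f < 1.0:
        return 3   # once in five years
    if f <= 5.0:
        return 4   # annually
    return 5       # more than five times a year


def impact_band(capital_loss_gbp):
    """Table 5.4 capital-loss thresholds only. The free-text criteria (fines,
    loss of licence, risk to life) are not captured here and can only raise
    the band, never lower it.
    """
    loss = capital_loss_gbp
    if loss < 75_000:
        return 1
    if loss < 750_000:
        return 2
    if loss < 7_500_000:
        return 3
    return 4   # table 5.4 quotes £18m; the gap from £7.5m is treated as 4 (assumption)


def risk_factor(prob_band, imp_band):
    """Section E: one number, at the cost of hiding which axis drove it."""
    return prob_band * imp_band


def zone(prob_band, imp_band, tolerance=9, escalation=6):
    """Assumed lines on a 5x4 matrix: factor >= tolerance is red (intolerable,
    board decision), factor >= escalation is amber (escalated, e.g. to a site
    manager), otherwise green. Catastrophic impact is red whatever the factor.
    """
    factor = risk_factor(prob_band, imp_band)
    if imp_band == 4 or factor >= tolerance:
        return "red"
    if factor >= escalation:
        return "amber"
    return "green"


def assess(risks):
    """Band, score and zone each risk in the register."""
    rows = []
    for r in risks:
        p, i = probability_band(r.events_per_year), impact_band(r.capital_loss_gbp)
        rows.append({"no": r.number, "name": r.name, "p": p, "i": i,
                     "factor": risk_factor(p, i), "zone": zone(p, i)})
    return rows


def matrix(rows, p_levels=5, i_levels=4):
    """grid[probability][impact] -> list of risk numbers in that square."""
    grid = {p: {i: [] for i in range(1, i_levels + 1)} for p in range(1, p_levels + 1)}
    for row in rows:
        grid[row["p"]][row["i"]].append(row["no"])
    return grid


# Constructed register; not the data behind figure 5.2.
REGISTER = [
    Risk(1, "Fraud by staff", events_per_year=0.5, capital_loss_gbp=1_000_000),
    Risk(2, "Kidnap of executive", events_per_year=0.1, capital_loss_gbp=20_000_000),
    Risk(3, "Forklift collision", events_per_year=20, capital_loss_gbp=20_000),
    Risk(4, "Warehouse fire", events_per_year=0.05, capital_loss_gbp=5_000_000),
]

if __name__ == "__main__":
    rows = assess(REGISTER)
    for row in rows:
        print(row)
    grid = matrix(rows)
    for p in range(5, 0, -1):               # probability 5 at the top, as in figure 5.2
        print(p, [grid[p][i] for i in range(1, 5)])
```

The two risks with factor 8 that section E warns about land in different zones: probability 4 with impact 2 is amber, probability 2 with impact 4 is red. The numeric thresholds cover only the financial line of table 5.4; fines, loss of licence or risk to life still have to be applied by hand before the band is final.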

F1 Risk management representations


When we add tolerance and escalation lines to risk probability/impact matrices we are adding
information for risk management purposes. If we find it useful, we can take this kind of illustration
further. Suppose, for example in figure 5.4, we colour the upper right squares red, the centre squares
amber, and the lower left squares green. Immediately we have a ‘traffic light’ colour code we can apply
to any risk for illustration purposes. Red risks are prohibited, green risks tolerated and amber is
acceptable only with caution (specific approval). We can use more colours (yellow and blue are common)
if we need a finer resolution. Such approaches are very often used.
You can see that coloured codes and diagrams help to visualise risks and their implications.
Re-evaluating and plotting the same risks on a similar chart perhaps three months later will show clearly
how effective were the risk management actions taken.
There are many variations on this illustrative theme, but a common objective is to highlight the relative
importance of identified risks and show the difference that risk management action can take. Exactly
how you represent this information depends on the audience you are trying to influence. For example, a
presentation to the risk subcommittee will have to detail the precise nature and cost of resources
needed to reduce specific risks if you intend to ask for a budget extension.
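The tolerance line, escalation line and traffic-light coding described above, as an added worked example in Python (not code from the study text). The 6×6 grid and the rule that the upper right nine squares are intolerable follow figure 5.4 and the text; where the escalation line is drawn, the decision tiers attached to each band, and the sample risk positions are assumptions made for the example.

```python
"""Probability/impact matrix with tolerance and escalation lines (added example,
not code from the study text).

Scores run 1..6 on both axes, as in figure 5.4, and the intolerable region is
the upper-right nine squares (probability >= 4 and impact >= 4), as the text
states. The position of the escalation line is not recoverable from the text,
so the amber band used here (both scores >= 3, outside the red block), the
decision tiers and the sample risk positions are assumptions.
"""
from dataclasses import dataclass

GRID_MAX = 6
TOLERANCE_LINE = 4   # red: probability >= 4 and impact >= 4 (from the text)
ESCALATION_LINE = 3  # amber: probability >= 3 and impact >= 3, not red (assumed)

# Who decides on a risk in each band (tiers assumed; wording follows the text).
DECISION_LEVEL = {
    "red": "board",
    "amber": "divisional director",
    "green": "line management (no action required)",
}


@dataclass(frozen=True)
class Risk:
    ref: str
    probability: int
    impact: int

    def __post_init__(self):
        for score in (self.probability, self.impact):
            if not 1 <= score <= GRID_MAX:
                raise ValueError(f"{self.ref}: score {score} outside 1..{GRID_MAX}")


def colour(probability: int, impact: int) -> str:
    """Traffic-light code of one square of the matrix."""
    if probability >= TOLERANCE_LINE and impact >= TOLERANCE_LINE:
        return "red"
    if probability >= ESCALATION_LINE and impact >= ESCALATION_LINE:
        return "amber"
    return "green"


def classify(risks):
    """Map each risk reference to (band, level of management that decides on it)."""
    result = {}
    for r in risks:
        band = colour(r.probability, r.impact)
        result[r.ref] = (band, DECISION_LEVEL[band])
    return result


def intolerable(risks):
    """Risks above the tolerance line: to be avoided or treated back into the lower left."""
    return sorted(r.ref for r in risks if colour(r.probability, r.impact) == "red")


def movement(before, after):
    """Compare two assessments of the same risks, e.g. three months apart.

    Returns {ref: (old band, new band)} for every risk whose band changed.
    """
    old = {r.ref: colour(r.probability, r.impact) for r in before}
    new = {r.ref: colour(r.probability, r.impact) for r in after}
    return {ref: (old[ref], new[ref]) for ref in old if ref in new and old[ref] != new[ref]}


def matrix_rows(risks):
    """Text rendering of the grid, impact 6 at the top, each square tagged r/a/g."""
    cells = {}
    for r in risks:
        cells.setdefault((r.probability, r.impact), []).append(r.ref)
    rows = []
    for impact in range(GRID_MAX, 0, -1):
        squares = []
        for probability in range(1, GRID_MAX + 1):
            refs = ",".join(cells.get((probability, impact), [])) or "."
            squares.append(f"{refs:>7}[{colour(probability, impact)[0]}]")
        rows.append(f"impact {impact} | " + " ".join(squares))
    return rows


# Constructed sample: an initial assessment and the same risks re-plotted
# after treatment (R10's probability reduced, R12's impact reduced).
INITIAL = [Risk("R10", 5, 6), Risk("R12", 4, 5), Risk("R9", 3, 4),
           Risk("R6", 2, 3), Risk("R13", 1, 1)]
REVIEWED = [Risk("R10", 3, 6), Risk("R12", 4, 3), Risk("R9", 3, 4),
            Risk("R6", 2, 3), Risk("R13", 1, 1)]

if __name__ == "__main__":
    for ref, (band, level) in classify(INITIAL).items():
        print(f"{ref}: {band}, decided by {level}")
    print("intolerable:", intolerable(INITIAL))
    print("\n".join(matrix_rows(INITIAL)))
    print("bands changed after treatment:", movement(INITIAL, REVIEWED))
```

Moving a line is a one-constant change, which is the point: the lines encode the appetite, and the same risk list re-plotted against a stricter tolerance line will produce a different set of intolerable risks without any risk having changed.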

G Risk control
Many controls can be deployed to treat risks. Risk controls can be divided into four broad classes:
• Preventive – measures to stop a risk happening or an unwanted outcome arising.
• Corrective – measures to limit scope for loss and reduce any undesirable outcomes that have come about once the loss or damage has materialised.
• Directive – controls to ensure a particular aim is realised.
• Detective – after the event measures to identify when an incident has happened.

Most controls implemented in organisations are preventive controls, which are designed to reduce the
possibility of undesirable outcomes. A common example is separation of duties. To prevent irregularities
in purchasing departments, for example, the person responsible for placing orders for required goods
and services should not be the one who authorises the payment of invoices. Similarly, a checkout
operator is not the person who checks till contents at the end of each day.
Another preventive control is to limit specified actions only to authorised personnel. For example, only
suitably qualified and trained people would be permitted to sign off designs, authorise price quotations
or perform certain operations. Unwanted publicity can be prevented by allowing media to access only
trained press officers.
At a higher level, preventive controls could be strategic decisions to avoid certain types of activity.
Examples would be a government deciding not to include nuclear power in its national energy policy or a
property insurer excluding risks from floods.

Consider this…
Can you think of preventive controls a financial services organisation may wish to adopt?
Chapter 5 Tools and techniques 2: assessment and measurement of risk 5/21

Corrective controls are designed to correct undesirable outcomes which have already occurred. They are
a means of recovery against loss or damage. An example would be contract terms that allow a supplier
to recover goods that have not yet been paid for from a customer whose business is in receivership or
administration. Continuity planning is another corrective control. Organisations plan for business
continuity and recovery after events which they could not prevent.
Insurance is a form of corrective control as it facilitates financial recovery when an insured risk
materialises. Insurance transfers the consequences of risk to the insurer. Risks and/or consequences
can be transferred to other organisations by contract, for example when operations are outsourced.
Whether such measures are corrective or preventive will depend on precise wording of the contract and
its interpretation under governing law.
Directive controls are instructions or regulations designed to ensure that a particular outcome is
achieved. They are important when people’s behaviour can prevent an undesirable event. Directive
controls are commonly associated with health, safety and security. Examples are requirements to wear
protective clothing while performing dangerous duties, or that staff are trained to certain skill levels
before being allowed to work unsupervised.
Checklists, worksheets and test schedules are directive controls. They are designed to ensure all critical
aspects of a task have been properly addressed and completed. Such instructions are particularly
important in assembly, maintenance, testing and repairs of components of systems where utmost
reliability is essential. The aviation industry, for example, relies on correct and thorough engine testing
and maintenance to keep its aircraft flying. Other examples would include nuclear power and oil and gas
exploration.
Detective controls are designed to identify unwanted occurrences that have already happened and are,
therefore, only appropriate when it is possible to accept the loss or damage incurred. Stock or other
asset checks are examples of detective controls. They detect theft or similar anomalies. Reconciliation is
another technique. Reconciling authorised payments with bank statements will detect unauthorised
transactions.
Audits, inspections and similar quality controls are detective. They look for causes of defects in products
and procedures, with a view to introducing changes in the future. Accident investigations and ‘black box’
analyses following aviation disasters are other detective examples.
Sometimes, complex risks can only be managed by combinations of different types of control.
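Two of the controls described above, as an added Python example that is not code from the study text: separation of duties in purchasing (the person who raises an order may not authorise payment of its invoice) as a preventive control, and reconciliation of authorised payments against the bank statement as a detective control. The order records, the statement line format and all sample data are constructed; the run shows the detective control catching a duplicate payment and an unmatched debit that the preventive control alone cannot stop.

```python
"""Preventive and detective controls in a purchase-to-pay process (added
example, not code from the study text).

Separation of duties and bank reconciliation are the controls the text
describes; the record layout, the 'date,kind,reference,amount' statement line
format and the sample data are constructed for this example.
"""
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Optional, Tuple


class SeparationOfDutiesError(PermissionError):
    """One person would both raise an order and authorise its payment."""


@dataclass
class PurchaseOrder:
    ref: str
    raised_by: str
    amount: Decimal
    approved_by: Optional[str] = None


def approve_payment(order: PurchaseOrder, approver: str) -> PurchaseOrder:
    """Preventive control: refuse an approval by the person who raised the order."""
    if approver == order.raised_by:
        raise SeparationOfDutiesError(
            f"{approver} raised {order.ref} and may not approve its payment")
    order.approved_by = approver
    return order


def parse_statement(lines) -> List[Tuple[str, Decimal]]:
    """Read constructed statement lines and keep the debits as (reference, amount)."""
    debits = []
    for line in lines:
        _date, kind, reference, amount = line.strip().split(",")
        if kind == "DEBIT":
            debits.append((reference, Decimal(amount)))
    return debits


def reconcile(orders, debits):
    """Detective control: match each debit to one approved order by reference and amount.

    Returns (unauthorised debits, approved orders not yet paid). A debit with no
    approved order, with the wrong amount, or paid a second time is unauthorised.
    """
    expected = Counter((o.ref, o.amount) for o in orders if o.approved_by is not None)
    unauthorised = []
    for debit in debits:
        if expected[debit] > 0:
            expected[debit] -= 1        # consume one approval per payment
        else:
            unauthorised.append(debit)
    unpaid = sorted(key for key, remaining in expected.items() if remaining > 0)
    return unauthorised, unpaid


# Constructed sample data.
ORDERS = [
    PurchaseOrder("PO-1001", "alice", Decimal("1250.00")),
    PurchaseOrder("PO-1002", "carol", Decimal("80.00")),
    PurchaseOrder("PO-1003", "alice", Decimal("500.00")),
    PurchaseOrder("PO-1004", "carol", Decimal("45.00")),
]
STATEMENT = [
    "2018-02-01,DEBIT,PO-1001,1250.00",
    "2018-02-02,DEBIT,PO-1002,80.00",
    "2018-02-02,DEBIT,PO-1002,80.00",   # the same invoice paid twice
    "2018-02-03,CREDIT,INV-77,900.00",  # a receipt, not a payment
    "2018-02-04,DEBIT,PO-9999,300.00",  # no order behind this payment
]


def run_sample():
    """Approve what can be approved, block the self-approval, then reconcile."""
    approve_payment(ORDERS[0], "bob")
    approve_payment(ORDERS[1], "dave")
    approve_payment(ORDERS[3], "dave")
    try:
        approve_payment(ORDERS[2], "alice")  # blocked: alice raised PO-1003
    except SeparationOfDutiesError:
        pass
    return reconcile(ORDERS, parse_statement(STATEMENT))


if __name__ == "__main__":
    unauthorised, unpaid = run_sample()
    print("unauthorised debits:", unauthorised)
    print("approved but unpaid:", unpaid)
```

The reconciliation matches on both reference and amount and consumes one approval per debit, so an altered amount or a repeated payment of a genuine invoice shows up alongside payments that have no order at all; matching on reference alone would miss both.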

Reinforce
Refer back to chapter 1, section E, to remind yourself of the different types of risk we discussed.

Market risk is concerned with the risk of losses in trading positions arising from movements in market
prices. Preventive controls around the management of this risk could involve decisions regarding
investment strategies while corrective controls such as insurance and hedging could be deployed.
Thought could also be given to the implementation of directive controls, say around limiting individual
trading activities, while detective controls could also be adopted such as the organisation deciding to
monitor unusual trading activity over an appropriate time frame.
Credit risk is the risk that a counterparty will suffer real or perceived deterioration in financial strength, or be
unable to pay amounts in full when due. Preventive controls would include regular credit checks of
current and potential counterparties. Corrective controls would include contract terms to safeguard
assets held as securities for loans, and use of multiple insurers to protect large potential liabilities.
Directive controls would restrict trading to counterparties whose credit had been approved.
Liquidity risk is the risk of running out of cash when it is needed to meet financial obligations. Preventive
controls would include strategic decisions on capital reserves and ratios, daily cash management and
attention to contract payment terms and debt collection. Corrective controls would include arranging
overdraft facilities, short-term credit and loan facilities, or agreements with shareholders to inject capital
at short notice. Directive controls would support management in enforcing the discipline required.
It is important that the control put in place is proportional to the risk. Apart from extreme undesirable
outcomes such as loss of human life, it is normally sufficient to design controls to give reasonable
assurance that likely loss is confined within risk appetite of the organisation. Every control action has an
associated cost and it is important that control actions offer value for money in relation to risks they
control.

Cost effectiveness of risk controls can be estimated by comparing impact of an uncontrolled risk with
impact of the same risk assuming the proposed control is in place. The difference between the two
impact assessments must be greater than the cost of implementing the control. This does not
mean that every cost-effective risk control should be implemented. In practice there may be other
constraints determining that the money involved is unavailable, or better invested somewhere else.
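The cost-effectiveness test just described, as an added Python example (not code from the study text). It applies the comparison in the text, benefit of the control against its cost, and then shows why a cost-effective control may still be left out when the budget is limited. Loss is expressed as expected annual loss (probability of the incident in a year multiplied by its impact), which is an assumption the text does not make explicitly; the candidate controls, figures and budget are constructed.

```python
"""Cost-effectiveness test for candidate risk controls (added example, not code
from the study text).

The test is the one the text sets out: the reduction in assessed loss from a
control must exceed the control's cost, and a budget may then rule some
cost-effective controls out. Expected annual loss (probability x impact) as the
loss measure is an assumption; the controls, figures and budget are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple


def expected_loss(probability: float, impact: float) -> float:
    """Annual expected loss: probability of the incident in the year times its impact."""
    return probability * impact


@dataclass(frozen=True)
class Control:
    name: str
    cost: float         # annual cost of implementing and running the control
    loss_before: float  # expected annual loss with the risk uncontrolled
    loss_after: float   # expected annual loss with the control in place

    @property
    def benefit(self) -> float:
        return self.loss_before - self.loss_after

    @property
    def net_benefit(self) -> float:
        return self.benefit - self.cost

    def is_cost_effective(self) -> bool:
        return self.benefit > self.cost


def cost_effective(controls) -> List[Control]:
    return [c for c in controls if c.is_cost_effective()]


def select_within_budget(controls, budget: float) -> Tuple[List[str], float]:
    """Greedy choice of cost-effective controls by net benefit until the budget is spent.

    Greedy is transparent but not guaranteed optimal; with many candidates this
    is a knapsack problem and an exact solver may pick a better set.
    """
    chosen, spent = [], 0.0
    for c in sorted(cost_effective(controls), key=lambda c: c.net_benefit, reverse=True):
        if spent + c.cost <= budget:
            chosen.append(c.name)
            spent += c.cost
    return chosen, spent


# Constructed candidates: probability per year, impact in currency units.
CANDIDATES = [
    Control("MFA on finance portal", 20_000,
            expected_loss(0.30, 400_000), expected_loss(0.05, 400_000)),
    Control("Standby generator", 50_000,
            expected_loss(0.10, 300_000), expected_loss(0.02, 300_000)),
    Control("Sprinkler upgrade", 40_000,
            expected_loss(0.05, 2_000_000), expected_loss(0.01, 2_000_000)),
    Control("Phishing awareness training", 5_000,
            expected_loss(0.40, 30_000), expected_loss(0.20, 30_000)),
]

if __name__ == "__main__":
    for c in CANDIDATES:
        verdict = "worth it" if c.is_cost_effective() else "costs more than it saves"
        print(f"{c.name}: benefit {c.benefit:,.0f} vs cost {c.cost:,.0f} -> {verdict}")
    names, spent = select_within_budget(CANDIDATES, budget=45_000)
    print(f"within a 45,000 budget: {names} (spent {spent:,.0f})")
```

In the constructed set the standby generator fails the test outright (24,000 of benefit for 50,000 of cost), and the sprinkler upgrade passes it comfortably but is still dropped at a 45,000 budget because the MFA control with the larger net benefit is taken first.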

Question 5.2
Checklists, worksheets and test schedules are widely used directive controls. Why are they so important?

H Risk registers
As we study and analyse risks we build up a lot of information we need to record. Different organisations
give this data store different names, but here we call it a risk register. Its extent and form will depend on
a particular organisation and its objectives, but there are common principles we can use to illustrate
typical construction. The aim is to build a complete picture, or risk profile, of the organisation, or of
selected individual risks or collections of risks deemed important.
Design
The design of a risk register must allow useful information to be produced. Design must take into
account what internal and external reporting is required, and in what form. What information will help
management make critical decisions and influence strategic plans? What links are required to other
facilities? How much access should be allowed?


Information must be stored in a form that is easy to extend and change. As its risk register matures, an
organisation will discover more uses for the information and will add further analysis or detail to the
categories.
A risk register contains various information which an organisation needs to manage risks. Essential data
such as risk description, probability and impact assessment is supplemented by information about
existing risk controls, ranking, priorities and risk ownership. The register could also allow for
recommendations for new or improved risk controls, action plans for their implementation and plans for
updating and review.
Risk registers can fulfil a dual role, both facilitating practical management of risk and helping to instil or
consolidate risk management culture into day-to-day operations. The latter objective is achieved by
embedding the risk register in a controlled environment that enables operational managers throughout
an organisation to safely access risk information, update specified data fields, and participate in
decision making regarding appropriate responses.
A modern risk register might be installed on a web-based distributed relational database, with front end
software designed to make it easy for managers to review and update risks relating to their area of
authority. Relational databases allow tables to be created, altered, expanded, sorted and edited without
disturbing data already entered. Minimal training should be required, although authority to access the
system should only be allowed after ensuring principles of risk management and risk philosophy of the
organisation have been studied and understood. An example of a risk register can be found in appendix
5.1 of this chapter.
A typical distributed risk register implementation might involve:
• automatic diary system to warn when risks are due for review;
• tiered access levels to individual risks;
• authorisation procedures to accept new risks;
• comprehensive enquiry and reporting facilities; and
• procedures for suggesting and authorising new or improved risk controls.
With facilities like these in place, authorised users should be able to record, assess, classify, report and
review risks and contribute ideas for risk management. As a result of this the risk register is more likely
to be complete and up to date, and risks should be actively recorded, reviewed and managed as an
integral part of normal ongoing management operations.
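The facilities just listed, as an added Python example that is not code from the study text: a small risk register on a relational database, using Python's built-in sqlite3 in place of the web-based distributed database the text describes. The risk table follows table 5.6 (name, scope, nature, owner, likelihood, impact), controls are held in a linked table, and the methods give a review diary, tiered access (operational managers may only act on risks they own), an authorisation step for new risks, a ranked report and an audit trail. Table and column names, the roles and the sample risks are assumptions made for the example.

```python
"""Minimal risk register on a relational database (added example, not code from
the study text). sqlite3 stands in for the web-based distributed database the
text describes; the risk table follows table 5.6, and the methods implement the
facilities the text lists: review diary, tiered access, authorisation of new
risks, reporting and an audit trail. Names, roles and sample risks are assumed.
"""
import sqlite3

SCHEMA = """
CREATE TABLE risk (id INTEGER PRIMARY KEY, ref TEXT UNIQUE NOT NULL, name TEXT NOT NULL,
  scope TEXT NOT NULL DEFAULT '', nature TEXT NOT NULL DEFAULT '', owner TEXT NOT NULL,
  likelihood INTEGER NOT NULL CHECK (likelihood BETWEEN 1 AND 6),
  impact INTEGER NOT NULL CHECK (impact BETWEEN 1 AND 6),
  status TEXT NOT NULL DEFAULT 'proposed', next_review TEXT NOT NULL);  -- ISO date
CREATE TABLE control (id INTEGER PRIMARY KEY, risk_id INTEGER NOT NULL REFERENCES risk(id),
  description TEXT NOT NULL,
  kind TEXT NOT NULL CHECK (kind IN ('preventive', 'corrective', 'directive', 'detective')));
CREATE TABLE audit (id INTEGER PRIMARY KEY, at TEXT NOT NULL, actor TEXT NOT NULL,
  action TEXT NOT NULL, risk_ref TEXT NOT NULL);
"""

# Tiered access: which role may take which action (tiers assumed for the example).
PERMISSIONS = {
    "propose": {"operational_manager", "risk_manager"},
    "accept": {"risk_manager"},
    "suggest_control": {"operational_manager", "risk_manager"},
}


class AccessDenied(PermissionError):
    pass


class RiskRegister:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(SCHEMA)

    def _check(self, actor, role, action, ref=None):
        # The role must permit the action; operational managers may only touch risks they own.
        if role not in PERMISSIONS[action]:
            raise AccessDenied(f"{actor} ({role}) may not {action}")
        if ref is not None and role == "operational_manager":
            row = self.db.execute("SELECT owner FROM risk WHERE ref = ?", (ref,)).fetchone()
            if row is None or row[0] != actor:
                raise AccessDenied(f"{actor} does not own {ref}")

    def _log(self, when, actor, action, ref):
        self.db.execute("INSERT INTO audit (at, actor, action, risk_ref) VALUES (?, ?, ?, ?)",
                        (when, actor, action, ref))

    def propose(self, when, actor, role, ref, name, owner, likelihood, impact, next_review):
        self._check(actor, role, "propose")
        self.db.execute("INSERT INTO risk (ref, name, owner, likelihood, impact, next_review)"
                        " VALUES (?, ?, ?, ?, ?, ?)",
                        (ref, name, owner, likelihood, impact, next_review))
        self._log(when, actor, "propose", ref)

    def accept(self, when, actor, role, ref):
        # Authorisation step: only accepted risks appear in the diary and reports.
        self._check(actor, role, "accept")
        self.db.execute("UPDATE risk SET status = 'accepted' WHERE ref = ?", (ref,))
        self._log(when, actor, "accept", ref)

    def suggest_control(self, when, actor, role, ref, description, kind):
        self._check(actor, role, "suggest_control", ref)
        risk_id = self.db.execute("SELECT id FROM risk WHERE ref = ?", (ref,)).fetchone()[0]
        self.db.execute("INSERT INTO control (risk_id, description, kind) VALUES (?, ?, ?)",
                        (risk_id, description, kind))
        self._log(when, actor, "suggest_control", ref)

    def due_for_review(self, today):
        """Diary: accepted risks whose review date (ISO string) is today or has passed."""
        rows = self.db.execute("SELECT ref FROM risk WHERE status = 'accepted' AND next_review <= ?"
                               " ORDER BY next_review, ref", (today,))
        return [r[0] for r in rows]

    def report(self):
        """Ranked report: (ref, name, owner, status, likelihood x impact, controls in place)."""
        rows = self.db.execute(
            "SELECT r.ref, r.name, r.owner, r.status, r.likelihood * r.impact AS rating, COUNT(c.id)"
            " FROM risk r LEFT JOIN control c ON c.risk_id = r.id"
            " GROUP BY r.id ORDER BY rating DESC, r.ref")
        return [tuple(r) for r in rows]

    def audit_trail(self, ref):
        rows = self.db.execute("SELECT at, actor, action FROM audit WHERE risk_ref = ? ORDER BY id", (ref,))
        return [tuple(r) for r in rows]


def build_sample():
    """Constructed data: two risks proposed by an operational manager, one by the risk manager."""
    reg = RiskRegister()
    reg.propose("2018-03-01", "ann", "operational_manager", "OPS-01", "Loss of main data centre", "ann", 2, 5, "2018-06-01")
    reg.propose("2018-03-01", "ann", "operational_manager", "OPS-02", "Key supplier insolvency", "ann", 3, 3, "2018-04-01")
    reg.propose("2018-03-02", "ravi", "risk_manager", "FIN-01", "Invoice fraud", "omar", 4, 4, "2018-09-01")
    for ref in ("OPS-01", "OPS-02", "FIN-01"):
        reg.accept("2018-03-05", "ravi", "risk_manager", ref)
    reg.suggest_control("2018-03-06", "ann", "operational_manager", "OPS-01", "Second site with replicated data", "corrective")
    reg.suggest_control("2018-03-06", "ravi", "risk_manager", "FIN-01", "Two-person approval of supplier bank detail changes", "preventive")
    return reg


if __name__ == "__main__":
    reg = build_sample()
    print("due for review on 2018-06-01:", reg.due_for_review("2018-06-01"))
    for row in reg.report():
        print(row)
    print("audit trail for OPS-01:", reg.audit_trail("OPS-01"))
```

The CHECK constraints keep likelihood and impact on the 1–6 scale at the database layer, every write goes through the role check and is logged, and because dates are stored as ISO strings the diary query is a plain string comparison. A production register would add the access tiers as database users or roles rather than as a Python dictionary.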

A risk register is the heart of an organisation’s risk management process. It could be a separate facility
or part of a more comprehensive risk and management system, some of which is only accessible to
authorised risk professionals. An extended system, for example, may include data concerning risk
financing and continuity planning, and facilities to test different risk scenarios. Risk professionals will
also want access to system use information to see how active or static the register is, whether
authorisation procedures are effective and whether audit trails can be followed.
Construction
The register is constructed of a series of tables interlinked and cross referenced to provide the flexibility
required. Tables express relationships between items listed in the column headings and items listed in
the row headings. At the intersections between columns and rows we store data; simple on/off
information, a numerical value or text. A teacher may keep a table on the wall with each pupil’s name
down the side and days of the week across the top. Information in the table might be a cross to indicate
presence, or some text such as ‘school trip’. This information relates both to the pupil and the day of
the week.
When we fill in a table like this we are creating a model of the relationships existing between column
and row headings. Thus a table showing how many pints of milk a supermarket wants each day is a
model of the delivery schedule for the relevant supplier. Besides making sure correct deliveries are
made it can be used to find totals and averages and for comparison with other delivery schedules.
Construction of a risk register starts with a basic list of identified risks, stored in a table with related
information. This risk description table could be part of a series of aides-memoire or risk reference
material that form part of a comprehensive risk register. Indeed, for some organisations, a table like this
can act as a basic risk register.
Look at table 5.6 below, but remember the headings are by no means designed to be universal, or a
definitive list. Further headings and descriptions can be added as required. For example, an additional
section might relate to strategy development, which the board and chief risk officer would formulate and
subsequently cascade across the organisation. Reference may be made to audit and compliance
reporting and review programmes, perhaps within the section headed risk controls. A comment could
be made as to how existing risk control measures should be reviewed. It is also likely that an organisation
would wish to capture appropriate dates or timelines to ensure key elements of risk management
processes are consistently reviewed.

Table 5.6: Simple risk description table
Risk name – A risk title or heading accompanied by a reference or index number specific to the organisation.
Scope of risk – A description of associated possible events that might materialise.
Nature of risk – Which category or subcategory the risk may belong to.
Stakeholders relating to the organisation – Relevance to identified internal and/or external stakeholders.
Risk assessment – Likelihood of the risk materialising. Indication of the likely size of an event if the risk materialised – its impact and consequences (qualitative and/or quantitative description).
Risk controls – Existing control mechanisms and activities in place. The potential to introduce more cost effective control measures.
Risk owner – Name of the individual and/or department who has been assigned this risk to monitor and/or report upon.

Although some tables may be numeric, most will have to accommodate free text. Some compression can
be achieved by using references in the tables to notes and documents stored elsewhere.
By way of further illustration, look at table 5.7. This table illustrates the relationship between selected
crime risks and where, within and around the organisation, the threat is felt to exist.

Table 5.7: Crime risks table
Columns (areas where losses are likely to be experienced): Supplier, Staff, Public, Counterparty, Clients, Assets, Continuity, Delivery, Etc.
Rows (crime risks): Arson, Kidnap/ransom, Terrorism, Fraud, Hijacking, Malicious damage, Violence, Blackmail, Hacking, Product contamination.
[Ticks in the original table mark the areas where each crime risk is felt; they appear as the character ‘9’ in the extracted text and their column positions cannot be recovered.]

This table covers just one type of risk, that of crime. A full risk register will cover all aspects of risk; from
group-wide, high-level exposures to hazards that lie within one particular process or even the use of one
chemical. A risk register may, if necessary, have many subdivisions.
Table 5.7 shows where a particular crime can cause loss or damage and the relationship between crime
and place. Potential fraud, for example, may lie within contracts, in service delivery to the organisation,
service delivery by the organisation, theft by trusted asset-holders, misuse of credit cards, misreporting
of financial statements, or in many other ways. A blackmailer may target members of staff, clients or
other stakeholders, all resulting in an impact on the organisation. A computer hacker may use the
computer system to gain access to clients’ credit card numbers. The column headings, therefore, show
where the impact of a crime is likely to be felt.
We can use a similar format to identify from where threats can arise. Blackmail, malicious damage or
other crimes can be perpetrated by staff, counterparties, customers or others. Staff, clients and others
may be the victims of violence in and around the workplace but, equally, violence may be carried out by
members of staff towards each other or towards customers or third parties.
Thus, this format could be used equally to:
• identify where losses may occur; and
• identify the sources of any threats.
Following the same principles, relationships between risk and any other chosen category can be
constructed.

Activity
Compile a simple risk register describing the risks around your home or office.

Benefits and reports


Risk registers continually remind a risk management team of the range of risks their organisation is
carrying. With this information, work can begin in understanding how exposures could affect
organisation operations and hinder it fulfilling its responsibilities.
Modern relational databases make it easy to study relationships, extract data and transfer data to other
software for analysis and display. A variety of programs are available to draw charts and graphs, and to
superimpose data onto geographical maps and building plans. These techniques can be used to
emphasise presentations and to help decide where risk management resource is best employed.

The construction of risk model tables is not easy and an organisation will continuously rebuild and refine
its models. There are many variables to consider, as similar risks can have different effects. The impact of
an incident can vary by time of day, by different points of time in the production cycle and by different
times of the year. For example, if Christmas sales produce 60% of annual sales and 80% of annual
profits it is clear that an October failure would have much greater impact than a January one. Similarly
the effects of a fire may be influenced by seasonal weather conditions. The seriousness of a lorry theft
will depend on the importance of its contents at the time. An ambulance failure may result in anything
from inconvenience to death.
Considerations like these mean we have to build relationship tables where we might otherwise have
fixed risk attributes. In the above examples we may need tables showing the relationship between risk
effect and time, risk effect and weather, and risk effect and load value. For the ambulance failure we
cannot predict consequences beforehand so what do we do? A possible response could be to consider
the worst case timing and situation or to attempt some probability analysis.
We can explore different risk types and their potential impact in any risk area that has current
management interest. Holding data organised by risk type makes it easier to extract information for
presentations and discussions with those managers who have special interest. Tables that result from
these analytical exercises are linked into the risk register and the process of constructing the tables will
deepen our understanding of overall risks faced by the organisation.
Risk registers may appear to hold the key to effective risk management control. In practice, however, a
number of difficulties must be recognised. These points must be borne in mind when data is interpreted
or used as a basis for further action:
• What about unknown new risks?
• Can provide a false sense of security.
• Can list hundreds of risks – will anyone be able to cope with the volume?
• May not be updated very frequently.
• May fail to take account of correlations between risks.
• Typically focus on risk events, may ignore causes and certain effects.
• Rely on risk matrices to facilitate assessment.
Remember the fundamental principles of risk assessment we introduced at the beginning of this
chapter. The whole purpose of analysing and recording risks is to produce meaningful reports that will
help management make better decisions and so contribute to achieving corporate objectives. Reports
are also needed to keep other internal and external stakeholders informed and to give them assurance
that risks are properly managed and kept under control.
The content of reports will vary according to the organisation, and will also be tailored to the interests
and expertise of intended recipients. Reports can be primary sources of information or written to support
visual presentation. Reports for media information may have length or formatting constraints.
There is no magic recipe for producing a good report. The objective of risk reports is to provide accurate
and concise information in a format that the recipient can understand. The content must be informative
and enable necessary decisions to be made.

H1 Risk models
We have seen that data from risk registers can be used to create pictures and models of different types
of risk and their possible effect. However, there are other techniques that can be used to explore risk, in
particular when mathematical relationships exist between cause and effect.
Financial risk models are common because concepts, such as profit, solvency and liquidity are
mathematically related to sales, costs, liabilities and asset values. Even simple modelling of balance
sheet inputs will allow risks to solvency and liquidity to be explored. Organisations typically use
financial models combined with business forecasts to test viability of long-term plans. Stress tests
explore the effect of variations in individual parameters, for example how much can income drop before
profit is eroded or how much can particular asset values drop before solvency is threatened. Some
organisations develop complex models of complete operations, which allow them to test profit and
balance sheet effects of movements in individual factors such as wage rises or material costs.
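The stress tests described above, as an added Python example that is not code from the study text: a toy profit and balance sheet model with constructed inputs, and a generic search for the largest fall in one input that a chosen measure can absorb, which answers the text's two questions (how far income can drop before profit is eroded, how far asset values can drop before solvency is threatened) and the effect of a single-factor movement such as a rise in fixed costs. The model, the solvency measure and all figures are assumptions made for the example.

```python
"""Stress testing a simple financial model (added example, not code from the
study text).

A toy profit-and-balance-sheet model with constructed inputs, and a search for
the largest proportional fall in one input that keeps a chosen measure above a
limit. The model, the solvency measure and the figures are assumptions.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Position:
    income: float
    fixed_costs: float
    variable_cost_ratio: float  # variable costs as a share of income
    assets: float
    liabilities: float


def profit(p: Position) -> float:
    return p.income * (1.0 - p.variable_cost_ratio) - p.fixed_costs


def net_assets(p: Position) -> float:
    return p.assets - p.liabilities


def solvency_ratio(p: Position) -> float:
    """Net assets as a proportion of liabilities (assumed measure for the example)."""
    return net_assets(p) / p.liabilities


def shocked(base: Position, field: str, fall: float) -> Position:
    """Copy of base with one input reduced by a fraction (negative fall = a rise)."""
    return replace(base, **{field: getattr(base, field) * (1.0 - fall)})


def max_fall(base: Position, field: str, measure, limit: float, steps: int = 60) -> float:
    """Largest proportional fall in `field` for which measure(position) >= limit.

    Bisection on the fall fraction; assumes the measure does not increase as the
    input falls. Returns 0.0 if the base position already breaches the limit and
    1.0 if the input can fall to nothing without breaching it.
    """
    def holds(fall: float) -> bool:
        return measure(shocked(base, field, fall)) >= limit

    if not holds(0.0):
        return 0.0
    if holds(1.0):
        return 1.0
    lo, hi = 0.0, 1.0  # invariant: holds(lo) and not holds(hi)
    for _ in range(steps):
        mid = (lo + hi) / 2.0
        if holds(mid):
            lo = mid
        else:
            hi = mid
    return lo


def sensitivity(base: Position, field: str, measure, change: float) -> float:
    """Change in `measure` when one input moves by a proportional change (+5% = 0.05)."""
    return measure(shocked(base, field, -change)) - measure(base)


# Constructed position: 10m income, 60% variable costs, 3m fixed costs,
# 50m of assets against 40m of liabilities.
BASE = Position(income=10_000_000, fixed_costs=3_000_000, variable_cost_ratio=0.6,
                assets=50_000_000, liabilities=40_000_000)

if __name__ == "__main__":
    print(f"profit at base: {profit(BASE):,.0f}")
    print(f"income can fall {max_fall(BASE, 'income', profit, 0.0):.1%} before profit is eroded")
    print(f"assets can fall {max_fall(BASE, 'assets', solvency_ratio, 0.10):.1%} "
          "before the solvency ratio drops below 10%")
    print(f"a 5% rise in fixed costs moves profit by "
          f"{sensitivity(BASE, 'fixed_costs', profit, 0.05):,.0f}")
```

On the constructed figures income can fall by 25% before profit reaches zero and assets by 12% before the solvency ratio drops below 10%. The search only makes sense for an input whose fall hurts the measure; stressing a cost input against profit returns 1.0 because cutting costs never breaches a profit floor.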

Models are widely used by engineers, using the laws of physics to examine stresses and tolerances
when designing all sorts of devices, systems and structures. The main concern is to ensure risk of
failure is at negligible levels or design in tolerance to failure when risks cannot be sufficiently reduced.
Mathematical models can be supported or verified by physical modelling, as in wind tunnel testing of
aircraft components. Sometimes models are attempted of wider systems, involving human intervention,
or of systems with so many uncertainties that considerable judgment is needed to interpret the
results. Examples range from modelling national economies to weather forecasting and monitoring
earthquake risk.

Key points
The main ideas covered by this chapter can be summarised as follows:
Risk assessment
• It is only when we understand all possible consequences of an incident that we can decide how to manage the
underlying risk.
• The purpose of examining threats is to stimulate decisions as to how those threats are to be managed.
• To collect and present a clear picture of risk to assist management decisions we first need to understand and
describe risks, both qualitatively and quantitatively. We need to compare risks so we can rank them in order of
importance.
• We need to quantify the damage that could result if each risk materialised. We also need to estimate how often a
particular incident is likely to occur.
• Combining impact and frequency gives us the basis for risk comparison and ranking.
Risk categorisation
• We first must put risks into categories and then look within each category to determine which risks are important,
and which risks can be ignored.
• Risk categorisation systems are important because they enable an organisation to identify accumulations of similar
risks and clarify potential for applying common risk control strategies.
• We can design our own classification system or use one of the published industry standard suggestions as a base.

Measuring impact
• Losses or gains due to an incident cannot always be measured simply in financial terms.
• Risks that threaten the survival of the organisation might be allocated a code that ensures they come top of any
comparison analysis. The codes could allow for broad categories of assessment, such as intolerable, high, medium
and low or red, amber and green.
• Organisations must decide which definition of monetary value is best suited to their needs.
• Losses must be aggregated when a risk results in simultaneous multiple incidents of damage.
Measuring probability
• Numerous methods and formulae exist that use historical data to analyse mathematically the probability and impact
of risk.
• We cannot always use historical data to predict future trends. If nothing has changed since data was collected then
historical records will be a good guide to the future, but this is very rarely the case.
• The prime use of historical data analysis in risk management is to determine expected values or ranges of value for
particular ongoing risks.
• The theory of mathematical probability sets out to illustrate likelihood or probability as a numerical value. We
calculate the likelihood of an incident occurring and present that exposure in mathematical form.
• Probability tells us the chance that something might happen in a chosen period of time. Frequency is an expression
of how often an event may occur.
Risk ranking
• A risk department may bring probability and impact together by multiplying the two to create an overall risk factor
indicating the size of the risk. However, this hides whether the exposure arises mainly from high probability or from high cost.
• The process of comparing different risks and presenting them in an order of priority for the use of resources is
generally known as risk ranking.
• Risk factor indices attempt to standardise risk factors so that different organisations of the same type can compare
the risks they carry. For example, the Dow Fire and Explosion Index is designed to classify particular hazards that lie
within a process in a factory.
Risk appetite and tolerance
• An organisation can use probability/impact matrices to illustrate its tolerance to risk. The matrix can be used to
separate, graphically, those risks that are acceptable and need no action, from those that are not acceptable and
require attention.
• The objective of pictorial representations is to highlight relative importance of identified risks and show the
difference that risk management action can take.

Risk control
• There are four categories of risk control – preventive, corrective, directive and detective.
• Most controls implemented in organisations are preventive controls, which are designed to reduce the possibility of
undesirable outcomes.
• Sometimes, complex risks can only be managed by a combination of different types of control.
Risk registers
• A risk register contains various information an organisation needs to manage risk.
• Risk registers can fulfil a dual role, both facilitating practical management of risk and helping to instil or consolidate
risk management culture into day-to-day operations.
• A modern risk register might be installed on a web-based distributed relational database, with front end software
designed to make it easy for managers to review and update risks relating to their area of authority.
• A risk register is the heart of an organisation’s risk management process.
• Financial risk models are common because concepts, such as profit, solvency and liquidity are mathematically
related to sales, costs, liabilities and asset values.

Question answers
5.1 Risks with long timescales (years) are generally related to strategy, having the potential to undermine
fulfilment of strategic objectives. Medium-term risks (months) are generally associated with projects,
processes, change programmes, acquisitions and the like. Risks with immediate potential to disrupt current
operations are clearly operational risks. Long-term risks may relate to opportunity as well as threat.
5.2 They are designed to ensure all critical aspects of a task have been properly addressed and completed. Such
instructions are particularly important in assembly, maintenance, testing and repairs of components of
systems where utmost reliability is essential, e.g. aviation, aerospace, nuclear power, oil and gas exploration.


Self-test questions
1. Why are risk categorisation systems important?
2. List the four types of risk that might threaten business survival.
3. Risk appetite can be reflected in a probability/impact matrix by introducing a tolerance line. What purpose
does it serve?
4. What are the four main types of risk control?
5. What information does a risk register contain?
6. Why are financial risk models commonly used for stress testing?
7. What is the objective of producing risk reports?

You will find the answers at the back of the book


Appendix 5.1: Extract from a sample risk register
Source: Gwent Local Resilience Forum (2016) Gwent community risk register, version 7.2 (Final), page 19 of 52, Risk Assessment Working Group; date of revision September 2015, review date November 2017; marked NOT PROTECTIVELY MARKED. Available at http://bit.ly/2FpJENW [Accessed February 2018].

Columns of the register: UK Risk ID; Risk Title; Outcome Description; Likelihood; Impact; Risk Rating; Capability Required; Controls currently in place; Additional risk treatment required (with timescale); Risk priority; Lead Responsibility; Review Date.

LOCAL RISKS ‘HL’

HL8 – Fire, flooding, stranding or collision involving a passenger vessel in or close to UK waters or on inland waterways, leading to the ship’s evacuation
Outcome: up to 50 fatalities and up to 100 casualties. Likelihood 1; Impact 3; Risk rating Medium. Capability required: Operational. Controls currently in place: organisational planning in place (fire fighting at sea & rescue at sea). Risk priority 1. Lead responsibility: MCA. Review date: Nov 2017.

HL9 – Aviation accident
Outcome: causing up to 50 fatalities and up to 250 casualties. Likelihood 1; Impact 3; Risk rating Medium. Capability required: Joint Agency Arrangements. Controls currently in place: control measures associated with the aircraft operating authorities and regulatory bodies, combined with security aspects; RAF Post Crash Management awareness training completed for the LRF; Gwent Major Incident Response Arrangements; Gwent LRF Evacuation & Recovery Plans in place; Gwent LRF Warning & Informing Arrangements. Additional risk treatment required: review risk in the light of any aircraft accident affecting Gwent or neighbouring areas. Risk priority 2. Lead responsibility: LA (RAF). Review date: Nov 2017.

HL10 – Local accident on motorways and major trunk roads
Outcome: multiple vehicle incident causing up to 10 fatalities and up to 20 casualties (internal injuries, fractures, possible burns); closure of lanes or carriageways causing major disruption and delays. Likelihood 5; Impact 3; Risk rating High. Capability required: Joint Agency Arrangements. Controls currently in place: major incident plan (emergency services); normal emergency response procedures / core business competency of emergency services; local authority & SEWTRA emergency plans; Active Traffic Management systems (M4); Brynglas & Gibraltar Tunnel plans/site specific plans. Risk priority 3. Lead responsibility: HGP. Review date: Nov 2017.

HL11 – Railway accident
Outcome: up to 30 fatalities and up to 100 casualties (fractures, internal injuries – burns less likely). Possible loss of freight. Major disruption to rail line including possible closure of rail tunnel. Likelihood 1; Impact 3; Risk rating Medium. Capability required: Joint Agency Arrangements. Controls currently in place: generic Major Incident plans for all Blue Light Services and Health Sector in place; Site Specific plan (Severn Rail (the extract ends here). Additional risk treatment required: considered satisfactory. Risk priority 2. Lead responsibility: BTP. Review date: Nov 2017.

Chapter 5
Chapter 5
Chapter 6
Risk financing, retention and transfer

Contents                                          Syllabus learning outcomes
Learning objectives
Introduction
Key terms
A Cost of risk incidents                          3.4
B Risk financing options                          3.4
C Insurance as a risk transfer mechanism          3.4, 3.5, 6.1, 6.2
D Other risk financing options                    3.4, 6.3
E Alternative risk transfer                       3.4, 6.3
F Risk financing plan                             3.4, 6.3
Key points
Question answers
Self-test questions

Learning objectives
After studying this chapter, you should be able to:
• discuss considerations affecting risk financing options;
• explain the role of insurance as a risk transfer mechanism;
• explain the regulatory context surrounding risk management;
• explain the role of an insurance intermediary in supporting risk management;
• discuss how risk can be transferred by contract;
• discuss alternatives to insurance including self-insurance, captives and alternative risk transfer
arrangements; and
• describe the purpose of a risk financing plan.
6/2 M67/P67/March 2018 Fundamentals of risk management

Introduction
In chapter 5 we talked about risk control – how to go about reducing the chances of risks materialising
or limiting the impact of those we could not prevent. However, despite our best efforts in managing risk,
unwanted incidents will still occur, and hence there will be unwanted costs. Once these costs have been
identified and measured, we need to decide how to finance them. Do we put funds on one side or do we
take out insurance? Are there other options?
In this chapter we will discuss financial losses and methods of funding such losses. We will explore the
full cost of risk incidents, considering secondary consequences as well as primary loss. We will briefly
discuss business continuity management as organisations strive to contain costs following significant
loss or business interruption.
We will describe the insurance market, how it is regulated and what advantages and disadvantages it
offers. We will see how losses can be shared or transferred entirely to an insurer. We will consider the
role of an insurance intermediary and discuss some services they might offer to help manage their
clients’ risks.
We will look at ways organisations can retain or protect themselves from losses. Options include the
creation of an internal fund or setting up their own insurance company via a captive arrangement. The
role of reinsurance is also explained in this chapter. We will also see how liabilities can be transferred to
others, with care, by contract terms and discuss financing options provided in the alternative risk
transfer market.
Finally, we will outline how options we choose can be consolidated into a risk financing plan.

Key terms
This chapter features explanations of the following terms and concepts:
Alternative risk transfer; Business continuity management (BCM); Business impact analysis; Catastrophe bonds;
Co-insurance; Excess layer; Facultative reinsurance; Insurance derivatives;
Obligatory reinsurance; Risk financing plans; Self-insurance; Umbrella policy.

A Cost of risk incidents


Before considering different methods of financing damaging incidents, it is important to clarify the full
extent of potential financial cost. The issues are monetary, timing, administration and opportunity costs.

A1 Cost categories
A1A Monetary
Initial monetary cost of an incident is often clearly defined for an organisation. As well as the cost of
replacing any assets that have been lost, it will include awards made against them by courts, litigation
costs and any regulatory fines. Total monetary cost, however, is more complicated than this.
Large, unexpected outgoings can damage cash flows that are needed to keep an organisation
functioning. An organisation may have substantial assets, but it is not always possible to realise those
assets quickly to fund losses. Typical examples would be assets invested heavily in machinery and
property.
Raising cash quickly is always a difficult exercise as assets may have to be sold at less than full value or
lenders may be reluctant to provide finance at reasonable rates of interest. For instance, stock market
values may be low at the time when shares need to be sold. Or an organisation needing to sell a
subsidiary to fund an unexpected group-wide loss may find that prospective purchasers, aware of the
need for the sale, will be in a much stronger negotiating position.
Even if money is available immediately to replace plant or equipment, it could take months or years for
them to be constructed, delivered and brought on stream. For example, a factory fire or similar damage
will often set in motion a chain of events that take a long time before the factory is reinstated as before.
There will be ongoing costs on top of the capital replacement cost.
Chapter 6 Risk financing, retention and transfer 6/3

Assessing replacement costs is not in itself always straightforward. Having suffered a substantial loss,
the board of an organisation will want to assess the situation to see if a replacement facility is the best
way forward. Often they will use the opportunity to construct something better or more flexible than the
one that was lost. In any case, direct replacement may not be possible as building methods, planning
controls and access to materials may have changed.
Steps that may need to be taken, even before building work starts, say after a major fire at key premises
belonging to an organisation working on oil extraction, could include:
• appointing architects and quantity surveyors to make suggestions and draw plans;
• checking and applying for new planning permissions where necessary;
• preparing specifications for builders and equipment suppliers;
• considering and negotiating tenders;
• ordering replacement machinery well in advance; and
• retraining staff where necessary or replacing with new skills.
During this time the organisation will be facing a shortfall in income if sales have slowed or stopped.
Finally, there will be continuing fixed costs to pay. These include such things as the cost of wages, rent
and even some new costs, such as redundancy payments to some employees.
If the incident is a major disaster there will be other potential costs to think about. Have people been
killed or injured? Is environmental damage significant? Is there a clear up cost to consider? Have other
businesses or livelihoods been affected? Will there be legal actions to defend? What extra management
resources will have to be deployed?

A1B Timing
We have seen that delays in completing rebuilding work or replacing assets are an important factor in
the total cost of damage. The longer it takes to re-establish normal working, the longer receipts will be
delayed, with consequent increases in borrowings and interest payments. Share values may also fall.

Some costs of damage may not need to be financed immediately. A common type of such a cost arises
from liability claims. Often, a claimant’s personal injury solicitor will be reluctant to settle until the full
long-term extent of an injury is known, so there may be a period of time before the full cash award is
needed. However, interim payments, where required, still need to be funded quickly.
When accounting for future unspecified payment liabilities, organisations will take legal advice as to the
likely amount to be paid and the possibility that interim payments may be made, and then work
backwards towards the current ‘present day value’ cost. The current cost will need to assess:
• inflation on the claim itself;
• whether interim interest may be awarded by the court on the amount paid; and, conversely,
• any values gained from funds held awaiting payment.
Insurers use actuaries for such calculations.
There can be other timing issues. In assessing potential costs of possible incidents risk professionals
have to consider that there may be more than one similar incident in a given accounting period, as we
touched on in chapter 5. Would this be significant enough to affect share price? If an organisation is
planning to raise capital from the stock market or is already vulnerable to takeover, this could be a
major issue.

A1C Administration
A significant incident can divert valuable management time away from the ongoing needs of a business.
Similarly, a large number of individual incidents use up resources. An insurer, for example, would not
just finance insured losses. They may also administer the claims portfolio, negotiate with claimants,
manage claims costs down and retain financial and statistical control. Such incidents may also distract
managers away from more productive business issues. For example, overseeing the need to collect,
document and verify evidence for large and complex claims will be a major management task.
An organisation choosing to retain risks internally may need to create an infrastructure that can handle
what may be a large number of individual incidents and their aftermath. However, it is unlikely that an
internal department will have the skills to contain costs as effectively as an outsourced claims handling
operation, whether as an insurer or even a specialist claims management company.

A1D Opportunity
Loss events may detract from an organisation’s ability to achieve its business and financial plans. This is
known as an opportunity cost as the organisation is unable to pursue opportunities which would have
generated profits.
Opportunity costs arise when an organisation can no longer produce goods and services due to machine
downtime or location damage; or are prevented from pursuing new products or market opportunities
through lack of resources. Such costs can be compounded if competitors, detecting a weakness, take
the opportunity to target customers or the distribution base.
Other problems can arise that prevent resources being used as originally intended. An incident and its
location may be adjudged a crime scene by police, who will demand quarantine of that area until they
have completed their investigations. This can take days, weeks, or in the case of a serious incident,
months. An organisation can be denied access to its own premises and property in this way until police
are satisfied that a crime has or has not been committed. To compound the annoyance, media,
politicians, local authorities and lobby groups may react to the organisation’s difficulties.
In addition, there is a range of statutory agencies that have the power to impose an investigation on an
organisation. In the UK these include the Environment Agency, Health and Safety Commission, HMRC
and others. There are equivalents in many other countries, all of whom can hugely distract from an
organisation’s ability to restore its usual activities.

Consider this…
Can you think of some opportunity costs that might occur following a fire at a major hotel?

A2 Scale of loss
When significant risks materialise total losses can be very large. Liabilities can easily exceed the value
of current assets that an organisation holds, and this may be sufficient to significantly damage an
organisation’s financial stability and viability. Underestimating probable losses, even by as little as 10%,
can leave a liability of millions of pounds. We will see in chapter 7 how liability losses brought down
major organisations during the 2008 financial crisis.
In the previous chapter we explained that in estimating total potential losses, it is not enough to add up
individual losses and their frequency. Aggregate losses must also be considered. A common example is
where employees may be injured together, either in one building or one mode of transport. Some types
of losses, e.g. noise, lung diseases, repetitive strain injury and others, can be felt simultaneously across
an entire workforce. Assets too, where close together, can be lost in one incident; for example vehicles
in an office car park. When a massive earthquake damaged Japan in the 1990s, the major port area was
damaged extensively. Organisations found that they had separate cargoes damaged in the one incident,
even though shipping had been arranged separately. Some cargoes were being transshipped and others
were being stored there awaiting transshipment. Unfortunately, all were there together at the same time
as the earthquake.

A3 Business continuity management (BCM)


Organisations have to recognise that some events cannot be either totally avoided or insured, so they
need to plan what they are going to do if a major incident occurs. This process is known as business
continuity management (BCM). The objective is to keep a system operational despite losses occurring
and to restore it as quickly as possible to its original state. Plans and procedures are put in place to limit
the extent of damage, financial or otherwise, a significant event may cause.
In this context, a system could be an operational unit of a business, a whole organisation, a social
system, or even a nation threatened by a natural disaster. Individual organisations will specify their own
survival needs.
A manufacturing or product processing business, for example, might be looking to ensure that critical
dependencies are protected or duplicated and available in time to avoid organisational damage. They
will be looking to achieve fast and visible control of any incident and its aftermath. Security and safety
will need to be reinstated where appropriate, and retention of key financial and operational controls will
be fundamental. An organisation will also be striving to protect its brand value and ensure its immediate
responsibilities are met.

Each major incident has unique circumstances that determine its eventual outcome. However, whatever
their cause or effect, major incidents are always followed by the same pattern of activities. First there is
immediate emergency action, then temporary measures to continue some operations, and finally a
permanent solution to restore previous facilities or improve them.

In May 2012 the International Organization for Standardization (ISO) published ISO 22301 (Societal
security – Business continuity management system – Requirements) which is the new international
standard for business continuity management and builds on the provisions provided by the BSI (British
Standards Institution) standard BS 25999. ISO 22301 covers the whole process of setting up and
maintaining systems to deal with potential disruptions.
The new standard supersedes BS 25999 and puts a much greater emphasis on monitoring performance
and aligning business continuity management. It is a guide both to BCM planning processes and
management of an overall programme through training, exercises and reviews to ensure BCM plans stay
current and up to date.
Two related guideline documents published in 2015 separately address business impact analysis and
supply chain continuity (ISO 22317 and ISO 22318, respectively). Business impact analysis involves
analysing the effect a major business disruption might have on particular activities. Supply chain
continuity examines the effects of a major disruption in critical supplies, usually because of some
external event beyond an organisation’s control.
ISO 22301 establishes a comprehensive six-step process cycle:
1: setting up a BCM management structure;
2: analysing the organisation’s survival priorities;
3: determining continuity strategies;
4: developing emergency responses;
5: exercising, reviewing and maintaining plans; and
6: embedding BCM in the organisation’s culture (which feeds back into step 1).

The objective is to set a standard for organisations that need to be confident they are capable of dealing
with emergency situations and recognise they must be able to justify this confidence to their
stakeholders. Nuclear power generators, airlines and space agencies, for example, all depend on
processes that are inherently unstable and rely on good management and safety engineering for
acceptable operation. National or civic disaster response organisations may see a similar need.
For most organisations, particularly the millions of small businesses struggling to make small profits
throughout the world, conformance to ISO 22301 is not a viable economic objective. Nevertheless, these
organisations will still need to consider their response to potential incidents so they are prepared to
deal with them if they do occur.

Be aware
The ISO 22301 standard supersedes BS 25999 and organisations had to transfer over to the new standard
by the end of March 2014 to allow sufficient time for reviews to be undertaken and certificates to be issued by
31 May 2014.

B Risk financing options


B1 Considerations
It is important that an organisation recognises all sources of indirect costs and understands clearly the
full extent of losses that may be faced. With this full understanding the organisation can begin to make
realistic decisions about:
• whether to retain a risk internally;
• whether to establish funding for risk incidents, and the size of such a fund;
• the best combination of financing arrangements; and
• insurance and the limits of indemnity to be negotiated within insurance contracts.

In their preliminary work before evaluating options and making decisions, risk professionals will:
• evaluate all potential costs that may be faced within a defined time period;
• clarify whether they are maximum probable losses or maximum possible losses;
• evaluate maximum potential impact and total cost of one single loss;
• evaluate total possible cost of risk; and
• separately consider when such losses would need to be funded.
Other factors need to be considered as we saw above, for example:
• Is there unacceptable potential cost in human terms?
• Are losses confined to assets or will there be loss of revenue also?
• Could a loss event affect the reputation of the firm, resulting in a further loss of sales or even a fall in
the share price?
• Will cash flow disruption result in extra cost?
• Will the incident prevent business objectives being achieved or prevent opportunities being pursued?
• Will staff be unproductive or have to be laid off?
• A weakened organisation may become a higher credit risk. Is the impact likely to be sufficient to raise
borrowing costs or lower share price? Could the organisation become vulnerable to a takeover bid?
Could regulatory approval be withdrawn?
Following this analysis the organisation would then be broadly looking to see how it:
• quantifies the level of all costs that can be absorbed without a significant impact on the organisation
itself;
• identifies potential sources of funding to meet larger losses; and
• considers how such funds can be available at the time they are needed.

B2 Risk impact limits


In order to decide how important individual losses are we need to know how much loss an organisation
can afford to absorb without significant impact on its own operations.

Risk impact limits will involve calculating:
• the single largest amount the organisation can afford to retain; and
• the aggregate of losses the organisation can afford to retain over a given time, ignoring low level,
common, frequent losses.

Whichever way retained losses are covered, liquid funds have to be set aside that could have been used
for some other purpose. Organisations always have competing demands for cash. Do they invest in
research and development, capital equipment, new ventures, marketing promotion, more staff or
something else? Often the dilemma is resolved by evaluating alternative proposals to see which
promises the best monetary return on investment.
To evaluate comparative proposals, cash spent today has to be compared with income received in the
future. As cash today is worth more than cash tomorrow, the expected timings of payments and receipts
have to be worked out and future amounts discounted back to present day values. This technique is
called discounted cash flow (DCF) analysis and subtracting the present day spend value from the
present day return value gives a net present value (NPV) for an investment proposal that can be used to
help make decisions.
As a straightforward investment comparison it will always be difficult to explain why liquid risk funds
should be held when they are likely to earn a comparatively low safe interest rate of perhaps a few per
cent, against other investment proposals promising returns of perhaps 35% or more. However, there are
many other factors to be taken into account and organisations will have survival and continuity issues
that are more important than simple financial return.
The extent of losses an organisation will tolerate will depend on its objectives and on what it does. A gas
or water company, for example, will need liquid funds to restore and maintain supplies. A construction
company may need to fund alternative ways of completing contracts. For a particular organisation the
board will have to define maximum acceptable losses, and this should be in monetary terms, for
example, 2% of turnover.
Of course an organisation does not have to hold its entire risk reserve fund in cash, provided it has
facilities in place to enable it to borrow cash at short notice. Borrowing, however, is not always a
preferred option. The more debts an organisation accumulates, the more expensive additional borrowing
will become. Also, there will be limits on the amount of interest it can afford. Organisations with
shareholders can raise money by selling additional shares, but this is not a quick process and timing is
critical for success.
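The DCF/NPV comparison and the two risk impact limits described in this section, together with the present-day valuation of a future liability claim from section A1B, worked in Python as an added example (not from the study text); the turnover, loss history, rates and the simplified interest model are constructed assumptions.

```python
"""Worked example of the risk financing arithmetic in sections A1B and B2:
present value, net present value (NPV), the single-loss and aggregate risk
impact limits, and the present-day cost of a future liability award.
All figures are constructed; the liability model is a simplification
(compound claim inflation, simple court interest, discounting at the return
earned on funds held awaiting payment)."""


def present_value(amount: float, years: int, rate: float) -> float:
    """Discount a cash amount due `years` from now back to today at `rate`."""
    return amount / (1.0 + rate) ** years


def net_present_value(spend_today: float, receipts: list[tuple[int, float]],
                      discount_rate: float) -> float:
    """NPV = present value of future receipts minus the cash spent today.
    `receipts` is a list of (year, amount) pairs."""
    pv_returns = sum(present_value(amt, yr, discount_rate) for yr, amt in receipts)
    return pv_returns - spend_today


def reserve_fund_npv(fund: float, years: int, safe_rate: float,
                     discount_rate: float) -> float:
    """NPV of parking `fund` in a liquid risk reserve earning `safe_rate`,
    judged against the organisation's own `discount_rate` (cost of capital).
    A negative result is the opportunity cost the text describes."""
    value_at_end = fund * (1.0 + safe_rate) ** years
    return net_present_value(fund, [(years, value_at_end)], discount_rate)


def liability_present_cost(claim_today: float, years_to_settle: int,
                           claim_inflation: float, court_interest: float,
                           fund_return: float) -> float:
    """Work a future liability award back to a present-day cost:
    inflate the claim to the settlement date, add simple interest the court
    may award, then discount at the return earned on funds held meanwhile."""
    inflated = claim_today * (1.0 + claim_inflation) ** years_to_settle
    with_interest = inflated * (1.0 + court_interest * years_to_settle)
    return present_value(with_interest, years_to_settle, fund_return)


def risk_impact_limits(losses: list[float], de_minimis: float) -> tuple[float, float]:
    """Return (single largest loss, aggregate of losses) for one period,
    ignoring low-level, frequent losses at or below `de_minimis`."""
    significant = [loss for loss in losses if loss > de_minimis]
    return max(significant, default=0.0), sum(significant)


def retention_check(losses: list[float], de_minimis: float,
                    turnover: float, max_loss_fraction: float) -> dict:
    """Test both limits against the board's maximum acceptable loss,
    stated in monetary terms as a fraction of turnover (0.02 = 2%)."""
    limit = turnover * max_loss_fraction
    largest, aggregate = risk_impact_limits(losses, de_minimis)
    return {
        "limit": limit,
        "largest": largest,
        "aggregate": aggregate,
        "single_loss_ok": largest <= limit,
        "aggregate_ok": aggregate <= limit,
    }


# Constructed figures for the worked example (not from the study text).
TURNOVER = 50_000_000.0
PERIOD_LOSSES = [12_000.0, 3_500.0, 450_000.0, 8_000.0, 620_000.0, 900.0]
COST_OF_CAPITAL = 0.08
PROPOSAL = (1_000_000.0, [(1, 500_000.0), (2, 500_000.0), (3, 500_000.0)])

if __name__ == "__main__":
    # Each loss is individually within 2% of turnover; together they are not.
    print("retention check:", retention_check(PERIOD_LOSSES, 10_000.0, TURNOVER, 0.02))
    # Reserve at 2% vs a project returning 500k a year, both judged at 8%.
    print("reserve fund NPV:", round(reserve_fund_npv(1_000_000.0, 3, 0.02, COST_OF_CAPITAL)))
    print("project NPV:", round(net_present_value(*PROPOSAL, COST_OF_CAPITAL)))
    # A 400k claim settling in three years, 3% claim inflation, 2% simple
    # court interest, funds held meanwhile earning 4%.
    print("liability present cost:",
          round(liability_present_cost(400_000.0, 3, 0.03, 0.02, 0.04)))
```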

B3 Insurance related costs


Having identified costs of potential risks and the amounts of risk it is willing to retain, a further
worthwhile exercise for an organisation to undertake is to look closely at the structure of any existing
insurance arrangements, at least on an annual basis. We will see later in this chapter that such reviews
are usually undertaken by an appointed professional risk adviser or insurance intermediary working
alongside the organisation. Premiums paid, claims payments already made, and any projected claims
costs, maybe across a variety of risks, are examined to devise an optimum risk financing solution.

Question 6.1
When an organisation has fully evaluated the risks it faces and considered their potential impact and cost, it needs to
develop a risk financing plan. What initial steps should it take?

C Insurance as a risk transfer mechanism


We saw in chapter 1 that insurance evolved in the days of sailing when merchants set aside part of their
trading profits to compensate those that lost their ships. This method of spreading losses across many
different traders by way of mutual funds – and then insurance contracts – emerged as an instrument
whereby the cost of failure could be reduced to a pre-agreed, reasonably fixed and manageable cost.
Modern corporations, their structures, risks and consequences of damage have moved on significantly
since the eighteenth century. Organisations have greater strengths, but greater sensitivities too, and can
be totally destroyed just as quickly. A modern organisation, however large and strong, still needs to
protect large amounts of assets from simultaneous, sudden loss, and also to stabilise its revenues and
profits over time. Organisations and their stakeholders will not want to take on the risk of significant
asset loss or damage to financial stability.
In the insurance market, insurers are sellers of insurance cover and organisations and individuals are
buyers. Organisations normally seek insurance cover through this market with the help of a broker
(or intermediary) whose role in the risk management process we will discuss shortly.
According to figures released by the Association of British Insurers (ABI), the UK insurance industry is the
third largest in the world and the largest in Europe, providing life and general insurance products to
individuals and organisations. The UK market is highly competitive, with over a thousand companies
authorised to write general insurance business alone. Other prominent insurance markets are based in
the USA and Japan.
Insurers exist in a variety of different sizes and capabilities. Some insurers specialise in providing one or
two particular types of insurance while others cover a wider market. Some insurers work in an
international or global context while others concentrate on provision of cover in one or two countries.
Insurances offered to organisations can be packaged in a variety of ways. Some will be aligned closely to
the requirements of particular trades, for example shops and salons. Others will be designed to meet
requirements of organisations operating in particular industries or professions; such as aviation,
education or energy.
The insurance market is only going to provide financial protection in the case of loss or damage arising
from some of the risks faced by an organisation. Therefore, not all risks will be covered. For example,
financial protection may only be offered against risks associated with use and occupation of commercial
premises (such as potential loss or damage arising from water and fire), transport (which can range from
aircraft, railway rolling stock to different forms of marine vessels) and various risks associated with use
and movement of money, such as credit insurance. Cover for other risks, for example brand damage or
reputation loss may not be offered.
Insurance cover is relatively widely available in relation to potential costs an organisation may face in
connection with various liabilities it may incur to third parties. For example, public liability insurance is
designed to protect against any legal liability incurred for bodily injury to third parties or damage to their
property. Product liability insurance covers an organisation against liabilities arising out of any injuries
to third parties, or damage to their property caused by goods an organisation has supplied or sold.
Remember that in some jurisdictions in the world, particular insurance covers may be compulsory. For
example in the UK, legislation at the end of the 1960s made employers’ liability insurance a compulsory
requirement, and it has to be provided by an insurer authorised to provide such cover. Employers’
liability insurance gives financial protection to employers (organisations) from claims for damages
brought against them by their employees for bodily injury or illness arising out of or in the course of
employment.
Each insurer will have a financial limit (or capacity) it is willing to underwrite (accept) in relation to a
particular risk or class of insurance. Contract (policy) terms on offer can vary from one insurer to the next
even for the same type of insurance, especially in relation to policy limits and application of different
levels of excess or deductibles in the event of a claim being presented by the organisation (insured) to
the insurer under the terms of a policy.
Cost-effective insurance is not always readily obtainable. Many insurers like to sell standard insurance
packages with covers and premiums they feel able to profit from. Departures from offered products to
cover other risks may be discouraged by high premiums or exclusions. An example of a typical exclusion
is the value of data held on an organisation’s computers, which is often the most valuable asset that the
organisation has and depends upon.

However, while there have been many developments that have caused organisations to look elsewhere
for their risk funding, the insurance market still provides a valuable risk funding mechanism.
Organisations will design an insurance programme that matches their risk or insurance requirements,
risk appetite and budgets with insurer capabilities and preferences as evidenced by the insurance
products offered on the market.
Organisations will also consider the value of ancillary services on offer, for example risk management,
claims handling/loss administration, or global coordination. Are these capabilities available in house or
do they need to be bought in? How is insurance management going to be organised? Is it to be devolved
to subsidiary operations or kept under central control?
Consolidation among insurers is enabling them to offer the greater financial strength needed by today’s
organisations. They are also becoming progressively more global, thus enabling them to better meet the
needs of clients who themselves are larger, have greater exposures and are multinational. Insurers are
becoming more amenable to ‘unbundling’ their products and to meeting needs as seen by the customer,
rather than just offering products that respond to their own internal preferences. They are also
increasingly willing to consider relationships with insured organisations that last for longer than
one year.
In some instances insurers are recognising that best value may be to provide a layer of catastrophe
protection over and above those exposures that an organisation may wish to retain. They are recognising
too, that buyers may wish to look elsewhere for loss control and claims handling services. Clearly, a
large multinational organisation will have the sophistication and economies of scale to enable it to base
these decisions on best capabilities and value for money.
While principles of insurance remain fixed, new practical applications and products are constantly
evolving to keep pace with changes in business practices and demands. Insurers are increasingly
looking to work alongside alternative funding mechanisms in order to provide their own value where it is
most needed. This value is at its greatest when they can offer to remove large swings in the cost of risk
from clients’ annual results, assets and cash flows. To this aim, one measure is to establish a
relationship where it is agreed that charges for insurance protection will remain over a longer period of
time within a pre-agreed range of cost.

Consider this…
Do you think insurance is always a good investment? Is your answer the same for high frequency and low impact
risk events, and low frequency and high impact ones?

C1 Advantages and disadvantages of the insurance market


There are both advantages and disadvantages of transferring risks into the insurance market. However,
sometimes organisations have no choice. We have seen that by law some exposures must be insured by
third party, accredited insurers. Depending on the jurisdiction, these risks include employers’ liability,
professional indemnity and motor liability risks. Some regulatory bodies may demand that insurances be
carried as a pre-condition of meeting their regulatory demands. If an organisation has an operation in a
foreign country then that organisation needs to meet the laws of that foreign country, even if they are
additional to the laws of the head office location.
There may be other circumstances where the decision to insure a risk may not be purely monetary. An
organisation may decide to insure its entire public liability or professional liability risks. Someone who is
perceived by a claimant to be independent can then better negotiate with third parties on their behalf.
Alternatively, an insurer may have greater global coverage and thus be better able to respond quickly
and with local resources to an incident that is far from the organisation’s own core infrastructure.
Using insurance has several advantages:
• Insurance is an economic vehicle for sharing exposures with a large number of other organisations.
• Insurers have a wealth of experience in risk and risk funding mechanisms.
• Insurers can provide additional services, which organisations may find useful.
• Fast access to large insurance funds means an organisation has more cash for long-term investment
as it has less need for liquid funds.
• Premiums may be tax deductible.
6/10 M67/P67/March 2018 Fundamentals of risk management

However, there are also disadvantages because insurers and insured organisations operate from
different perspectives:
• Insurers are constrained by their need to measure all losses in monetary terms. For those insured, their
greatest exposures may not be monetary, but might be exposures to the operational delivery process,
the marketplace they operate in, intellectual assets and other ongoing stakeholder support.
• In order for insurers to be able to assess and cost risks, they traditionally have cause of loss as their
primary interest. The organisation sees impact, not causes, as its main concern. Insurers may not
cover all possible causes of loss or damage.
• Insurers usually want to contain risk acceptance and pricing to a short period of time, often twelve
months. An organisation needs to forecast for a longer period of time in its product design, product
pricing and marketing strategies.
• Elements that make up an insurance premium (including potential claims costs, expenses of the
insurer and insurer’s profit) may not all be adding value to an insured organisation. Certainly, the fund
swapping that takes place where there are large amounts of small claims simply builds in additional
administration and insurer’s profit costs. As a result, organisations will usually pay more in
premiums than they will get back.
These issues need to be managed if both parties are to deliver effective insurance protections that meet
business needs.
Other potential disadvantages of insurance include the following:
• Insurers may demand detailed information in a format that suits them rather than their customer.
Insurers may also demand risk control measures that an organisation may not consider cost effective.
• Organisations may have difficulty ensuring that insurers’ conditions and warranties are met
throughout a number of dispersed operations. For example, an insurer may exclude products liability
for goods sold into the USA and Canada. The level of risk funding will be wrong unless each and every
part of the organisation recognises the liability and notifies any sales in these areas.
• Products offered by insurers are increasingly likely not to include those risks that are of greatest
concern to a large organisation. It is not easy, for instance, to find effective insurance-based
protection for risks, such as brand value, business and financial control, supply chain failure and
intellectual assets.
• It is also possible that an insurer might go bankrupt, especially in response to large or multiple
liability claims.

C1A Insurance Act 2015


Both the insurer and the insured must understand precisely what risks are to be insured and what their
frequency and impact are likely to be. Organisations contemplating insurance contracts must
understand the legal framework involved, particularly where third parties are concerned, or they may end
up with inadequate compensation for risks they believed were insured.
English law governing insurance contracts has, in recent years, been updated and revised. The
Consumer Insurance (Disclosure and Representations) Act 2012 (usually abbreviated to CIDRA) covers
insurance contracts with individuals, while the Insurance Act 2015 deals with commercial contracts for
businesses. CIDRA only applies to consumer insurance contracts – insurance bought by individuals for
purposes wholly or mainly unrelated to their trade, business or profession. It is also only concerned with
what a consumer must tell an insurer before entering into or varying an insurance contract. The
Insurance Act 2015 is concerned with non-consumer insurance contracts and addresses wider issues.
The purpose of the two new Acts is to update legislation previously based on the Marine Insurance Act
1906, interpreted over subsequent years by case law in the courts and arbitration rulings where
legislation was avoided. The Acts bring the law up-to-date in line with today’s market situation and
generally established good practice, and are compatible with European legislation and directives.
Both Acts clarify the rights and obligations of the insurer and the insured and remove any ability of the
insurer to avoid contract obligations on grounds that the insured did not act in ‘good faith’. There are,
however, significant differences between the new laws for consumer and non-consumer insurance
contracts. CIDRA is designed to protect the consumer, while the Insurance Act 2015 is designed to be
neutral, imposing reciprocal obligations on both parties.
CIDRA requires only that consumers take reasonable care to answer an insurer’s questions fully and
accurately before entering into an insurance contract. For commercial insurers, the Insurance Act 2015
provides that before a commercial contract is entered into, the insured must make a fair presentation of
the risk to the insurer.
Chapter 6 Risk financing, retention and transfer 6/11

Under the Insurance Act 2015, the insured must disclose every material circumstance that the insured
knows or ought to know, or, failing that, must disclose sufficient information to put a prudent insurer
on notice that it needs to make further enquiries for the purpose of revealing those circumstances.
The disclosure must be made in a manner that would be reasonably clear and accessible to an insurer.
Matters of fact must be substantially correct and matters of expectation or belief made in good faith.

The significant differences between the duty of fair presentation in the Insurance Act 2015 and the duty
to take reasonable care not to make a misrepresentation under CIDRA are:
• a commercial policyholder is still required to volunteer information;
• the duty of a commercial policyholder is not to misrepresent, rather than take reasonable care not to
misrepresent; and
• CIDRA rules are mandatory. An insurer may not use a contract term to put consumers in a worse
position than they would be under the provisions of CIDRA. By contrast, in non-consumer insurance,
the parties may extend, as well as reduce, the duty of fair presentation.
Honesty protected
You can see that when placing insurance contracts, you must be very careful to provide enough
information for the insurer to accurately assess the risks it is being asked to insure. With both Acts,
honest and careful policyholders are fully protected, but if a policyholder makes a deliberate or reckless
misrepresentation, the insurer can refuse all claims. If the policyholder answers questions carelessly,
the Acts aim to put the insurer in the position it would have been had the insured taken reasonable care
to provide a full and accurate answer. For example, if the insurer:
• would have changed a policy term it may treat the contract as though that change had been made.
Typically an excess, warranty or exclusion might be applied.
• would have increased the premium, it would be entitled to reduce claims payments in proportion to
the premium difference.
• would not have accepted the proposal, it would be entitled to refuse all claims and return any
premium paid.
Deliberate fraud has separate provisions. When the insured commits a fraud, the insurer has no
responsibility to pay the fraudulent claim or any claims arising after the fraud, but will remain liable for
legitimate losses before the fraud. The contract can be treated as terminated from the date of the
fraudulent act, and the insurer can reclaim any monies already paid out in respect of that claim.
The Insurance Act 2015 includes the following provisions:
• The insurer may not rely on non-compliance with any term in a policy to limit liability if the insured can
show that the non-compliance could not have increased the risk of loss that actually occurred in the
circumstances in which it occurred.
• Breach of a term that concerns a particular type of loss, or loss at a particular time or place, should
only give the insurer a remedy in respect of that type of loss or loss at that time or place. It should not
allow the insurer to escape liability for a different type of loss on which the non-compliance could
have had no effect.
• In the event of a breach of warranty, the insurer’s liability is suspended, rather than discharged, so the
insurer is liable for valid claims that arise after a breach has been remedied. A breach is remedied
when the risk to which the warranty relates has become essentially the same as that originally
contemplated between the parties.
This is the mandatory regime for consumer insurance contracts, but the default position for commercial
contracts which can be tailored by agreement. However, both Acts prevent insurers turning
representations into legal warranties through contract clauses, policy terms or statements on the
proposal form.
The Acts include guidance on how various terms are to be interpreted and, as agents or brokers may be
involved, a structure to decide for whom an intermediary acts when passing information between the
insured and an insurer. They also make it clear that variations to contracts are effectively new contracts
for legal purposes.
The Insurance Act 2015 came into force on 12 August 2016 but without a controversial clause covering
late payments. This was included later in part 5 of the Enterprise Act 2016 and obliges insurers to pay
claims within a reasonable time.

C2 Regulatory context surrounding risk management


If organisations are going to pay premiums now and rely on the insurance market for financing risks that
materialise in the future, then they need to be sure the market is stable. It is also important that
insurance firms are able to meet their liabilities when organisations need to make a claim. Individuals
have the same concerns about personal insurance products. Governments introduce legislation to meet
these concerns.
Insurance companies and intermediaries in the UK are regulated by the Government, both to ensure
sound operation of the financial system as a whole and to protect individual policyholders. Supervision
of organisations under the regulations used to be the remit of the Financial Services Authority (FSA), but
a new regulatory structure was introduced in 2013.
From April 2013, following the enactment of the Financial Services Act 2012, two new regulators were
established. First, the Prudential Regulation Authority (PRA), operating as a subsidiary of the Bank of
England, became responsible for the stability of financial services firms (including insurance companies)
and was charged with promoting their safety and soundness. In the case of insurers, the PRA had to
ensure that policyholders had an appropriate degree of protection. Second, the Financial Conduct
Authority (FCA) became the City’s conduct watchdog, ensuring financial markets function competitively
and efficiently and that consumers of financial products are treated fairly. The FCA is the successor to
the FSA as far as individual policyholders are concerned.
The Bank of England and Financial Services Act 2016 further modified the Bank’s regulatory structure.
The status of the FCA remained unchanged but the PRA was made part of the Bank (ending its subsidiary
status) and a new Prudential Regulation Committee (PRC) was established. The PRC operates alongside
the other two Bank committees, namely the Financial Policy Committee and the Monetary Policy
Committee.
The FCA and PRA
The FCA is responsible for prudential regulation of those financial services firms not supervised by
the PRA.
The FCA has three operational objectives:
• to protect and enhance the integrity of the UK financial system;
• to secure an appropriate degree of protection for consumers; and
• to promote effective competition in the interests of consumers.

The PRA determines whether organisations’ business models and governance arrangements satisfy
requirements for licence to trade. It sets standards and supervises financial institutions on an individual
basis. There are also statutory requirements (known as threshold conditions) that organisations must
meet. These threshold conditions include maintaining appropriate capital and liquidity and having
suitable management.
The PRA has three objectives:
• a general objective to promote the safety and soundness of the firms it regulates;
• an objective specific to insurance firms, to contribute to the securing of an appropriate degree of
protection for those who are or may become insurance policyholders; and
• a secondary objective to facilitate effective competition.
The PRA will assess firms not just against current risks, but also against those that could plausibly arise
in the future. Where the PRA judges it necessary to intervene, it will generally aim to do so at an early
stage. It will focus on those issues and firms that pose greatest risk to stability of the UK financial
system and policyholders.

The PRA recognises that interests of the financial system as a whole may conflict with interests of
individual organisations and their shareholders and will seek to broaden the outlook of directors and
change culture within firms. It also recognises the difficulty of assessing the financial stability of
insurers that stems from inherent problems estimating their future liabilities. For this reason, the PRA
will run simulations to test resilience of organisations and their business models to potential changes in
financial and commercial environments.
The PRA is not trying to stop organisations failing. It is trying to make sure that organisations that do fail
do so in a way that avoids disruption to the financial system and protects individual policyholders.
The PRA organises its supervision in line with European harmonisation directives for banking (Basel II)
and insurance (Solvency II). In this chapter, we are concerned only with insurance, although the
fundamental principles behind Basel II and Solvency II are the same.

C2A Solvency II
For insurers, the most important reform being undertaken by the PRA is the implementation of
mandatory standard risk reporting in line with Solvency II, an EU Directive covering capital requirements
and related supervision for insurers. Full regulatory reporting requirements came into effect on 1 January
2016, but with a transitional phase lasting until 1 January 2020. Solvency II takes into account current
developments in insurance, risk management, financial techniques, international financial reporting and
prudential standards.
Solvency II sets out solvency capital requirement (SCR) and minimum capital requirement (MCR) levels
for various classes of insurer. Insurance and reinsurance undertakings have to calculate SCR at least
once a year and MCR at least quarterly, and report results of those calculations to the supervisory
authorities. A firm must hold eligible own funds covering its SCR.
SCR corresponds to the amount of money at risk over a one-year period to a confidence level of 99.5%.
MCR reflects the amount of money at risk over a one-year period to a confidence level of 85%, but with
statutory minimum values for different classes of firm, e.g. €2.5m for general insurance firms. The MCR
must not fall below 25% or exceed 45% of the SCR. Firms must notify the PRA immediately if they cease
to comply with MCR rules or if there is a risk they may do so within the following three months. The PRA
will then focus on that firm and expect to agree a suitable action plan to rectify matters, or alternatively
agree an exit strategy for all or part of the business concerned.
PRA rules for Solvency II reporting demand an enormous amount of data collection, processing and
reporting in prescribed formats. Insurance firms are struggling to put in place the necessary
infrastructure and recruit people with appropriate skills. For example, to calculate its SCR a firm must
calculate the capital requirements for non-life underwriting risk, life underwriting risk, health
underwriting risk, market risk and counterparty default risk and then aggregate them according to a
weighted formula. Each of these components has several sub-sections, e.g. the life underwriting risk is a
combination of the capital requirements for individually calculated risks concerning mortality, longevity,
disability-morbidity, life expense, revision, lapse and life catastrophe. Similarly, market risk will have
components of interest rate, equity, property, spread, currency and market risk concentrations.
SCR requirements
The SCR must take into account all quantifiable risks to which the firm is exposed, including at least the
non-life underwriting risk, life underwriting risk, health underwriting risk, market risk, credit risk and
operational risk. It must cover existing business and new business expected to be written over the
following twelve months. With existing business, it must cover only unexpected losses. Adequate
technical provisions with respect to all insurance and reinsurance obligations must be made, and the
value of technical provisions must correspond to the current amount the firm would have to pay if it were
to transfer its insurance and reinsurance obligations to another Solvency II undertaking.
Assets and liabilities are valued using market-consistent methods and capital requirements are set to
ensure firms can withstand a forward-looking, one in two-hundred-year stress. Market-based valuation of
equities is demanded according to consistent rules, which have been extended to allow for cyclical
market fluctuations. Other rules ensure common accounting and reporting conventions, including capital
treatment, reserve valuation and risk transfer tools. Special protection prevents regulatory costs
overburdening small- and medium-sized organisations.

A firm can calculate SCR with the PRA standard formula or it can use its own internal model or partial
internal model provided it has been granted formal approval from the PRA. The approval process is quite
strict, and covers the systems in place to ensure the accuracy and validity of the data as well as the
calculations and assumptions used in the model. The firm must demonstrate that it has adequate
systems for identifying, measuring, monitoring, managing and reporting risk. It must also submit an
internal model change policy and demonstrate it has systems in place to ensure its internal model
operates properly on a continuous basis. The firm must be able to explain why SCR calculated from its
internal model is better than SCR calculated using the standard formula. It must also show that its
internal model is widely used and plays an important role in its system of governance, in particular in its
risk management system and in its economic and solvency capital assessment and allocation processes.
Enterprise risk management
The PRA is particularly concerned with enterprise risk management (ERM) and corporate governance
systems to identify, evaluate and manage risk. The governing body must take responsibility for
compliance with PRA rules and regulations, and relevant legislation. There must be an effective system
of governance that provides for sound and prudent management of the business. This system must
include an adequate transparent organisational structure with a clear allocation and appropriate
segregation of responsibilities, and an effective system for ensuring the transmission of information.
There must be written policies in relation to at least risk management, internal control, internal audit
and, where relevant, outsourcing. The governing body must approve these policies, ensure they are
implemented, review them at least annually and have a change mechanism for when risk profiles are
significantly altered.
The risk management system must cover all the risk areas used in the internal risk calculation models.
The PRA places particular importance on internal audit and actuarial functions and expects to approve
that persons undertaking these roles are suitable for the task and properly qualified. Outsourced tasks
must not unduly increase operational risk and risk reporting must feed seamlessly into the internal risk
management system and external PRA controls.
Benefits and costs of Solvency II
Solvency II is expected to benefit consumers, insurers and regulators. It should:
• reduce the risk of failure or default by an insurer;
• make it easier for companies to sell across different markets, promoting competition;
• improve risk assessment of commercial decisions;
• improve financial management of insurers; and
• improve the regulation of firms and facilitate early identification of potential problems.
The downside is, of course, the considerable cost of putting in place staffing and maintaining systems
capable of providing reliable and consistent data in the detail required. There is also a potential new risk
that very detailed commercially confidential information will be allowed into the wrong hands.
The insurance sector is not particularly interdependent, so it is unlikely that failure of individual
insurance firms could threaten UK financial stability in the same way as banking failures. Nevertheless,
the Government and the PRA believe that policyholders must be able to rely on insurance contracts
being honoured, particularly those with long-term commitments, and are convinced the benefits
outweigh the costs.
PRA rules apply to all firms within the scope of Solvency II, which includes all operating insurers of a
reasonable size with their head office in the UK. The basic rules are appropriately extended to cover
groups of firms, firms with operations abroad and members of Lloyd’s syndicates.
Experience so far
Solvency II seems to be working well and most firms have overcome their initial difficulties with the
complexity required of their risk models. Regulators have no scope for requiring additional capital
reserves if they think models are too lax, so they have to carefully scrutinise model construction and
performance. This has led to some initial friction, but the only serious criticism seems to be excessive
sensitivity of risk margin to interest rates.

Risk margin is calculated by multiplying a fixed cost of capital (currently 6%) by the net present value of
future capital requirements. Lower interest rates both reduce the discount rate applied to future capital
requirements and increase the level of future capital required. This is primarily an issue for UK life firms
with long-dated annuity liabilities. The risk margin is intended to provide the financial resources
necessary to cover the return on capital that a hypothetical acquirer would need to run off the insurance
liabilities. The current formula leads to higher risk margins when insurance liabilities have transferred
between firms than those shown to be acceptable from historical analysis. Regulators are using a
transition mechanism to compensate for undue capital demand, but a change in the formula is needed
for a permanent solution.
International operations
Organisations operating outside the UK must be familiar with local laws and regulations. Regulatory
arrangements can be quite different in different countries. As an example, we will look at the USA, where
regulation is being thoroughly reviewed following the 2008 financial crisis.
Each US state is responsible for regulating insurance, including broking activity, within its jurisdiction.
The McCarran-Ferguson Act of 1945 declared that states should regulate the business of insurance and
affirmed that continued regulation of the insurance industry by the states was in the public’s best
interest.
Some states appoint, and others elect, an Insurance Commissioner and there is a National Association
of Insurance Commissioners (NAIC), which is self-regulating and chaired by one of the state
commissioners. NAIC discusses topical issues and offers help and advice. States also get advice from
the National Conference of Insurance Legislators (NCOIL), a body of insurance practitioners that
discusses and ratifies, or otherwise, NAIC recommendations. None of this advice need be taken and
essentially each state goes its own way. So, if an insurer wishes to introduce a new product it must seek
approval from 51 separate authorities (50 states plus Washington, DC).
The Dodd-Frank Wall Street Reform and Consumer Protection Act signed into law by President Obama in
July 2010 introduced sweeping reforms to regulation of US financial services designed to prevent a
recurrence of systemic financial crises. It included legislation to establish the Federal Insurance Office
(FIO) within the Department of the Treasury.
The FIO is tasked with monitoring all aspects of the US insurance industry and liaising with individual
states. It is also charged with evaluating and reporting to Congress on how to modernise and improve
the system of insurance regulation in the USA. Because of this, further regulatory changes can be
expected.

Question 6.2
What are the names of the two regulatory bodies that were established following the enactment of the Financial
Services Act 2012?

C3 Role of an insurance intermediary in supporting risk management


Commercial insurances are often placed into the marketplace through an intermediary known as a
broker. Traditionally, the main role of an insurance broker was to:
• provide advice on selection of insurers;
• execute instructions; and
• provide, in the case of larger national or international firms, a risk survey service.
However, as theory and practice of risk management have developed (particularly in the last twenty
years or so) the insurance broking industry has recognised the need for many additional technical
services in support of risk management programmes. At the same time, it has also acknowledged that
some organisations, usually large national, international or global organisations, have built up their own
highly skilled risk management departments. As a result, such organisations rely on outside agencies
only to a limited extent.
The role of a broker is to assist an organisation (their client) in achieving its risk management objectives.
Thus the broker may be advising an organisation in relation to any aspect of the risk management
process. UK brokers are financial services organisations and are regulated by the FCA.
The list of services offered by brokers is growing constantly. Some brokers may provide the service
‘in-house’ through their own employees. Others may have arrangements with specialist companies or
provide appropriate services with or alongside professional advisers. Legal and accounting services are
typically organised in this way.

As new risks emerge, intermediaries or brokers will continue to develop targeted solutions. New services
dealing with cyber liability and computer crime are now available, along with expertise in particular
areas such as wind farm energy.
In the following section we will discuss some of the services provided by large international or national
broker networks or intermediaries. It is by no means a definitive list. Fees for this expertise are usually
paid by the organisation to the broker or related service provider. Naturally, the mix of services provided
will depend on an organisation’s individual needs.

C3A Property surveys


This is the original risk consultancy service offered by brokers and, where provided, for the most part it is
generally an ‘in-house’ service.
Two examples of property surveys:
• underwriting surveys to determine the risk information needed by insurers to underwrite the risk, i.e.
construction of buildings, occupation, protections, sprinklers, housekeeping etc. The availability of
good quality, up-to-date surveys is crucial to obtain the most competitive terms; and
• risk control surveys to provide the broker’s client with an expert assessment of risks inherent in the
premises and their occupation, together with practical recommendations for controlling and
eliminating those risks.

C3B Business continuity plans


A broker can provide this assistance as an extension of its property survey or as a dedicated service,
encompassing a range of non-property matters. The aim is to assist the client to understand risks that
could have an impact on their business, e.g. a major fire at their central warehouse, failure of utilities, or
a terrorist threat. The broker will help the client to put in place a plan to deal with such eventualities, so
that the business gets back up and running in the shortest possible time.

C3C Business interruption reviews


These reviews will examine a client’s business model, such as stock production, use of subcontractors
for manufacturing, and assess dependence on customers and suppliers. Taking account of business
continuity work or plans the client has in place, the aim is to assist in identifying risks to the business
and quantifying the correct sum insured.

C3D Health and safety in the workplace reviews


With the growth of health and safety legislation following the Health and Safety at Work etc. Act 1974,
some brokers extended their risk management offering to include workplace liability. However, the
exponential growth of health and safety legislation and regulation has made it difficult for a broking firm
to maintain the level of competency needed in all possible occupations. Where a broker does provide
workplace liability consultancy it is likely that having identified a particular issue, e.g. the need for noise
assessments, it will contract out to a specialist provider any further reviews and recommendations.

C3E Liability surveys


A similar situation applies with liability surveys. A broker may identify a particular product risk and may
subcontract further investigation to, say, an expert in food safety and product recall.
Chapter 6 Risk financing, retention and transfer 6/17

C3F Motor fleet risk management


Where a broker is involved in motor fleet risk management, it is likely that it will contract out most of the
following services:
• Review of driver handbooks and fleet risk management procedures.
• ‘Defensive driving’ training – advanced driving skills training for fleet drivers, focusing on how to avoid
accidents and safe driving.
• ‘At work’ assessments.
• The use of telemetrics to monitor and improve driving skills.

C3G Environmental risk surveys


The field of environmental risk surveys is highly specialised and involves assessing the environmental
impact of a client’s premises and occupation. This can include relevant current and historical exposures
and is particularly important and useful in the acquisition and disposal of premises.

C3H Post-loss control services


Some brokers go beyond ‘processing’ a client’s claim with insurers to providing active assistance in the
event of a loss. Examples of such assistance include quantifying and submitting a claim, providing
guidance to stop any further damage and undertaking detailed negotiations with loss adjusters and
insurers.
Claims services can extend to include administration and handling of all claims with certain classes of
insurance, e.g. employers’ liability or motor, especially if a significant proportion of any financial loss
associated with a claim within these accounts is retained by the organisation (client). Moreover, larger
brokers may meet regularly with claims and/or underwriting personnel of relevant insurers to:
• identify claim or loss trends;
• discuss renewal terms; and
• review the insurer’s performance against any service level agreements in place.

C3I Disaster recovery services


As an extension to post-loss control services, some brokers are involved in providing specific assistance
in the event of a major loss, e.g. a product recall incident or a major transportation accident. Services
range from access to specialist public relations support to a full crisis management capability.
In addition, some larger international and global brokers offer services around captive management and
self-insurance fund administration, concepts we will be discussing shortly. Such brokers may well have
resources to offer related services across the reinsurance market, or provide guidance and management
on a range of employee benefit provisions; for example pensions and absentee management.
A broker can only provide appropriate help, guidance and advice to match an organisation’s risk
management needs by acquainting themselves as far as possible with their client’s business. In this
context the broker would benefit from:
• knowledge of client’s plans, future projects and general philosophy regarding development of the
business, including possible mergers and takeovers;
• awareness of developments and issues in the client’s business sector;
• offering advice on solutions to present financial problem areas, including liaison with and
recommendations of other professionals;
• monitoring existing business through regular visits and discussions, both on site and with the client’s
management team; and
• discussions and feedback from both client’s employees and broker’s own staff, including
relationships developed at a junior level. These can frequently bring to light problem areas or
exposure to risk of which the management team had not been aware.
Invariably, close dialogue between a broker and their client’s financial team and senior management will
create awareness of risk on both sides and can lead to recommendation and acceptance of risk
management measures more readily. In addition, a broking team should make sure they remain aware of
trends in their client’s trade through reading appropriate journals or other press publications.

As in all risk expenditure, an organisation will compare the cost of insurance with perceived benefits.
The total cost will include both premiums to be paid and fees charged by a broker. Brokers used to be
remunerated by commission, but for large commercial insurances, organisations now look for insurers to
charge the ‘net’ cost to them. They then negotiate a broker fee that relates directly to services provided.
Questions for a broker to answer might include the following:
• What level of risk is to be retained?
• What level of retention will insurers impose?
• Can stability in pricing be achieved by a long-term agreement or through a multi-year programme?
• How can insurance cover be structured to achieve the limits required?
• Where is the optimum point for completing and starting a new excess layer?
• What is the best way to include special cover considerations, such as terrorism, environmental liability
or products financial loss?
• What markets are interested in writing the risk and how will they respond to the proposed structure?

C4 Organising an insurance programme


As we touched on at the beginning of the chapter, when putting together an insurance programme
(new or revised) the organisation (in tandem with its professional risk advisers) is likely to begin by
looking over its existing insurance arrangements and, in particular, focusing on its existing retained costs.
The objective is to confirm the:
• total value of losses already retained under existing policy excesses or deductibles;
• savings available in reduced premiums by assuming certain levels of risk; and
• nature of risks being retained.
Information will be needed from insurers on existing claims that are currently being handled. For
example, in relation to employers’ liability or material damage claims, what financial reserves are being
held against reported or outstanding claims?
Particular focus will be on any actual or pending personal injury litigation and any significant or likely
escalation of costs. Timing projections will also be required. Remember that property risks usually
involve immediate payment, while some liability claims may take many years to be paid.
The next step in organising an insurance programme is likely to be to try to determine the level of excess the
organisation is willing to accept. This will vary according to its size and its own attitude towards risk. It
may also be influenced by potential insurers’ assessments of the risks in question, as well as their
willingness to provide insurance cover on them.
It is important to distinguish between a retention level that encompasses ‘inevitable’ losses, that is
predictable losses with established levels and costs, and a higher level of retention that may be driven
by other factors.
A higher level of retention may be considered because an organisation wants to:
• control claims. Organisations may feel they are best placed to manage certain types of claim because,
for example, they have a business imperative to defend liability claims when the insurer may be more
willing to compromise, or because specialist knowledge is required and the organisation wants to
choose its own defence lawyers;
• increase control over insurance pricing, terms and conditions. Insurers will offer more flexible pricing
and conditions to those who demonstrate their commitment by retaining more risk;
• control risk improvement measures, because a higher retention means that insurers are more flexible
about risk improvement; and
• save money through premium reductions. Insurers grant reductions in premium for higher levels of
retention.

Further influences on level of retention could be the following:


• The organisation’s view on probability of loss is different from that of the insurance market. Although
various statistical techniques can be deployed to analyse and forecast losses, at higher levels of
retention there are few losses to analyse (experience shows that total loss events are rare), so error
margins in loss projections become greater.
• Risk appetite. This depends on the organisation and its executives and will be influenced by the risk
attitudes of key stakeholders, such as shareholders and creditors.
• Insurance market conditions. The amount of spare capacity in the insurance market influences quoted
premiums.
• If the organisation is a public company, what retention does it feel it can tolerate publicly, particularly
in terms of impact on its share price?
• Cash flow. Businesses in a strong cash position, for example a large profitable supermarket chain, are
in a better position to retain more risk than businesses that are capital intensive with a less regular
cash flow.
• Attitude and experience of the board. Executives with experience of large retentions tend to be more
pragmatic than those from smaller businesses.
• Senior management understanding and appreciation of the aims and objectives of a risk and
insurance programme.

C5 Deductible analysis
We have seen that some risk can be retained in return for a reduction in premium. This process can be
referred to as a deductible arrangement. Before any arrangements are made three questions need to be
answered:
• Is the premium discount reasonable?
• Can the organisation stand the extra loss?
• How good are the loss forecasts?
An organisation’s costs of assuming extra risk (losses, administration and net tax) start at a fixed
standing administration cost and increase as the level of deductible increases. The rate of increase is
greater at higher deductible levels as the organisation becomes less efficient the more it tries to act like
an insurer. Plotting the cost curve against savings in premium allows selection of the level that gives the
biggest difference between premium savings and loss retention costs, subject to financial capacity of
the organisation adjusted to take account of the degree of risk it is willing to take.
To estimate the cost of losses to plot this curve, the usual approach is to analyse past losses and claims
and use this data to predict future trends. A base year should be chosen and all values adjusted for
inflation before analysis. Remember that experience shows that claims costs tend to inflate at a faster
rate than general inflation and that rate of inflation depends on the class of risk, country, year etc. It is
common practice to inflate both paid and outstanding amounts. For longer time frames, discounted cash
flow analysis may be preferred, or a combination that takes both effects into account.

One aim of claims analysis is to identify trends within the data. Are claims getting worse or better? If I
eliminated this or that process or location, what difference would it make? Deductible analysis
illustrates how historic claims would be allocated between amounts retained by the organisation and
amounts transferred to insurers under various deductible scenarios.
The validity of data trends must be considered and base data adjusted for changes in operating
conditions or scale of operation. With suitable data divisions, claim numbers can be converted to
frequency per unit of exposure, for example square footage for a retailer, or passenger miles for a train
operator. In this way we can identify frequency trends independently of changes in the size of the
organisation, or adjust figures in line with future projections.
We are assuming here a fairly stable organisation with a historical collection of loss/claims data either
directly retained or available from an insurer. Note that we need all loss data, including ongoing claims
and losses that were not insured or fell within previous retention levels. It will be difficult to get this
information in larger organisations, particularly those with multiple operations or a history of significant
acquisitions and disposals. Experience and informed guesswork will be needed to fill in the gaps.
Once we have established values and frequencies of all expected losses we can, for a given level of
deductible, calculate the total cost of a proposed insurance arrangement. It is the sum of all losses
under the deductible level plus the insurance premium quoted. We can repeat this exercise for various
levels of deductible to see if the additional premiums quoted are worthwhile. For example, an insurer
might offer a premium saving of £110 for an additional £100 on the deductible level. If we assume the
insurer uses 30% of premium income for administration and profit, then the insurer is looking for £77 for
£100 of cover. This indicates that the insurer is expecting 77% of all losses to be less than £100. If an
organisation’s analysis shows expected claims in that band to be less than this, the additional premium is
not worth paying, as the organisation is being asked to pay more to cover the losses than they are
actually expected to cost.
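The deductible analysis just described, carried through on a constructed claims history as an added example (this is not code from the study text): claims are inflated to a base year, split between the amount retained below each candidate deductible and the amount transferred to insurers, the total cost (retained losses plus quoted premium) is compared across deductible levels, and the text’s £110/£100/30% marginal check is applied. All claim values, inflation rates and premium quotes are constructed.

```python
"""Deductible analysis over a constructed claims history (added example, not CII text).

Follows the steps the text describes: inflate historic claims to a base year, split each
claim between the amount retained below the deductible and the amount transferred to the
insurer, compare total cost across deductible levels, and apply the marginal premium check.
All claim values, inflation rates and premium quotes below are constructed for illustration.
"""

# Constructed claims history as (year, amount in £): attritional losses plus a few
# large ones, so that the deductible level actually matters.
CLAIMS = [
    (2015, 400), (2015, 1200), (2015, 9500),
    (2016, 350), (2016, 2500), (2016, 18000),
    (2017, 600), (2017, 800), (2017, 4200), (2017, 45000),
]
YEARS_OF_DATA = 3

# Constructed claims-inflation rates. Claims costs tend to inflate faster than general
# inflation; both paid and outstanding amounts are brought to BASE_YEAR values.
CLAIMS_INFLATION = {2015: 0.06, 2016: 0.05, 2017: 0.05}
BASE_YEAR = 2018

# Constructed annual premium quotes (£) for each candidate deductible level (£).
PREMIUM_QUOTES = {1000: 30000.0, 5000: 24000.0, 10000: 20500.0}


def inflate(amount, year):
    """Bring a claim from `year` to BASE_YEAR using year-by-year claims inflation."""
    value = float(amount)
    for y in range(year, BASE_YEAR):
        value *= 1.0 + CLAIMS_INFLATION[y]
    return value


def allocate(claims, deductible):
    """Split inflated claims into (retained, transferred) totals for one deductible.

    Each claim is retained up to the deductible; the remainder goes to the insurer.
    """
    retained = transferred = 0.0
    for year, amount in claims:
        value = inflate(amount, year)
        retained += min(value, deductible)
        transferred += max(value - deductible, 0.0)
    return retained, transferred


def total_annual_cost(claims, years, deductible, premium):
    """The text's definition: losses under the deductible (per year) plus the premium."""
    retained, _ = allocate(claims, deductible)
    return retained / years + premium


def compare_deductibles(claims, years, quotes):
    """Return {deductible: total annual cost} for every quoted deductible level."""
    return {d: total_annual_cost(claims, years, d, p) for d, p in quotes.items()}


def best_deductible(claims, years, quotes):
    """Deductible with the lowest total annual cost, i.e. the biggest gap between premium
    saving and retained-loss cost. Financial capacity must still be checked separately."""
    costs = compare_deductibles(claims, years, quotes)
    return min(costs, key=costs.get)


def expected_band_loss(claims, years, low, high):
    """Average annual loss falling in the band (low, high] of each claim, e.g. the extra
    £100 of deductible between two quotes."""
    total = 0.0
    for year, amount in claims:
        value = inflate(amount, year)
        total += min(max(value - low, 0.0), high - low)
    return total / years


def marginal_premium_check(premium_saving, expense_ratio, expected_extra_loss):
    """The text's check: an insurer keeping `expense_ratio` of premium for administration
    and profit implies it expects claims of premium_saving * (1 - expense_ratio) in the
    extra band. Returns (implied_claims_cost, keep_lower_deductible): the extra premium is
    worth paying only if the organisation expects more loss in the band than that."""
    implied = premium_saving * (1.0 - expense_ratio)
    return implied, expected_extra_loss > implied


if __name__ == "__main__":
    for d, cost in sorted(compare_deductibles(CLAIMS, YEARS_OF_DATA, PREMIUM_QUOTES).items()):
        print(f"deductible £{d:>6}: total annual cost £{cost:,.0f}")
    print("best deductible:", best_deductible(CLAIMS, YEARS_OF_DATA, PREMIUM_QUOTES))
    # The text's figures: £110 saving for £100 more deductible at a 30% expense ratio.
    print(marginal_premium_check(110.0, 0.30, expected_extra_loss=60.0))
```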
As well as calculating preferred deductible levels we also need to select the right limits of cover for the
various property and business interruption exposures. Some limits will be based upon fact. For example,
‘If I have a fire at factory X, what will be the maximum costs in terms of damage and business
interruption?’ Others will be subjective, for example, ‘I have bought a helicopter for business purposes,
what limit of indemnity for passenger liability should I buy?’ This process becomes more complex for
multiple location risks, particularly where the cost of catastrophe cover is a significant issue.
With limits and preferred levels of deductible established, insurers can be approached, either directly or
through brokers, to negotiate a combination or package of policies to suit an organisation’s unique
financial position and dovetail with its own risk management programme if appropriate. Negotiations
with insurers may include discussions about the duration of contracts over the medium or long-term
period rather than annually, savings in premium options and the involvement of other insurers in
carrying some liability if the levels required are substantial.

Question 6.3
The total cost of a proposed insurance arrangement is the sum of all losses under the deductible level plus the
insurance premium quoted. Why is it important to analyse different quotations for different levels of deductible?

C6 Limits and sums insured


The higher the policy limit or sum insured, the more likely it is that no one insurer will be able to provide
cover up to the limits that an organisation may need. Moreover, different market perceptions of
estimated maximum losses (EMLs) and so on will restrict the amount of cover a particular insurer can
provide. When a single insurer cannot offer to carry all the risk there are a number of alternative
solutions.

C6A Co-insurance
Co-insurance involves more than one insurer, who each take a share of the risk. If one competitive
insurer will insure all the risk, a single placement is most efficient, as involving more than one insurer
can increase transactional and negotiation costs.

Co-insurance, therefore, tends to be an appropriate option where:
• an organisation wants to spread risk capital among a number of insurers;
• the risk is high, complex or high value and no one insurer can provide all the cover required; or
• it is needed to gain spare capacity to allow for mid-term increases in the size of the risk.

C6B Excess layers


A straightforward way of achieving higher limits of indemnity on insurance policies is to arrange an
additional layer of cover. The additional layer is called an excess layer and is a method commonly used
for both employers’ liability and third party liability policies. Large property programmes also use excess
layers, if the sum insured or the loss limit are significant.

Example 6.1
An organisation may want insurance cover for £50m to protect it against any future liabilities arising in relation to the
number of warehouses it owns. It approaches the insurance market, probably with the help of its nominated
insurance broker and realises that a single insurer is not prepared to carry the entire £50m potential liability.
Therefore it seeks cover from a number of insurers in layers or steps as shown below. In the illustration below, A1
insurance agrees to accept £10m of cover and B2 a further £20m above A1’s limit, making a total sum of £30m.
The organisation then secures from C3 a further level or excess layer of £20m of cover above that secured with A1
and B2 previously. The insurers involved in relation to the ‘excess layers’, i.e. B2 and C3, will be looking to follow the
terms and conditions of the underlying (primary) policy arranged with A1 to ensure the same cover applies
throughout this entire arrangement.
£50m
£20m in excess of £30m with C3 Insurance
£30m
£20m in excess of £10m with B2 Insurance
£10m
A1 Insurance primary policy
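As an added example (not from the study text), the following Python helper allocates a single loss across the A1/B2/C3 tower of Example 6.1 and checks that each excess layer attaches exactly where the layer beneath exhausts. The insurer names and limits are those of the example; the function names and the loss amounts used are constructed.

```python
"""Allocating one loss across a layered programme (added example, not from the CII text).

Layers are (insurer, attachment point, limit) tuples following Example 6.1: A1 primary £10m,
B2 £20m in excess of £10m, C3 £20m in excess of £30m. Amounts are in £; the helper names
and loss amounts are constructed for illustration.
"""

M = 1_000_000

# The tower from Example 6.1. The attachment point is where a layer starts to pay;
# the limit is the most that layer pays for one loss.
TOWER = [
    ("A1 Insurance", 0 * M, 10 * M),
    ("B2 Insurance", 10 * M, 20 * M),
    ("C3 Insurance", 30 * M, 20 * M),
]


def check_tower(layers):
    """Return the programme's total limit, or raise ValueError if the layers leave a gap
    or overlap: each excess layer must attach where the layer beneath exhausts."""
    expected_attachment = 0
    for insurer, attachment, limit in layers:
        if attachment != expected_attachment:
            raise ValueError(
                f"{insurer} attaches at {attachment:,} but the layer below exhausts at "
                f"{expected_attachment:,}"
            )
        expected_attachment = attachment + limit
    return expected_attachment


def allocate_loss(loss, layers):
    """Return {insurer: amount paid} for one loss, plus any 'uninsured' amount above
    the top of the tower."""
    total_limit = check_tower(layers)
    paid = {}
    for insurer, attachment, limit in layers:
        # The portion of the loss that falls inside this layer's band, never negative.
        paid[insurer] = max(0, min(loss - attachment, limit))
    paid["uninsured"] = max(0, loss - total_limit)
    return paid


if __name__ == "__main__":
    for loss in (4 * M, 25 * M, 60 * M):
        print(f"loss £{loss:,}: {allocate_loss(loss, TOWER)}")
```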

C6C Umbrella policies


Another option is known as an umbrella policy. It sits over a policy or programme, but is independent of
the cover provided underneath. It will have its own terms and conditions and its own attachment point,
which may not necessarily be the total limit of indemnity provided by the primary and excess layers. An
umbrella policy is a way of providing additional limits or specialist cover, e.g. product recall at the
catastrophe end of an organisation’s exposures.

C6D Specialist covers


Sometimes additional policies are needed for specialist cover. Not all insurers can underwrite all lines of
cover and the ones that are good at some specialist lines, such as product recall, may not want to
underwrite, say, property. Clearly, an organisation’s specific needs will determine what multi-line
considerations are appropriate.


It is not necessarily beneficial to ‘force fit’ every risk into one insurance package or global programme.
Local market and scheme underwriters, who have a greater understanding of the risks involved, can
frequently offer more competitive terms. Examples of specialist risks include environmental liability,
product guarantee and recall and motor uninsured loss recoveries.

C7 Global or international insurance covers


The largest multinational companies may operate in as many as 120 countries and the major
international insurance brokers can claim operations in more than 80 countries. Most businesses with a
turnover in excess of £250m are likely to have operations in more than one country.

Organisations with international operations often look to simplify insurance arrangements with a global
policy, underwritten in the head office’s area of legal jurisdiction or in a tax haven. Often, such a policy
will have a difference in conditions (DIC) clause that picks up any local insurance requirements.
These policies are not straightforward. Some countries demand that any insurer is licensed, for example,
China demands that any insurer be licensed by the Chinese Insurance Regulatory Commission.
Conversely, some countries may not have insurers that meet an organisation’s quality and security
standards. Furthermore, there may be a requirement that some compulsory covers, such as employers’
liability and motor insurance, may only be provided by local insurers.
Tax implications also need to be considered. Some countries charge an insurance premium tax on
insurance arrangements and may consider a global policy to be tax evasion. Treatment of premiums may
differ in different countries as well as tax rates. Locally paid premiums are normally tax deductible. Also,
there may be tax problems to resolve when receiving and distributing claim payments to a parent
company based in a different jurisdiction from the damaged business unit.

Table 6.1: Advantages and disadvantages of a global insurance approach

Advantages:
• Consistency of cover.
• Central control of cover and cost.
• Savings through group buying.
• Simpler identification of losses worldwide. Global approach to risk management.
• Facilitates controlled participation in its own risk by the parent, for instance through a captive.
• Premium allocations can be adjusted for claims experience and used as a tool to encourage better risk
management.

Disadvantages:
• Parent company needs central control, which may conflict with established management style.
• Could upset local relationships.
• Can cause legislative problems.
• Reduces choice of insurers.
• Premiums allocated between subsidiaries may need to be paid locally.
• Subsidiaries may be forced to ‘buy’ cover that either does not apply or has limits that are considerably in
excess of their individual exposure.

Often the premium allocation process requires careful negotiation between different subsidiaries,
especially those who do not like impositions from head office or who feel their risk profile or experience
is better than others. However, while the programme will always have to be justified in cost terms, the
main driver tends to be the desire for effective corporate management and control across the
organisation.

C8 Insurance renewal
Once a suitable insurance programme has been established, an organisation should be able to review
and renew the policy on an annual basis, perhaps adjusting limits and excesses to reflect inflation,
operational changes or experience. They will not make a fresh approach to the insurance market each year
but, say, on a three- or five-year cycle. However, they may break this cycle if:
• there is a significant change in the insurance market;
• an insurer imposes excessive terms at a renewal; or
• there is a change in business activity.
Many deals enable the insurer to renegotiate if they lose reinsurance support or there is a market-wide
change in underwriting practice or there is a material change in the business. Most also contain a loss
sensitivity clause, which may be expressed in terms of one or more losses over a certain size.
Organisations that are willing to commit to a programme of risk improvement may find some insurers
that are attracted by this attitude to risk. The insurer may be willing to phase in increased retentions and
reduced premiums over a period, say across three years.

D Other risk financing options


D1 Risk retention
It is clear that it would be a waste of money to pay insurance or other risk management costs in trying to
anticipate a level of impact that an organisation would see as being commercially insignificant. If
exposures are calculated to be within that range, then an organisation can simply proceed as usual and
embrace costs as they occur. It may wish to budget for such losses, or an accumulation of such losses,
as part of its process of financial planning.
For some losses there may be no real options available to transfer financial exposure away from an
organisation, even though cumulative losses may be large. An example is ongoing losses through
shoplifting or ‘stock shrinkage’ that are part of everyday life for some types of organisation. There will be
many ways to reduce the risk of loss, but when loss does occur there are very few ways to fund that loss
other than by allowing for anticipated loss levels in the price of the product.
In large organisations losses could be absorbed at group level, or alternatively individual subsidiaries or
other units could take the losses into their local results. This is a matter for the internal culture of the
organisation. The decision as to whether local units must absorb losses themselves can encourage or
discourage ownership of risk amongst local managers.
Self-funding and risk retention can also be unplanned. Unplanned scenarios derive from ignorance or
from unidentified risks occurring.

Causes could include the following:
• potential risk not identified;
• not insured (forgot, underinsured, not insurable);
• risk transfer did not work (bad contract terms, breach of contract); and
• risk transferred but third party did not pay (went bankrupt).

To decide whether or not to retain risk, and how much risk to retain, advantages and disadvantages have
to be compared. Typical considerations are shown in table 6.2.

Table 6.2: Advantages and disadvantages of retaining risks

Advantages:
• Capital is retained within the organisation for use until needed.
• Reduces administration costs of settling smaller claims.
• Line managers encouraged to own and manage risk.

Disadvantages:
• Claims handling skills and resources may be needed, either sourced internally or subcontracted elsewhere
at cost.
• Miscalculation of maximum possible losses or of claims frequencies may lead to financial difficulties as
losses are retained in-house.
• Fluctuations in loss levels will upset forecasted financial results.

There will be an aggregate level of loss that an organisation can comfortably absorb, and in an ideal
world this should be reflected in its risk appetite policy.

D2 Self-insurance programmes
Insurance arrangements that cover only part of a risk are known as self-insurance programmes.
They come in a variety of forms and are influenced to some extent by tax treatment and local regulation.
However, they all share the same basic characteristics:
• The purchaser retains an amount of each loss: this retention will be considerably higher than a
standard deductible, say £50,000, £100,000 or £250,000 each loss, or even more for larger risks.
• The full policy limit operates in excess of the deductible or the deductible forms part of the limit.
• The sum of all retentions is limited to a predetermined amount or aggregate.
• Some insurers apply an adjustment factor to each loss settlement to cover the cost to them of
handling claims, while others include these costs in the premium for the cover in excess of the
retention and aggregate.
• Claims can be handled by the insurer, the insured or by a third party, such as a loss adjuster or legal
entity specialising in claims.
For liability self-insurance programmes, particularly those for compulsory covers such as employers’
liability and motor third party, the insurer will usually ask for security for the self-insured amounts. In
year one some insurers will ask for security for the value of the aggregate, whereas others will only look
for the value of expected losses. The security requirement will increase with successive periods of
self-insurance until it equates approximately to the sum of the aggregates less paid claims and adjusted
for trend of total losses in relation to the aggregate in each year.
Some advantages and disadvantages of self-insurance programmes compared to conventional
programmes are summarised in table 6.3. A conventional insurance programme in this context is one
that may carry a far lower deductible or excess than the examples listed above. Not surprisingly,
advantages and disadvantages outlined below are similar to those illustrated when we looked at the
advantages and disadvantages of organisations retaining risks.

Table 6.3: Advantages and disadvantages of self-insurance programmes

Advantages:
• Cash flow saving. The initial premium is likely to be far less than when compared to arrangements with
insurers whereby far lower sums are being retained by an organisation.
• Depending on the structure, certain tax payments may be much lower.
• Control of claims. Most insurers are unwilling to relinquish handling and management of claims,
particularly for liability covers. However, where a substantial part of the risk is borne by the insured, they
may allow other parties of the insured’s choosing to negotiate and settle claims.

Disadvantages:
• Uncertainty. The insured is exchanging the relatively known cost of an appropriate insurance contract for
the uncertainty of a self-insurance programme.
• Administration and commitment. Self-insurance programmes need in-house administration and they
require the finance function within the organisation to be aware of the need to reimburse claims years
into the future.
• The insured is assuming the liability for claims that could, and often do, take many years to resolve, e.g.
employers’ liability claims.
• Opportunity cost of tying up funds in the self-insurance programme.

It may benefit an organisation to arrange a funding mechanism ‘in house’. One option would be to
establish an internal fund for this purpose. Another would be a wholly owned insurance operation. Large
international organisations would establish a separate company for this purpose. Owned and controlled
by the parent organisation, this type of insurer is often called a captive insurer or captive.
We can look at these two options further. We will also briefly discuss reinsurance and its benefits. Like
any primary insurer, in certain circumstances a captive insurer may need to seek insurance for itself.

D2A Internal fund


In large organisations, directors may decide to establish a designated fund from which subsidiaries and
other units can claim to recover unexpected losses. This is known as an internal fund. The value of such
a fund is that the group is using its overall asset strength. The individual, smaller, units have their own
financial results smoothed, year by year. The fund may be organised to build up over a period of years so
that large, infrequent losses can be financed. During early years the emerging fund could be protected
by insurance. An internal insurance fund must have liquid assets, which are assets that can quickly be
turned into cash, so there is a cost associated with doing this as liquid funds attract lower returns.

Provided funds are sufficient to cover risks as they materialise, an organisation derives financial benefit
from retaining them itself. While the funds need to remain relatively liquid, they can still be used
meanwhile for certain operational purposes and for investment growth. Against this, any profit left in the
fund and carried forward at year end will normally attract tax, making it more difficult to build up
long-term reserves.
As with all insurance operations, clarity of terms and careful risk assessment are essential. A fund able
to cope with estimated maximum probable loss would not be able to cope with maximum possible
losses or any losses that were seriously underestimated.

Consider this…
To determine the size of its own internal fund to meet the costs of any contingency, is it enough for an organisation
to rely on past claims experience over a few years as recorded by an insurer?

D2B Captive insurer


A captive insurance company is one that an organisation has set up and owns. It can be regarded as a
formal way of managing an internal fund. The organisation may either manage the captive itself or
contract its management to a professional captive management company.
For the right kind of organisation there are advantages in creating a captive, including the ability to:
• act as a focus of risk management effort;
• deal with claims in a more efficient and timely manner;
• retain premium in-house thus retaining money otherwise going to an external insurer in the form of
profit, margin and overheads;
• provide cover for certain risks that the insurance market is unwilling to write or unwilling to write at an
acceptable premium; and
• access the possibly cheaper, more flexible reinsurance market.

A captive in the UK would be treated like any other insurance company and would have to meet the
requirements of insurance company legislation, particularly in relation to solvency requirements and the
conduct of business.
In the vast majority of circumstances, this would be a disproportionately onerous task. Most captives are
therefore incorporated offshore, in locations such as Bermuda, the Channel Islands, the Isle of Man,
Dublin, the Cayman Islands or Gibraltar. These domiciles offer both a relatively light regulatory regime
and lower rates of taxation. A risk professional is usually appointed to be chief executive, or a director,
of the captive, providing advice on the domicile, set-up, capitalisation and structure, managing the
day-to-day operations of the captive and acting as its underwriter.
Like any insurance company, the underwriting policy is the key to a captive’s success. Rates have to be
sufficiently high to recover all administrative and operating costs as well as cost of claims and a
contribution to profit. A suitable organisation is looking to build on the benefits of a reliable claims
history, operational stability and effective risk management.
In the insurance market, usually for any particular class of exposure, historical claims data is collected
for a large group of organisations operating in the same trade or industry. The data is divided by some
relevant factor to derive a class rate that can be applied to new business with a similar risk. For example,
for personal liability exposures in light engineering assembly industries the rate may be expressed in
terms of pounds sterling (£) per employee or £ per £ of payroll. For retail shop theft cover the rate could
be £ per sq ft selling space, varied according to the type of goods sold. An alternative to class rating is
experience rating. This is based on the claims or loss experience of the single organisation being insured
(say over the previous three or five years) and is only really suitable for high frequency low cost risk, for
example motor insurance.
If losses turn out to be less than average for the industry, captives using market rate underwriting
policies will expect to make a profit, which can be passed back to operating units by way of reduced
charges. This can then be used to accumulate reserve funds or invested.
Captives will provide for bad loss results by taking out reinsurance. A captive will be able to access the
reinsurance market directly for any layers of protection required, beyond those that can be retained
comfortably within the captive itself.

The net effect of a captive would be that funds could be available from three different sources to meet a
loss, depending on the scale of loss. Table 6.4 shows an example where three layers of loss have been
defined in monetary terms to correspond with the source of funds.
6/26 M67/P67/March 2018 Fundamentals of risk management

Table 6.4: Loss layers for captives

Loss layer   Example (£)                Source of reimbursement
Layer 1      Up to £100,000             The cash flow and asset sources of the organisation itself.
Layer 2      £100,000 to £1,000,000     Funds available from within the captive.
Layer 3      Over £1,000,000            The captive’s reinsurers.

Captives will need risk control expertise and resources to handle administration and claims. They could
hire their own staff or outsource some of the work.
They will need an investment strategy to ensure funds are available at the time losses are expected to be
payable.
Captives will normally seek advice from a specialist reinsurance broker on the correct type and level of
reinsurances needed.
It is not necessarily a requirement that a captive is wholly owned. Some organisations offer a
‘rent-a-captive’ service, which can help reduce costs compared to a wholly owned captive. These are of
particular use where an insurance programme is otherwise too small to justify a traditional captive.

Consider this…
If an organisation is considering establishing a captive it will look at tax regimes and regulations in various potential
domiciles. Which do you think will carry more weight in influencing location decisions?

D2C Reinsurance
Be aware
As you read risk management literature relating to reinsurance you are likely to see references to primary insurers.
These primary insurers, which include captive insurers, approach reinsurers for insurance cover in relation to many
different types of insurance. These primary insurers can also be referred to as conventional insurers or direct
insurers.

The reinsurance market is a wholesale insurance market only available to accredited insurers. It is a
highly sophisticated market demanding specialist market knowledge and technical expertise. As with
the insurer market it contains intermediaries known as reinsurance brokers.
A detailed discussion of how the reinsurance market operates and the various individual forms of
reinsurance contract that can exist between appropriate parties is beyond the scope of this study
text. However, in order to appreciate in particular why a captive would want to engage with a reinsurer,
it is worthwhile highlighting some of the main aspects of this market, especially in the context of
financing risk.
In simple terms reinsurance is insurance for insurance companies. This includes captive arrangements.
Reinsurance allows an insurance company to pass part of its liability to another insurer on a given
insurance it has accepted.
There are around 200 companies offering reinsurance across the world, although the greatest
concentration of expertise is in the USA, Germany and Switzerland. Lloyd’s of London also has a strong
reputation for reinsurance provision through certain syndicates.
Reinsurers have provided payments in relation to some of the most significant insured disasters in
modern times. Examples include Hurricane Andrew in 1992, Hurricane Katrina in 2005 and World Trade
Center terrorist attacks in New York in 2001 (commonly referred to as 9/11).
This specialist market provides coverage for all kinds of risk, from earthquake to motor, cargo and
shipping to aviation. Reinsurers also provide life insurance related products, such as mortality risks
associated with farmers in parts of Central America.
The reinsurance market is a key player in the education of organisations round the world on benefits of
risk management. Identifying and analysing risks is at the heart of their operations and the international
and global spread of risks they acquire lends itself to extensive modelling of risks, especially those
related to extreme weather events. Reinsurers invest large sums in risk related research. This research
not only focuses on how to better manage some of the existing risks faced by organisations and society
at large but also looks to anticipate new or emerging risks.

Reinsurance contracts come in different forms. They can cover entire portfolios of a certain class of
insurance or a single risk. Sometimes they relate to sharing losses or premiums, or maybe covering
losses above a given financial level.

There are two main forms of reinsurance: facultative reinsurance and obligatory reinsurance.

Facultative reinsurance gives the option (facility) to the reinsurer to accept or reject a risk offered to it by
an insurer. These reinsurance contracts tend to be formed where a specific item such as a large building
has the potential to be damaged by a number of different contingencies, for example fire or flood, and
the sums involved if these occurred are far too high for the (primary) insurer to feel comfortable to carry
on its own.
Obligatory reinsurance is where the insurers are ‘obliged’ to give away (or cede) and the reinsurer to
accept (or assume) a contractually agreed share of a portfolio of risks. A portfolio of risks in this context
tends to refer to insurers’ broad lines of business such as their motor insurance policies. As a result of
the main characteristics of these types of reinsurance contracts they are sometimes referred to as treaty
reinsurance.
Insurers (called primary insurers in this context) usually access reinsurers through reinsurance
intermediaries or brokers. Thus a captive insurer, which is effectively an insurer set up by a suitable
(usually sizeable) organisation, can access the range of financial products reinsurers can offer as well as
their supporting services. Smaller enterprises, who are not able to establish an insurer within their own
operations, or who do not consider it to be worthwhile, cannot access the reinsurance market. It is only
insurers, via reinsurance brokers, that deal with and establish contractual relationships with reinsurers.
Any organisation considering doing business with a reinsurer needs to ensure that the reinsurer(s) it
deals with has no solvency or security issues to contend with. Where possible, an insurer should
consider spreading risks across the reinsurance market to avoid dependency on one single reinsurer.
The solvency of a captive insurer, for example, can be reliant on the solvency of the reinsurer to which it
transfers risk.
It is essential that the right form of contract is put in place to cater for unusual risks. Also, the ‘primary’
insurer would be wise to ensure that appropriate limits and sums insured are kept under constant
review.
Reinsurers use experience-based pricing (premium) for those risks (like fire or motor) where there is
usually historical claims data available, i.e. the claims data represents experience the organisation has
had with that particular risk over a few years. For other risks where there is no such data to review, i.e.
those that tend to fall in the low frequency and high severity risk category (such as natural catastrophes),
the reinsurer will base price on a combination of its underwriters’ knowledge, relevant available
scientific information, and any modelling or scenario planning it can apply.



In the context of risk financing, the main benefits offered by reinsurance to an organisation that has
established its own insurer include:
• a facility that smooths volatility of the organisation’s earnings, which can be seen as an attractive benefit
by those with capital to invest in, or lend to, the organisation;
• protection of its balance sheet;
• a route to gain appropriate financial protection for large individual or unique risks (such as major
sporting events or construction projects);
• ability to transfer some of the risks it carries to another entity (reinsurer) so it can free up more capital;
• access to innovative and flexible risk solutions;
• obtaining affordable coverage; and
• a means of protecting an organisation’s assets against losses stemming from very large losses or the
accumulation of losses.
Any insurer dealing with a reinsurer will also be able to tap into the advice and expertise that the
reinsurer can provide especially around:
• assessing and underwriting risks;
• putting a ‘price’ on individual or a group of risks;
• designing contract wording;
• claims management and processing;
• relevant risk data from a wide range of sources;
• how to manage the risks associated with major projects; and
• the long-term and significant risks an organisation may be facing.

D3 Risk sharing
Some types of organisation share risks between them, with each paying a contribution into a common
fund from which losses are paid. The contribution is revised regularly to ensure that it is adequate to
cover expected costs of losses and administration. Again, the arrangement can be formalised as an
accredited insurance company which, because it has shared ownership, is known as a mutual insurer
rather than a captive.
Lawyers, accountants, shipping companies, airlines and the medical profession commonly use such
self-funding mechanisms to provide for professional indemnity claims. Again, reinsurance may be used
to cover unexpected and very large losses.

D4 Risk transfer by contract


We have already discussed the possibility of transferring risks to others through suitable contracts. If we
are clear what risks we are transferring, recognise legal constraints preventing transfer of certain types of
risk, and are careful with contract wording, then this is a legitimate method of risk financing.
There are several types of risk transfer contract. Common examples are shown in table 6.5.

Table 6.5: Types of risk transfer contracts

Leases: Commonly ask for the property or vehicle to be returned at the end of the lease period in good
condition (except for wear and tear).
Subcontracts: Activities and their associated risks are passed to the subcontractor. Note the
subcontractor’s expertise may make losses less likely.
Surety agreements: A contract between three parties where the surety takes the risk that the principal to a
contract does not perform or complete, but can claim back losses from the principal.
Guarantees: A contract between two parties where the guarantor takes the risk that the principal to a
contract does not perform or complete.
Waivers: Where a contracting party gives up, for a financial consideration, its right to sue in the event of
breach of contract or tort.

We can illustrate typical contract arrangements with a few examples:


• A lease for use of property can establish whether or not the tenant remains responsible for rent should
the property be rendered unusable either by fire or other external cause.
• Delays in delivery of goods can cause financial penalty clauses to be invoked.
• One party to a transaction can retain funds that are to be transferred only if certain defined aspects of
the contract evolve to their satisfaction.
• One party may create an individual legal entity for the purpose of the contract in an attempt to limit
liabilities and losses to that legal entity alone. Builders have done this, creating separate limited
liability companies for each housing estate constructed.
• A contract clause may define ownership of intellectual property. This is a very useful clarification when
a relationship is terminated.
• It may be demanded that payments are made within a defined period and that credit (and possibly
other) insurance is arranged by one of the parties. A mortgagee (the lender), for example, will demand not
only that a building which is security for a loan is insured but that the insurance is endorsed to recognise
its contractual interest.
For successful risk transfer you have to ensure that:

• contract terms are enforceable: they must be fair, clear and not violate public policy;
• contract terms are unambiguous;
• the party you have transferred to can manage the risk;
• the party you have transferred to can finance the risk; and
• the price paid for the risk transfer is reasonable. This is necessary both for legal enforcement and for good
management purposes. The price should be as good as or better than alternative risk financing options.

Risk and contract professionals should work together to ensure the most beneficial contract terms are
obtained. Where compromise is unavoidable they should at least ensure that their own organisation
understands clearly the risks associated with any particular contract.
Risk transfer to a counterparty is sometimes considered to be an inexpensive way to avoid risk. There
are, however, disadvantages:
• A counterparty may include the cost of a risk in the price. If that counterparty has a lower level of risk
tolerance than the organisation, then the organisation may be paying, indirectly, more than it would
need to do if it retained the risk itself.
• A counterparty may be unable to meet its contracted obligation. This could mean that the unprotected
loss falls back onto the (possibly less prepared) organisation itself.

E Alternative risk transfer


The terms ‘alternative risk transfer’ and ‘non-traditional risk transfer’ are used loosely to embrace a
range of instruments that enable an organisation to transfer financial risk to a professional risk carrier,
other than by way of an insurance contract. Professional risk carriers in this case are capital markets,
rather than insurance and reinsurance markets.
Financial risk transfer is about spreading financial risk across a large number of entities capable of
absorbing a substantial loss more easily than a single organisation. Insurance has been the traditional
way of doing this but there has been a movement into capital markets for transfers of very high value
catastrophe risks. This is because a string of very high catastrophe losses has exposed the inability of the
insurance industry to respond adequately. The spread and scale of capital markets means that
catastrophe exposures can be spread over a wider capital source, instead of solely within the insurance
and reinsurance markets.
Capital market risk products are still evolving and each has to be assessed on its individual merits. They
differ between countries because of different regulations and tax treatment. They are most commonly
used with large economic risks, rather than for those of individual companies. The financial market
failures of 2008 caused massive damage to the liquidity and asset strength of many of these markets,
and this is causing companies to take greater care in understanding the risks involved.
An example of alternative risk transfer would be that arranged by Swiss Re, which a few years ago
structured, placed and reinsured earthquake cover for FONDEN (the Mexican Government’s natural
catastrophe fund). If an earthquake exceeds certain thresholds (e.g. magnitude, depth and location) the
cover provides financing for disaster relief and post-disaster reconstruction. A sum of US$160m of cover
was placed in the capital markets through a catastrophe bond and the remainder was reinsured.
Remember that alongside the advantage of access to a wider range of funding products there are also
disadvantages:
• Payment is not necessarily linked to indemnity. The amount received, therefore, may be short or in
excess of the loss amount.

• Capital markets do not always bring the claims skills and resources that come with insurances. These
may need to be sourced internally or subcontracted, both at a cost.
• These instruments may not be treated sympathetically by regulators, taxation regimes or by
accounting standards.

E1 Insurance derivatives
You may be aware of financial derivatives, which are contracts enabling someone to buy or sell a
specified asset at a specified date in the future at a specified price. Organisations can use them to
protect against future movements in commodity prices, currency values or interest rates.
Insurance derivatives are a development of this concept. They are a contract to pay an agreed amount of
money once a certain level of loss incident is reached. Often that level of loss is not one just within the
organisation but a level dictated by an external agency.
For example, an earthquake of magnitude in excess of, say, 7.1 on the Richter scale occurring within a
defined latitude and longitude and within a defined period might trigger a predetermined payment on
this type of contract. There could be an inner geographical grid and an outer one, the trigger point
requiring a lower level of earthquake in the inner one than in the outer one. Occurrence of the defined
event causes funds to be released.
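As an added example, not code from the study text, the following Python models the inner and outer grid trigger just described and also shows the first disadvantage listed above for alternative risk transfer: the payment is fixed by the trigger, not by the indemnity, so it can fall short of or exceed the actual loss. The zone boundaries, magnitude thresholds, cover period, payout amount and sample events are all constructed for illustration.

```python
"""Parametric trigger with an inner and an outer geographical grid.

Added example; this is not code from the CII study text. The zone
boundaries, magnitude thresholds, cover period, payout amount and the
sample events are all constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    lat_min: float
    lat_max: float
    lon_min: float
    lon_max: float
    min_magnitude: float  # trigger threshold while the epicentre is in this zone

    def contains(self, lat: float, lon: float) -> bool:
        return self.lat_min <= lat <= self.lat_max and self.lon_min <= lon <= self.lon_max


@dataclass(frozen=True)
class Quake:
    lat: float
    lon: float
    magnitude: float
    day: int  # days since the start of the cover period


@dataclass(frozen=True)
class Contract:
    zones: tuple       # innermost first; the first zone containing the event decides
    period_days: int
    payout: float      # fixed sum released when the trigger is met


def triggered(q: Quake, c: Contract) -> bool:
    """True if the event falls inside the cover period and meets the threshold of
    the innermost zone containing its epicentre. An event outside every zone, or
    below the threshold of its zone, releases nothing."""
    if not 0 <= q.day < c.period_days:
        return False
    for zone in c.zones:
        if zone.contains(q.lat, q.lon):
            return q.magnitude >= zone.min_magnitude
    return False


def settle(q: Quake, c: Contract, actual_loss: float) -> dict:
    """Payout plus basis risk. A parametric payment is fixed by the trigger, not
    by the insured's loss, so paid minus actual_loss can be negative (shortfall)
    or positive (windfall)."""
    paid = c.payout if triggered(q, c) else 0.0
    return {"paid": paid, "basis_risk": paid - actual_loss}


# Constructed contract: lower threshold in the inner grid, higher in the outer one.
INNER = Zone("inner", 18.0, 20.0, -100.0, -98.0, min_magnitude=7.1)
OUTER = Zone("outer", 15.0, 23.0, -103.0, -95.0, min_magnitude=7.6)
CONTRACT = Contract(zones=(INNER, OUTER), period_days=3 * 365, payout=160_000_000.0)

# Constructed events (latitude, longitude, magnitude, day of the cover period).
IN_INNER_BIG = Quake(19.0, -99.0, 7.3, day=40)     # inner grid, above 7.1: pays
IN_OUTER_SAME = Quake(16.0, -101.0, 7.3, day=40)   # outer grid, below 7.6: no payment
IN_OUTER_BIG = Quake(16.0, -101.0, 7.8, day=40)    # outer grid, above 7.6: pays
LATE = Quake(19.0, -99.0, 7.3, day=3 * 365 + 1)    # after the period ends: no payment

if __name__ == "__main__":
    for q in (IN_INNER_BIG, IN_OUTER_SAME, IN_OUTER_BIG, LATE):
        print(q, settle(q, CONTRACT, actual_loss=120_000_000.0))
```

The same magnitude 7.3 event pays in the inner grid and not in the outer one, and an insured that suffered a £120m loss from a non-triggering event receives nothing, which is the basis risk a parametric structure carries in exchange for fast, dispute-free settlement.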

E2 Catastrophe bonds
Catastrophe (cat) bonds, in their simplest form, are investment bonds that provide a return to investors
based on insurance type events rather than financial market developments. One way in which they are
valuable to the large investor is that they can spread the risk of their portfolios beyond the capital
markets into an additional market of insurance events, mainly catastrophes. Periods are usually from
three to five years and they make payments on the occurrence of one event or two events happening
during that period.
A trigger mechanism will be determined for the cat bond. Larger cat bond losses are rarely indemnity
based because of the complexity in settling claims. Instead, payment is triggered when a defined event,
such as a windstorm or earthquake, reaches a specified measurement, and the amount paid is linked to
that measurement (e.g. US$3m for each increment in wind strength above the trigger).

While these products are designed for the insurance and reinsurance industries it is possible for large
organisations, through the use of these instruments, to transfer risk portfolios directly into the capital
markets. An actual example of a catastrophe bond was that providing cover for the UK’s Environment
Agency for US$150m in the event that four out of fifty reference locations in the UK were simultaneously
placed under a severe flood warning.
The mechanism of a cat bond is that the purchaser, that is an organisation’s insurer or reinsurer seeking
risk transfer, pays premiums to a special purpose reinsurance vehicle (SPRV), which is effectively a third
party reinsurer. The SPRV raises funds from investors, which it then deposits into a collateral account
which is invested in securities. The SPRV then uses these funds to meet any losses. The interest
payment that investors receive every quarter or year depends upon:
• the premium paid to the SPRV for risk transfer; and
• the investment income on deposits in the collateral account.
If the risk transferred does not arise, i.e. there is no loss by the end of the period of cover, investors
receive their principal out of the cat bond, plus an agreed rate of interest. If the risk arises, triggering a
payment, then redemption amounts are reduced, in keeping with a formula agreed when the
arrangement was first set up.
Brokers and investment banks try to use the greater capacity that capital markets provide to overcome
issues they face when insurers increase rates or reduce capacity for certain risks.
Capital market investors are also becoming interested in such deals, because they reduce the overall risk
of their portfolios through diversification: losses from cat bond events usually bear no relation to the
performance of standard investment products in the capital markets, many of which are linked to
economic factors such as currency or share prices.

E3 Loans

An organisation can, of course, arrange to borrow funds after a catastrophe has occurred, to help it meet
the extra costs that have emerged. This method is not usually satisfactory. The cost of new capital
borrowing, on top of the original loss, may weaken finances to such an extent that all lenders demand
higher interest rates and additional security against repayment default.
Furthermore, any loan is treated as a liability in an organisation’s accounts and thus does not really
strengthen the asset base of the company at all. At best, if a loan can be arranged at realistic terms, it
can spread the cost of loss, albeit at a higher long-term cost.

E4 ‘Put options’
Organisations can buy a ‘put option’ from a financial institution. The option, or a contracted right to act,
will become effective following certain specified events, such as a catastrophic loss. The damaged
organisation could then use the contracted right to sell a pre-agreed level and type of equity to the
financial institution that provided the option.


The equity to be sold could take the form of non-voting preference shares and thus not affect balance
sheet values.

E5 Combination of the above


It is unlikely that using only one method of risk funding will add best value over the entire range of risks
for which provision needs to be made. Organisations will select a combination of options that best suits
their needs.
The next section explores factors involved in making such a decision and how various mechanisms can
be combined to good effect.

F Risk financing plan


We have seen that the risk professional of a large organisation has a wide range of options available to
finance risks their organisation is facing. Making the right choice is a case of matching precise needs
with available options.

Risk financing plans will have board approval and will be constructed to:
• ensure that strengths of an organisation are fully used for the benefit of shareholders and other
stakeholders;
• provide for single risks that can destroy the organisation;
• cope with insurable risks, as it is difficult to deal with insurable risks and uninsurable risks as one
broad management task;
• reflect the reality that risk is a multi-year, multi-function and multi-exposure phenomenon; and
• make the best use of all risk financing opportunities available.
An outline risk financing or risk investment plan is shown in table 6.6. The amounts used are examples
only and are maximum possible loss, as calculated by the process of risk assessment. The example
embraces losses that are possible within one period of financial accounting. Remember we cannot
always measure loss in purely financial terms.
It is crucial that any risk financing plan is an integral part of risk management planning.
The steps taken in risk management will assist in understanding what the exposures are and what
potential losses could be incurred.

Table 6.6: Outline of a risk financing plan

Category 1: Brand value; customer confidence
  Risks: destruction
  Funding: investment in impact reduction and in business continuity planning

Category 2: Liabilities (public, product, professional, directors and officers)
  Max. possible loss: < £50m
  Funding: retained < £1m; captive £1m–£5m; insurance of captive £5m–£50m; claims handling outsourced

Category 3: Assets (any one risk)
  Max. possible loss: £100m
  Funding: retained £1m; captive £1m–£5m; insurance of captive £5m–£50m; capital markets £50m–£100m;
  claims handling outsourced

This plan suggests that an organisation should approach financing its liability risks by dealing with
losses arising in this category up to £1m itself, i.e. internally in the form of a retention arrangement, then
allowing its own insurance operation, the captive, to pick up the next tranche of financial responsibility,
above £1m and up to £5m. Anything above £5m, up to £50m, would be transferred on to a reinsurer by
the captive.
As we discussed at the beginning of this chapter, those risks in category 1 that have potential to destroy
the organisation have been earmarked for investment funding. This is to provide resources to support
measures that the organisation may need to take to reduce their impact or to continue operations if such
catastrophic risks materialise. This plan also indicates that claims handling should be outsourced,
suggesting the organisation considers it has not the capability, or maybe the inclination, to undertake
this work.
There could also be details included within that plan to meet a range of individual needs. An
organisation with US or Canadian liability risks, for example, may choose to take those risks out of the
overall funding plan and place them with a specialist US liability insurer. In addition, government
statutes may demand that certain liabilities are insured and not self-funded. Similarly, some countries
where an organisation operates may demand that any insurance be placed into the local insurance
market. These types of consideration need to be noted as appropriate and incorporated in plans.
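As an added example that is not part of the study text, the following Python allocates a single loss across the layers in Table 6.4 and in category 3 of Table 6.6, and sums a year’s losses by source so the retained total can be compared with the aggregate the organisation can afford to retain (see the Key points). Layer boundaries are the tables’ own illustrative figures, with Layer 1 of Table 6.4 read as ‘up to £100,000’; the loss amounts fed in are constructed.

```python
"""Allocate losses across the funding layers of a risk financing plan.

Added example; not code from the CII study text. The layer boundaries are
the illustrative figures in Tables 6.4 and 6.6 (Layer 1 of Table 6.4 read
as 'up to £100,000'); the loss amounts fed in are constructed.
"""
from dataclasses import dataclass
from math import inf


@dataclass(frozen=True)
class Layer:
    source: str    # who reimburses: retention, captive, reinsurer, capital markets
    attach: float  # loss size at which this layer starts to pay
    top: float     # loss size at which this layer is exhausted (inf = no top)


def build_programme(boundaries):
    """boundaries: [(source, upper_bound), ...] in ascending order; each layer
    attaches where the previous one is exhausted, starting from zero."""
    layers, lower = [], 0.0
    for source, upper in boundaries:
        if upper <= lower:
            raise ValueError(f"layer {source!r} must sit above {lower}")
        layers.append(Layer(source, lower, upper))
        lower = upper
    return layers


def allocate(loss, layers):
    """Split one loss between the layers it reaches into. Anything above the
    top of the programme is reported as 'uncovered' rather than silently
    falling back on the organisation."""
    shares = {}
    for layer in layers:
        share = min(max(loss - layer.attach, 0.0), layer.top - layer.attach)
        if share > 0:
            shares[layer.source] = shares.get(layer.source, 0.0) + share
    top = layers[-1].top
    if loss > top:
        shares["uncovered"] = loss - top
    return shares


def year_totals(losses, layers):
    """Aggregate each source's share over a year's losses: the retained figure is
    what the risk professional compares with the aggregate retention limit."""
    totals = {}
    for loss in losses:
        for source, amount in allocate(loss, layers).items():
            totals[source] = totals.get(source, 0.0) + amount
    return totals


# Table 6.4: organisation up to £100k, captive £100k to £1m, reinsurers above £1m.
TABLE_6_4 = build_programme([("organisation", 100_000),
                             ("captive", 1_000_000),
                             ("reinsurer", inf)])

# Table 6.6, category 3: assets, any one risk, maximum possible loss £100m.
ASSETS_6_6 = build_programme([("retained", 1_000_000),
                              ("captive", 5_000_000),
                              ("insurance of captive", 50_000_000),
                              ("capital markets", 100_000_000)])

if __name__ == "__main__":
    print(allocate(2_500_000, TABLE_6_4))
    print(allocate(120_000_000, ASSETS_6_6))       # £20m above the plan: 'uncovered'
    print(year_totals([50_000, 250_000, 2_500_000], TABLE_6_4))
```

A loss that exceeds the top of the programme is the maximum possible loss being underestimated, the failure mode D2A warns about; reporting it as ‘uncovered’ makes that gap visible when the plan is reviewed.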

Key points
The main ideas covered by this chapter can be summarised as follows:
Cost of risk incidents
• To estimate total potential cost of risk we must consider timing, administration and opportunity costs as well as
monetary issues.
• Monetary issues include replacing any assets that have been lost, litigation costs and any regulatory fines.
• Large, unexpected outgoings can damage cash flows that are needed to keep an organisation functioning.
• Delays in completing rebuilding work or replacing assets are an important factor in the total cost of damage. The
longer it takes to re-establish normal working, the longer receipts will be delayed, with consequent increases in
borrowings and interest payments.
• Administration diverts management time away from ongoing needs of the business and generates additional work.
• An organisation choosing to retain risks internally may need to create an infrastructure that can handle what may be
a large number of individual incidents and their aftermath.
• Loss events may detract from an organisation’s ability to achieve its business and financial plans. This is known as
an opportunity cost as the organisation is unable to pursue opportunities which would have generated profits.
• There is a range of statutory agencies that have the power to impose an investigation on an organisation. In the UK
these include the Environment Agency, Health and Safety Commission and HMRC.
• Individual loss assessment is not sufficient. Aggregate losses must also be considered.
• Organisations have to recognise that some events cannot be either totally avoided or insured, so they need to plan
what they are going to do if a major incident occurs. This process is known as business continuity management.
• The aim of BCM is to keep a system operational despite losses occurring and to restore it as quickly as possible to
its original state. Plans and procedures are put in place to limit the extent of damage, financial or otherwise, a
significant event may cause.
Risk financing options

• It is important that an organisation recognises all sources of indirect costs and understands clearly the full extent of
losses that may be faced.
• In order to decide how important individual losses are we need to know how much loss an organisation can afford
to absorb without significant impact on its own operations.
• Risk impact limits will involve calculating:
– the single largest amount the organisation can afford to retain; and
– the aggregate of losses the organisation can afford to retain over a given time, ignoring low level, common,
frequent losses.

Insurance as a risk transfer mechanism


• Insurance enables an organisation to transfer the cost of specified risks to an insurer in return for a pre-agreed
reasonably fixed and manageable premium.
• A modern organisation, however large and strong, still needs to protect large amounts of assets from simultaneous,
sudden loss, and also to stabilise its revenues and profits over time.
• Insurers exist in a variety of different sizes and capabilities.
• Insurances offered to organisations can be packaged in a variety of ways.
• Cost-effective insurance is not always readily obtainable. Many insurers like to sell standard insurance packages
with covers and premiums they feel able to profit from.
• There are both advantages and disadvantages of transferring risks into the insurance market. However, sometimes
organisations have no choice.
• CIDRA covers insurance contracts with individual consumers, while the Insurance Act 2015 deals with commercial
contracts for businesses. They clarify the rights and obligations of both insurer and insured, spelling out disclosure
obligations and what happens if the information is wrong or relevant circumstances change.
• Insurance companies and intermediaries in the UK are regulated by Government, both to ensure sound operation of
the financial system as a whole and also to protect individual policyholders.
• The three regulatory bodies in the UK are the Financial Policy Committee (FPC), the Prudential Regulation Authority
(PRA) and the Financial Conduct Authority (FCA).
• The PRA has implemented mandatory standard risk reporting in line with Solvency II, an EU Directive covering
capital requirements and related supervision for insurers. A firm must hold eligible own funds covering its SCR, an
amount calculated from an approved risk analysis model of the business that represents cash at risk over a
one-year period.
• Commercial insurances are often placed into the marketplace through an intermediary known as a broker. The role
of the broker is to assist an organisation in achieving its risk management objectives.
• Some risks can be retained in return for a reduction in premium. This process can be referred to as a deductible
arrangement.
• Co-insurance involves more than one insurer, who each takes a share of the risk.

Other risk financing options


• Organisations need to decide whether or not to retain risks and how much risk to retain. Advantages and
disadvantages have to be compared.
• Insurance arrangements that cover only part of a risk are known as self-insurance programmes.
• Self-insurance programmes come in a variety of forms and are influenced to some extent by tax treatment and local
regulation.
• In large organisations, directors may decide to establish a designated fund from which subsidiaries and other units
can claim to recover unexpected losses. This is known as an internal fund.
• A captive insurance company is one that an organisation has set up and owns. It can be regarded as a formal way
of managing an internal fund.
• Reinsurance is insurance for insurance companies. It allows an insurance company to pass part of its liability to
another insurer on a given insurance it has accepted.
• Some types of organisation share risks between them, with each paying a contribution into a common fund from
which losses are paid. The contribution is revised regularly to ensure that it is adequate to cover expected costs of
losses and administration.
• Risk transfer can also occur by contracts. There are several types of risk transfer contracts, including leases,
subcontracts, surety agreements, guarantees and waivers.
Alternative risk transfer
• Alternative risk transfer is an instrument that enables an organisation to transfer financial risk to a professional risk
carrier, other than by way of an insurance contract.
• Insurance derivatives are a contract to pay an agreed amount of money once a certain level of loss incident is
reached.
• Catastrophe bonds are investment bonds that provide a return to investors based on insurance type events rather
than financial market developments.
Risk financing plan
• Organisations should prepare an overall risk financing plan for board approval that matches the organisation’s
resources and makes best use of all risk financing opportunities available.

Question answers
6.1. Initial steps are:
• quantify the level of all costs that can be absorbed without a significant impact on the organisation itself;
• identify potential sources of funding to meet larger losses; and
• consider how such funds can be available at the time they are needed.
6.2. The Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA).
6.3. As the additional premium may not be worth paying if the organisation is being asked more to cover the
losses than they are actually expected to cost.


Self-test questions
1. Can we add up individual loss estimates to estimate total potential losses?
2. Before deciding how to finance risk we need to know how much loss an organisation can afford to absorb
without significant impact on its own operations. What two calculations should we make?
3. Why is regulation of the insurance market important for organisations?
4. List five additional services brokers can offer in supporting risk management.
5. What options are available if one insurer cannot provide cover up to the limits an organisation may need?
6. What is the usual main reason for large international organisations to consider global insurance
arrangements?
7. A captive insurer allows losses to be funded from three different sources according to level of loss. What are
the three sources?
8. State the five conditions for successful risk transfer contracts.

You will find the answers at the back of the book


Chapter 7 Risk management lessons
Contents (syllabus learning outcomes shown in brackets)
Learning objectives
Introduction
Key terms
A Risk management standards (3.3)
B Example studies of major losses (7.1, 7.2, 7.3)
C Embedding risk management (3.4)
D Benchmarking (3.1)
E Conclusion (2.2)
Key points
Question answers
Self-test questions

Learning objectives
After studying this chapter, you should be able to:
• explain the various risk management standards;
• explain the consequences of the failure of risk management systems;
• explain why risk management systems can fail; and
• describe the monitor and review part of the risk management process.

Introduction
In the previous chapters we have looked at ways in which an organisation can identify, assess, retain
and transfer risks.
Looking back at the risk management process we described in chapter 2, section D, we have now come to
the stage where we need to think about the importance of monitoring and reviewing our risk
management activities.
To refine and enhance their risk management activities, organisations must learn relevant risk
management lessons from past events. They need to critically evaluate such events and determine their
cause(s) and effects. They need to examine the outcome of any investigations that may have been made
and use these to improve their understanding of the most appropriate ways to manage a given range of
risks. The objective is to ensure, as far as is reasonably practical and financially feasible for an
organisation, that the same or similar events are not experienced again.
We start this final part of our studies with a look at important risk management standards that have
been published. This establishes a benchmark of best practice in the main areas of enterprise risk
management that we can bear in mind when we look at a selection of recent major loss events. We have
selected three loss events that vividly illustrate the consequences of risk management systems failure
and how such systems can fail.
First we will look at risk management failings around the collapse of the insurer Equitable Life. Next we
reflect on the causes and aftermath of one of the biggest environmental disasters the world has ever
experienced. BP failed to manage risks associated with deep sea drilling for oil in the Gulf of Mexico.
Last, but not least, we investigate some of the underlying causes of the global financial crisis of 2008.
We can compare lessons learned from these in-depth reviews with lessons learned from a selection of
other disasters. No matter how long ago an incident occurred, ongoing precautions are still necessary if
similar disasters are to be avoided.
Recommendations from disaster enquiries are often incorporated into standards and best practice
guides. Risk professionals need to monitor their own risk management systems to make sure intended
practices are being observed. They also need to compare these practices against alternatives, using a
benchmark from published standards and guides.

Key terms
This chapter features explanations of the following terms and concepts:
AIRMIC, Alarm, IRM: 2010; Benchmarking; COSO; FERMA; ISO 31000

A Risk management standards


Investigations and official enquiries into major company failures and more recent banking disasters
have raised the profile of risk management considerably. For example, current rules for UK Stock
Exchange listed companies require them to document risk management arrangements as supporting
evidence of good corporate governance.
Professional organisations concerned with risk management have therefore attempted to set out the
best way of carrying out the risk management function in an organisation, publishing recommendations
as best practice guides and standards. British, European and international organisations each have their
own scope and viewpoint although the main principles and objectives are similar.
All enterprise risk management systems are designed to improve understanding and attention to risk
throughout an organisation. With more informed risk taking and decision making there is greater
likelihood that enterprise objectives will be met. Reporting requirements ensure management have
better control and can focus on important risks. However, practical implementation is not easy and
requires continual attention to make sure the system operates effectively and responds rapidly to
changes in objectives, operations or environment. In addition, the operation of the system depends on
people, which brings with it a risk of unreliability.

In this section we will concentrate on the four most popular standards:


• ISO 31000;
• FERMA (Federation of European Risk Management Associations);
• AIRMIC, Alarm, IRM: 2010; and
• COSO (Committee of Sponsoring Organizations of the Treadway Commission).
Other guides and standards are available. For example, Australia/New Zealand Standard AS/NZS 4360
was published in 2004 after a long-term evolution process starting in 1995 and was widely used before
publication of the international standard ISO 31000 in 2009. There are also regulatory standards for
particular industry sectors, such as Basel II for banks (which is currently under review for Basel III) and
Solvency II for insurers.
Whatever enterprise risk management (ERM) framework is adopted, the challenge is to establish and
sustain a corporate culture where risk is continuously identified and assessed against clear guidelines
set by the board. Reliable information has to be gathered across widely dispersed and often differently
structured sites in such a way that it can be readily collated into useful information for various
stakeholders – particularly for management risk mitigation and control. Regular audits of the system will
be necessary in order to maintain credibility and confidence.

Be aware
You should also be aware of publications covering individual parts of risk management activity. For example, ISO
Guide 73:2009, Risk management – Vocabulary, complements ISO 31000 by providing a collection of terms and
definitions relating to the management of risk. And, ISO/IEC 31010:2009, Risk management – Risk assessment
techniques, focuses on risk assessment concepts, processes and the selection of risk assessment techniques.

A1 ISO 31000
The International Organization for Standardization (ISO) has attempted to gather together the best of
national standard publications and in 2009 produced ISO 31000 Risk Management – Principles and
guidelines. This is specifically intended as a generic guideline document rather than a certifiable
standard, but will inevitably be used as a common reference for those interested in risk management.
Organisations will use it as a benchmark to compare with their current performance. It has been adopted
as the current British standard.

ISO 31000 is separated into three risk management areas: principles, framework and process.

The principles emphasise that risk management is an integral part of organisational processes and
decision making. It adds value to an organisation by addressing uncertainties in a systematic, structured
and timely manner. The framework is intended to help organisations to integrate risk management into
their overall management framework. It stresses the need for top level mandate and commitment and a
system for continual review and improvement. The process section covers risk identification,
assessment and management, with the associated disciplines of review, benchmarking and
communication.
ISO 31000 provides generic guidelines, but it is not intended to promote uniformity of risk management
across organisations. Design and implementation of risk management plans and frameworks will need
to take into account the varying needs of specific organisations, their particular objectives, context,
structure, operations, processes, functions, projects, products, services or assets and specific practices
employed.

A2 FERMA
The Federation of European Risk Management Associations (FERMA) published a European standard in
2003 that was based on the UK standard at that time, known as AIRMIC, Alarm, IRM: 2002. AIRMIC
(Association of Insurance and Risk Managers), Alarm (the National Forum for Risk Management in the
Public Sector) and the IRM (Institute of Risk Management) are the three main professional risk
management organisations in the UK.
The IRM retains its support for this risk management standard because it outlines a practical and
systematic approach to risk management for business managers as well as risk professionals. Risk
management is viewed as a central part of any organisation’s strategic management approach and
should be embedded into the culture of the organisation. The importance of the board in terms of the
management of risk in an organisation is emphasised throughout, as is the need to understand
significant risks faced.
The FERMA standard uses ISO terminology and sets out the process by which risk management can be
carried out. It also outlines an organisation structure for risk management and includes a list of benefits
to be expected. There are sections on risk reporting and communication and on monitoring and review of
the risk management process.
The key stages of the risk management process are seen as identification, assessment and treatment,
with the identification phase adopting consistent and coordinated processes and tools. The standard
recognises that estimated levels of risk can be stated in quantitative, semi-quantitative or qualitative
terms of probability of occurrence and possible consequence. The importance of ranking risks alongside
one another is underlined and there is commentary on risk evaluation and risk acceptance or treatment.
The various options in relation to risk treatment are described with risk control highlighted. We are
reminded that certain risks (e.g. reputation) are uninsurable.
Risk management structures will depend on an organisation’s size, risk appetite and business
objectives. The standard sets out generic roles for the board, business units, risk management and
internal audit. No risk management process will be effective without full commitment from the chief
executive officer and executive management, and resources must be made available for training and for
development of enhanced risk awareness by all stakeholders.
Risk reporting and communication is a vital element in controlling risk. Different levels within an
organisation need different information from the risk management process. As well as internal
communication, reports to external stakeholders should be made on a regular basis, setting out risk
management policies and their effectiveness in helping achieve objectives. Organisations need to avoid
or reduce risk wherever possible, but be prepared to deal with a crisis situation if it arises.
Monitoring and review activities need to be emphasised. These should aim to:
• identify opportunities for improvement;
• ensure changes in the organisation and its environment are identified and appropriate modifications
implemented;
• provide assurance that appropriate controls are operative;
• show that procedures are understood and followed; and
• consider whether lessons could be learned for future management of risks.

Question 7.1
State the three areas of risk management that ISO 31000 addresses.

A3 AIRMIC, Alarm, IRM: 2010


Following the publication of ISO 31000, a new document, A Structured Approach to Enterprise Risk
Management (ERM) and the Requirements of ISO 31000, was produced to provide a practical guide for
organisations wanting to implement comprehensive risk management systems to the latest best practice
recommendations and standards. This guide was first published in 2010 and provides a structured
approach to implementing risk management in the context of the new ISO standard.
The guide is compatible with both COSO ERM (see section A4) and the international standard ISO 31000,
although the emphasis is on ISO 31000 and ISO recommended terminology is used. The guide reviews
the principles and processes of risk management and provides an overview of the requirements of ISO
31000. It also gives practical guidance on how to design an enterprise-wide risk management framework
and implement an ERM system.
The guide uses the ISO definition of risk, which states ‘risk is the effect of uncertainty on objectives’.
This allows for positive as well as negative consequences and clearly links risks to objectives.
Organisations must set out their objectives before they can identify risks that might prevent those
objectives being met. Overall objectives can only be set at the highest level in an organisation and need
to be realistically achievable.

Reinforce
Refer back to chapter 2, section D to remind yourself of the risk management process we discussed earlier. Figure
2.2 is based on the illustration from Part 1 of the AIRMIC, Alarm, IRM: 2010 guide.

Risks need to be identified, described, assessed, classified, compared and recorded. The most
significant risks can then be addressed. Are they to be tolerated, controlled, transferred or avoided?
The risk management process is supported by key documents which are issued with approval of the
board. Risk management architecture specifies individual roles and responsibilities, communication
requirements and risk reporting structure. Risk management strategy defines risk appetite, attitudes and
philosophy. It sets out rules and procedures to be followed and methods, tools and techniques that
should be used.
Risk management must be integrated into the culture of an organisation, with leadership from the board
and a structured management framework to ensure appropriate procedures and practices are followed at
all levels and in all operating units. The framework must embrace communication and reporting and
allow for rapid response to change. The system itself must be subject to review both with regard to
operation and results. The guide extends the simple framework principles of ISO 31000 to address
practical issues involved in designing and maintaining a framework to support an effective risk
management process throughout an enterprise.
Part II of the guide suggests key risk management documents are combined in a single risk policy
document to be signed, reviewed and updated by the board every year. The policy will set out internal
control objectives (governance), risk attitudes (strategy), culture and risk appetite. It will detail risk
management organisation, including roles and responsibilities of key people, risk activities and
priorities for the year and any other resources to be allocated. It may also address details of procedures
for risk identification and assessment and guidance for choosing risk control measures. Required
documentation will be specified along with criteria for monitoring, benchmarking and review.
The guide summarises risk identification and assessment methods and explains risk appetite and
tolerance in practical terms. It stresses the importance of measuring and recording both risk information
gathered and control decisions made. The latter should be subject to monitoring or audit to make sure
they are completed in a given time. Existing controls should also be reviewed, with formal action plans
to implement recommended changes. Are controls in line with change? Are continuity or disaster
recovery plans up to date?
The guide also suggests ways performance of the system might be gauged. Is it achieving results
expected by the board? Are risks materialising less frequently, or with smaller consequences than
before? Are stakeholders more confident that risks are under control?
Appendices to the guide are a risk management checklist and an ERM implementation summary. The
checklist is a reminder of all arrangements that have to be in place in a practical risk management
system. The implementation summary is an overview of steps involved in implementation of ERM. As the
process is ongoing, subject to change, the implementation cycle should be continuously repeated.

A4 COSO
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of
five private sector audit and accounting organisations in the USA. It provides thought leadership through
the development of frameworks and guidance on ERM, internal control and fraud deterrence.
COSO sets out to recommend a framework and guidelines for a risk management system that
organisations could implement throughout their businesses. Organisations applying COSO’s
recommendations would be recognised as following best practice in risk control and would eliminate
accounting irregularities.
From the outset COSO worked to create a risk management system that permeated the whole enterprise,
affecting every level, unit, operation and location. Starting with strategic decisions by the board of
directors it would be directed to identify and manage risks that could potentially affect operation of the
enterprise or achievement of its objectives. It would be designed to produce sufficient quality and depth
of information for directors to give assurance that significant risks were under control.
COSO first published an internal control framework with five control components: control environment,
risk assessment, control activities, information and communication and monitoring. This became a
commonly accepted standard for financial reporting and was updated in 2013.
In 2004, COSO produced an ERM framework, Enterprise Risk Management – Integrated Framework,
based on four corporate objectives: strategic, operations, reporting and compliance. This addressed
wider concern for stronger risk management and corporate governance, particularly in public companies
and government institutions.

Reinforce
Refer back to chapter 3, section A4, where we discuss COSO’s relationship with the concept of internal control.
COSO’s ERM publications overlap with, but do not replace, its Internal Control – Integrated Framework, which
remains suitable for internal control and reporting.

COSO’s 2004 ERM framework allowed risks to fall into more than one of the four categories, allowing
them to be assessed from different perspectives. The framework required organisations to consider risk
appetite when setting strategic and other objectives, to develop robust risk identification, evaluation
and control procedures, and to undertake effective risk recording and reporting. In-built procedures
monitored the success of the ERM system in identifying and controlling significant risk, and in reacting
appropriately to both internal and external change. The 2004 framework was based on a
three-dimensional enterprise model commonly known as the COSO cube. In one dimension there are the
four corporate objectives. The second dimension lists eight risk management activities (e.g.
identification, assessment, response etc.). The third dimension lists operating units of the enterprise.
The cube represents a holistic ERM system in that it encourages risks to be viewed from any of its three
perspectives.
Responding to changes in the business environment and recognising the importance of considering risk
in both the strategy-setting process and in driving performance, a major update to the COSO ERM
framework was published in June 2017. The document is now called Enterprise Risk Management –
Integrating with Strategy and Performance. It emphasises the link between performance and ERM and
accommodates increased expectations for governance and oversight. It addresses globalisation of
markets, complex business models, evolving technologies and the need for greater stakeholder
transparency. The COSO cube is replaced with a new graphic representation.
The document introduces a set of 20 principles organised into five interrelated components:
• governance and culture;
• strategy and objective-setting;
• performance;
• review and revision; and
• information, communication and reporting.
The first five principles emphasise board responsibility for defining culture, and for setting up and
maintaining structures for risk oversight. Four principles govern strategic risk analysis, defining risk
appetite and setting objectives. Five principles cover operations performance, identifying, quantifying,
prioritising risk and developing appropriate responses. Three principles are concerned with reviewing
ERM performance and responding to change. The final three principles are about use of risk information,
communication and reports.

The new COSO ERM framework is expected to satisfy future laws, regulations and standards for US stock
exchange listed companies. By following its principles, an organisation can reasonably expect to be able
to manage risks associated with the strategy and business objectives to an acceptable level.
COSO advises that adoption of the updated framework is not mandatory and management may continue
to use the 2004 framework if it wishes.
The following table summarises some of the key content of each of the above standards for comparison
purposes.

Table 7.1: Risk management standards – comparison table

                                                   ISO 31000   FERMA                      AIRMIC, Alarm, IRM: 2010   COSO
Date published                                     2009        2003                       2010                       2004/2017
Compatible with                                    COSO        AIRMIC, Alarm, IRM: 2002   ISO 31000/COSO             –
Specifically ERM based                             ✓           ×                          ✓                          ✓
Guide to implementation of ERM                     ×           ×                          ✓                          ×
Risk management to help achieve corporate goals    ✓           ✓                          ✓                          ✓
ERM framework objectives                           ✓           ✓                          ✓                          ✓
Guide to ERM framework design                      ×           ×                          ✓                          ×
Risk management process                            ✓           ✓                          ✓                          ✓
Guidance for audit                                 ✓           ✓                          ✓                          ✓
Useful as benchmark                                ✓           ✓                          ✓                          ✓
Corporate governance                               ✓           ✓                          ✓                          ×/✓
Organisation structure/roles and responsibilities  ×           ✓                          ✓                          ×/✓
Emphasis on internal control                       ×           ×                          ×                          ✓/×

Key: ✓ = covered; × = not covered. In the COSO column, entries of the form a/b follow the date row and refer to the 2004 and 2017 frameworks respectively.

B Example studies of major losses


In this section we will discuss three major loss events to illustrate why risk management systems are
vital to organisations.

B1 Equitable Life
First we will look at the story of Equitable Life, an insurance company founded in 1762 that traded
successfully for nearly 200 years before making a series of decisions that led to insolvency in 2000.
The Equitable Life Assurance Society was a mutual society, that is, it did not issue shares or have
shareholders. It was funded and owned by the members, who were also policyholders. It was the first life
assurance business to use mathematical life expectancy calculations as the basis for setting its
premiums and indeed originated the role and title of actuary. This allowed it to offer lower premiums
than its competitors, and by deliberately targeting healthy people in low risk occupations, premiums
were kept lower still. It invested most of its assets in British Government bonds and distributed any
profits as bonuses to policyholders, a policy that paid off handsomely after the battle of Waterloo when
bond values rose sharply.
Until 1892, bonuses were restricted to the first 5,000 policyholders, but when the last of these early
members died, new management brought in new rules and new financial products, including pensions.
Pensions were structured to appeal to the upper middle classes, successful business people and
professionals such as doctors and lawyers, and people who moved in upper class circles but did not
have inherited land or fortune as security.

Business was good and in 1957 Equitable Life introduced a wide range of flexible with-profits pensions
aimed at the self-employed. From 1957 to 1988 all retirement annuities sold had a guaranteed annuity
rate (GAR) provision. There was no cause for concern. GAR was below current annuity rates so few people
exercised the option and competitors also featured GAR. The 116,000 GAR products Equitable Life sold
were, however, a higher proportion of total sales than the others.
Buffered by a contract to manage the pension scheme for university teachers, Equitable Life traded
conservatively until 1963, when the Government started looking at pension reform. Worried about losing
its management contract, which by then was nearly half the business, Equitable launched an aggressive
expansion policy, opening new branches and expanding its sales force. By the late 1990s Equitable Life
had over 1.5m policyholders and was one of Britain’s three largest pension providers.
Oil price rises in 1973, the stock market crash in 1974, and inflation at 24% in 1975 all contributed to
depleting asset reserves. Also, in response to inflation, Equitable Life had raised its GAR to 7%. Reserves
did build up again, but in 1983, Equitable Life made another decision. It would beat its competitors by
promising to distribute all investment returns to policyholders. In conjunction with this marketing ploy,
Equitable employed its own salespeople, so avoiding third party commissions, invested in information
technology, and kept administrative costs low. As a mutual it did not have to worry about shareholders.
Products were marketed directly to affluent clients with a projected illusion of joining an elite club. Profit
distributions were popular, of course, and helped win new business. In addition, add-on consultancy
products increased profit margins. However, the policy of ‘full distribution’ meant there was no build up
of reserves. Equitable Life’s free asset ratio was 8% compared with an industry average of 18%.
So when it became apparent that distributions since 1987 had been too generous, Equitable Life in 1990
had an estimated shortfall of some £3bn, the difference between policy values (liabilities) and assets.
Management could live with this because life insurance companies were not subject to mass customer
fund withdrawals like banks. However in 1993, falling inflation and interest rates caused market annuity
rates to fall below Equitable Life’s GAR for the first time. Faced with the likelihood of GAR options being
exercised in quantity, Equitable Life might have started to reduce distribution payments and build up a
contingency reserve. Instead, it introduced a differential terminal bonus. If you opted for GAR you lost
the same amount of money through a reduced terminal bonus.
From then on the situation deteriorated sharply. Bank of England independence and persistent
Government intervention drove inflation down. By September 1998 Equitable GAR was 30% above the
market rate. In early 1999, the Financial Services Authority (FSA – the then regulator), set up by the
Government to regulate the financial services industry, issued a guideline that companies must assume
80% of GAR options would be exercised. Equitable had been using a figure of 2%. It suddenly found
itself with an unexpected exposure of £1.5bn. Equitable Life bought a reinsurance policy to cover the
deficit and buy some time.
Policyholders complained loudly and persistently about differential terminal bonuses, and Equitable Life
decided to justify its action by bringing a test case before the courts. The High Court backed
management in 1999 but the Court of Appeal overturned this judgment by two votes to one. The final
decision was made by the House of Lords who, in July 2000, pronounced that a contract was a contract
and the company was in breach. The judgment invalidated the reinsurance contract and left Equitable
Life in an insolvent position. The company was put up for sale.
No one offered to buy the company because liabilities were too high and assets were invested in stocks
whose value was falling at the time. Assets were sold off to accumulate whatever could be raised and a
much reduced business prepared for sale again in 2008, when the worldwide financial crisis developed
and sale ideas had to be scrapped. Policyholder losses were estimated at between £4bn and £5bn, but
after much political wrangling the final settlement was £1.5bn, offered by the Coalition Government
in 2010.

Consider this…
Equitable Life did not build up sufficient reserves to cover eventual demands. Do you think this was a significant risk
management failing?
To what extent do you think external risks or events in the first part of the 1970s eventually led to the demise of
the business?
Management style reflects beliefs, attitudes and behaviour. To what extent do you think the management style of the
board and CEO influences the management of risk across an organisation?
Chapter 7 Risk management lessons 7/9

Lessons learnt
There were five official enquiries into the Equitable Life collapse, and at least 30 reports from various
interested parties. Lord Penrose’s enquiry ran from August 2001 and produced an 800-page report in
March 2004. The Parliamentary Ombudsman published a 2,800-page report in 2008. Other significant
reports came from the FSA, the Treasury Select Committee and the European Parliament.
Penrose laid most blame on the society’s senior executives and directors. He found that non-executive
directors:
• did not understand risks to which Equitable Life was exposed;
• were ill-equipped by training or experience to challenge actuaries;
• did not understand the financial position; and
• were influenced by the autocratic and domineering personality of Roy Ranson, joint actuary from 1982
and chief executive from 1992 to 1997.
However, he also commented that ‘the practices of the Society’s management could not have been
sustained over a material part of the 1990s had there been in place an appropriate regulatory structure’.
Penrose criticised Equitable Life’s governance structure and also blamed accounting standards for
allowing too much discretion in balance sheet reporting.
So what did go wrong? Obviously the decision to guarantee annuity rates was only viable in times of high
inflation and high interest rates. Was this risk recognised at the time and forgotten later or ignored
because the decision helped bring in new business? Why did the board not place limits on the number
of products sold with this guarantee, so if interest rates dropped liabilities could be met by reserves?
You can see that board members might take for granted products that had been one of the mainstays of
the business for some thirty years, but a competent risk manager should have highlighted the problem.
The ‘full distribution’ policy promoted by Ranson in 1983 was the key decision. By distributing all profits
to policyholders there was nothing left to build up reserves. From then on Equitable Life could not afford
any risks to materialise as they had no buffer to cope. Any shortfall would have to be borrowed as there
were no shareholders to ask for extra funds. In a turbulent financial environment they could not afford a
single mistake.
What happened to regulators who were supposed to protect policyholders by ensuring financial services
organisations traded with adequate capital and reserves? Up to 1997 life assurance supervision was one
of many functions of the Department of Trade and Industry (DTI) or its predecessors. In January 1998
responsibility was switched to the Treasury and a year later transferred to the newly created FSA.
Government actuaries had commented unfavourably on full distribution and GAR but the DTI had taken
no further action. At a critical time for Equitable Life, regulators were primarily concerned with internal
shuffles and manoeuvres. When the FSA eventually issued guidelines Equitable Life was in trouble.
A combination of factors contributed to the company’s demise. A high-risk business strategy was
adopted by arrogant, forceful executives who seemingly dominated board discussions. Risk
management conspicuously failed or was absent. Top level governance checks didn’t work because
non-executive directors were incompetent and bullied, and regulators were disorganised and inefficient.
Equitable Life had no contingency capital or plans to deal with surprises and no access to additional
shareholder funds.
All this sounds obviously wrong in hindsight, but the high-risk strategy was reaping high rewards. The
business had traded for over 200 years, offered highly competitive products, was experiencing high
growth, reporting good profits and had an excellent reputation. The view from inside must have been
different, lulling all directors into a false sense of security, and believing potential problems could be
solved.
Would professional risk management have helped? Well, yes and no. Most of the key risks were well
known in the industry and to the regulators, but a competent risk function would have highlighted them
for serious discussion at a board risk subcommittee and would have proposed contingency plans. After
that, who knows? Would a hubristic chief executive persuade the board to ignore risks or a strong
chairperson insist on changes of policy? What would have happened if non-executive directors had had
more appropriate backgrounds or perhaps had a better appreciation of their governance role on the
board? Both these questions arise in other organisation failures and answers still need to be found.
7/10 M67/P67/March 2018 Fundamentals of risk management

B2 BP
The disaster
In the evening of 20 April 2010, an uncontrolled flow of water, mud, oil, gas and other materials came
out of the drill riser and/or drill pipe onto the deck of the drilling vessel Deepwater Horizon, contracted
by BP to drill the Macondo well in the northern Gulf of Mexico. Shortly afterwards there were two or more
explosions and a huge fire that lasted nearly two days before the vessel sank. Eleven people were killed.
The drill riser and pipe were damaged and continued to discharge materials into the water. It took a
further 83 days to stop the flow, resulting in massive clean-up operations around the Gulf and still
unmeasured damage to marine ecology. As of July 2016, criminal and civil settlements, costs, and
reserves to settle compensation claims had cost the company over US$44bn.
This was the worst disaster in the history of offshore drilling and, of course, triggered multiple enquiries
and investigations to determine what went wrong. Substantial amounts of detailed evidence remain
unpublished as legal proceedings continue, but there is enough published material to get a reasonably
accurate picture of the chain of events involved.
Offshore deep water drilling is a high-technology, high-risk occupation. Experience and technical
expertise is required, not only to understand the risks involved, but to be able to interpret real-time
information during drilling operations, so as to pick up warnings that things are going wrong. People
with different technical skills belonging to different organisations have to be able to work together in a
hazardous environment, and be able to react together if an emergency arises.
The Macondo well was estimated to lie at a depth of about 18,500ft below the drill rig, the rig being
about 5,000ft above the sea floor. Drilling was conducted from a floating rig with computer controlled
positioning to keep it above the well head.
Temperatures and pressures increase as you go down into the earth. The big concern in drilling
operations is to prevent a blowout of high pressure gases and hydrocarbons coming up the borehole
before you want them to. Design of well linings, tubes and fittings, drilling precautions and procedures,
testing and safety devices all have this aim. So what went wrong at the Macondo well to let this happen?
And when it happened, why was the blowout not contained?
Risk management deficiencies
The critical element of this disaster was the undetected entry of high pressure, high temperature
hydrocarbons into the Macondo well. It was discovered that flaws and design deficiencies were built into
the well during construction. Temporary abandonment procedures exposed the flaws, and the well
structure failed at one or more points, allowing hydrocarbons to enter undetected into the well bore. The
flaws were not detected by well tests, and subsequent operations did not detect entry of hydrocarbons
into the well or their propagation upward through the well toward the drill rig.
As fluids, hydrocarbons and gases erupted on the drill floor, deficiencies and defects in the well system
were again exposed and exploited. All rig emergency and well control systems failed to prevent the
hydrocarbons from igniting with disastrous effects, including multiple hydraulically operated rams
designed to seal off the well as a last line of defence. Explosions and fires further damaged rig
emergency and well control systems.
Investigations listed at least 30 separate decisions that increased risks during design, installation and
testing. There was no evidence that these additional risks had been seriously evaluated before
continuing with operations. Deficiencies in communication procedures led to decisions being taken by
people not in possession of critical information.
Design and installation decisions affecting the risk
Significant decisions affecting well design were made as well construction proceeded. For example, BP
chose to use a single long pipe for oil production dropped inside the pipes used to line the borehole.
Any hydrocarbons getting into the gap between the pipes were only contained by seals at the top and
bottom of the well. An alternative, but more expensive, overlapping two-piece pipe design was available
which would have introduced two further intermediate seals.
In another example, the bottom of the production pipe was to be sealed in the base of the borehole with
cement. However, as the pipe diameter was 7in and the borehole lining diameter 8.5in, the cement
annulus seal was only 0.75in thick. BP were to use 21 disc-like centralisers to keep the pipe in the
middle of the borehole and ensure a seal of even thickness, but for various reasons only six were
eventually installed. If the pipe touched the rock face at any point the seal there would not be effective.
At the bottom end of the production pipe was a 190ft section known as the shoe track. The shoe is the
cap (with flow holes) at the bottom of the pipe and approximately 190ft above this is a valve mechanism
called a float collar. A tube holds the valve in the float collar open to allow drill mud to fill the pipe, then
pressure is raised to drop the tube into the mud and the valve closes, allowing downward flow but
preventing any backflow up the casing. The process of releasing the tube is known as float collar
conversion and should be achieved in one attempt with 400 to 700psi pressure. On 19 April 2010 it took
nine attempts and 3,142psi to start circulation, causing debate about whether shoe outlets were
blocked, whether weak rock formations at the base of the well had broken down, or whether the float
collar had not converted. These unexpected measurements were not investigated thoroughly or
explained. Low circulation pressures observed after these attempts were put down to inaccurate
instrumentation.
At this stage, before pouring cement for the base seal, mud should have been circulated through the
whole system to clean out any debris and allow inspection of mud at the well bottom for traces of oil
products (hydrocarbons). BP decided on a partial circulation to keep pressures down, but this meant any
hydrocarbons in the well would remain undetected.
The bottom cement seal design was a major headache. The mix had to be light enough for pumping into
position, yet dense enough when set to provide an adequate high pressure seal. Lightened by nitrogen
to guarantee good flow properties and reduce pressure on surrounding rock formations, the cement
needed 48 hours to set to design strength. The seal was required to reach a specified height around the
base of the well.
Use of non-gaseous additives instead of nitrogen would have produced a better seal, but more important
facts emerged. BP conducted pressure tests on the well after 10½ hours. It is possible the cement mix
was not stable and, due to inadequate instrumentation, might not have been placed at intended levels.
No level confirmation tests were performed. Halliburton, the cement contractor, was later found in court
to have known the cement mix was unstable before going ahead with the cementing procedure. They did
not make BP aware of the seriousness of their test results and BP representatives did not make relevant
enquiries. All the evidence suggests the cement base was never an effective barrier to hydrocarbons
entering the well.
In this short summary it is not possible to go into all the technical detail of design decisions affecting
the integrity of the various barriers and seals. From the examples we have described, you can see that
design decisions taken before and during drilling operations were important, leading to system
weaknesses which could have been avoided had the primary concern been safety. Instead, decisions
appeared to have been taken more with regard to cost and time, provided safety was deemed adequate.
Testing decisions affecting the risk
Having completed drilling operations, the next job was to test the system to make sure there were no
leaks into or out of the hole. First, pressure would be increased to test that no fluid could flow from the
well through the pipe casing and well head seals. Second, pressure would be reduced to test that no
fluids could get through the seals into the well from the rock formations.
BP was not planning immediate production. The well was to be prepared for temporary abandonment
and sealed until a later date. As well as sealing the casing shoe at the bottom of the well with cement, a
surface plug of cement was to be placed at 3,300ft below the seafloor to seal off the well at the top. The
mud in the riser above the location of the surface plug would then be displaced with sea water, the
cement surface plug set and tested, and the casing hanger tested, locked down and sealed.
There were arguments over the sequence of testing. The Transocean drill crew were concerned about
displacing mud with seawater before installing and testing the surface plug and securing the lockdown
sleeve, but they were overruled by BP. The depth chosen for the surface plug was also below the
recommended best practice depth of 1,000ft, and would reduce pressures in the well when the section
above the seal was later filled with seawater.
Positive pressure testing started at 10.55 on 20 April 2010. As we mentioned earlier, this was done
before the foamed portion of cement had time to develop its strength and testing may have
compromised the integrity of the seal. For other reasons, this test does not check integrity of the cement.
Nevertheless, the test was deemed a success.
The production pipe was then run to 8,367ft in preparation for mud displacement and negative pressure
testing. Some spacer mud was pumped in, followed by seawater. Displaced drilling mud was offloaded
to a supply vessel, but the mud tank used to check mud volumes pumped or displaced was being
cleaned, so there were no accurate measurements available to check for leakage. Other operations, such
as preparing for the surface plug, were taking place at the same time and may have caused a distraction.
As pressure was decreased for the test, if the well were sealed, only enough fluid would flow back to
compensate for the pressure drop. The well would remain static and the well head pressure should be
zero (atmospheric). In the event, there was more backflow than anticipated and the pressure never
dropped to zero.
It was noticed that about 50 barrels of mud had leaked from above the test blowout preventer being
used to block off the top of the pipe while the pressure was reduced. When this was corrected and the
pipe fully closed, pressure unexpectedly rose from 273psi to 1,250psi in six minutes. Transocean
interpreted this as a well leak problem. BP said results were inconclusive because of the leak. A second
negative test was agreed.
What no one noticed was that not enough seawater had been pumped before the test to move all the
spacer mud above the test blowout preventer. The spacer mud was heavy and the leak allowed it to drop
across the test inlet, making pressure readings unreliable.
The second negative test began at 17.27 by bleeding drill pipe pressure to zero. Three and a half barrels
of backflow were expected but 15 barrels were observed. Drill string pressure quickly rose and then fell,
slowly rebuilding, and by 18.35 had reached 1,400psi. Despite the high pressure readings, at 19.55 the
negative pressure test result was accepted.
At this stage, the test blowout preventers were opened and seawater was pumped for about an hour
down the drill pipe to displace all the mud in the riser pipe above the well head. This process continued
to reduce pressure inside the drill pipe. Checks for leakage by measuring to see if seawater inflow was
balanced by mud outflow were not implemented.
At 20.50 the pumps were slowed to monitor the water-based mud spacer’s arrival. A decrease in the flow
of the spacer was expected as the pumps were slowed, but data indicated flow actually increased.
Shortly after 21.00, pressure on the drill pipe increased from 1,250psi to 1,350psi, when it should have
decreased due to replacement of heavier mud with lighter weight seawater.
At about 21.08 the pumps were shut down, but the drill pipe pressure continued to increase, indicating
that there was flow into the well. This went unnoticed, and pumping restarted at about 21.14. Outflow
was being pumped, unmeasured, overboard and the crew continued pumping, seemingly unaware that
the well was flowing beneath them.
The risk materialises
Wide pressure variations were recorded between 21.30 and 21.40 and, at about 21.45, seawater was
pushed out of the drill derrick, followed by drilling mud and other fluids, which soon covered the rig
floor. The rig crew diverted the flow to a mud gas separator, rather than directing it overboard, and tried
to shut off the well with the test blowout preventer.
The separator was not designed for the volume of gas and well fluids that were being produced by the
well and was quickly overwhelmed. Gas coming out of solution in the well was expanding rapidly,
pushing seawater and drill mud ahead of it. Gas flooded onto the rig. Ingestion of gas through the
generators’ air intakes resulted in their over-speeding and probable failure. All rig power was lost at
21.49 and of course data recording stopped.
Attempts to activate emergency shutdown systems failed, even though there were no fewer than five
blowout preventer devices installed above the seafloor well head. These are remote-controlled,
hydraulically operated rams that close parts or all of the borehole when they are operated. Three of
these were used in testing procedures, the two main ones being protected as the last line of defence.
The blowout preventers had two independent (blue and yellow) hydraulic control systems, but there had
been a leak on the yellow control pod and only the blue one was in use. No one had noticed there was
insufficient charge on the battery bank in the blue pod. Failures in both pods meant the emergency
blowout preventers could not be remotely activated.
This situation seems not to have been considered in any risk analysis. BP had not seriously considered
the risk of all preventers failing to operate, and had no plans in place to contain the effects of an
uncontrolled blowout. Indeed, in their original application for a permit to drill, BP had described the
chance of blowout as ‘negligible’ and blowout emergency plans ‘not required’.
Efforts to disconnect the Deepwater Horizon from the well head also failed. The first explosion is
estimated to have occurred within seconds after the power loss, quickly followed by a second explosion
and fire. Without power, the rig was unable to maintain its position above the well. It is likely that strains
and movement of the drill pipe and riser caused problems, and defeated attempts to operate release
mechanisms as the crew tried to disconnect the rig from the well to stop well fluids fuelling the fire.
Later investigations established that various alarms and critical safety systems had failed to operate as
intended. Several fire and gas detectors were not functioning or had been inhibited prior to the
explosion to avoid false alarms waking crew members in the middle of the night. Sensors would have
sent hazard warnings to a computer display, but operator action was needed for response. Failure of
alarms along with other critical safety systems potentially reduced the time available to crew to evacuate
the rig.
Lifeboat evacuation procedures were confused and hindered by exit routes blocked following the
explosions. Many people jumped into the sea and were rescued by supply ships. One hundred and
fifteen of the 126 people on board the rig escaped alive, including 17 who were injured. The remaining
eleven were killed in the explosion.
After 36 hours the burning rig sank and the fire was extinguished. The riser, with drill pipe inside, bent at
the top of the subsea blowout preventer and dropped broken on the seafloor, spewing gas and oil into
the Gulf of Mexico. Various attempts were made to cap the pipes and to inject heavy mud and cement
into the well head, but it was 83 days before a permanent seal was effected by drilling a relief well to
intersect the open one.
Lessons learnt
Investigators criticised the way all operations were conducted. System safety was never a prime
consideration in documentation or reported discussions. Design disagreements between contractors
were left unresolved. Testing procedures were sketchy with little or no information on how results were
to be interpreted. Approved guidelines were not followed. Operators were inadequately trained.
Equipment maintenance was inadequate. Instrumentation was faulty or gave misleading results.
Unexpected or conflicting test results were not explored. Multiple simultaneous procedures distracted
operators at key times during the tests. Significant changes were made at all stages of the project
without proper risk assessment or management.
Flawed maintenance procedures prevented post-incident safety systems operating, safety trips needed
manual intervention and various alarms had been switched off. The incident also exposed emergency
response flaws. The well should have been diverted overboard and not to the mud gas separator, the rig
could not be disconnected from the well head and evacuation procedures proved chaotic. The decision
to rely on the float equipment and single cement seal at the bottom of the well during negative pressure
testing was unnecessarily high-risk, compounded by displacing mud with water (and so lowering
pressure) before setting the surface plug.
Regulation also failed. The US Minerals Management Service (MMS), responsible for signing off permits,
did not have sufficient staff with the right expertise to check plans and proposals associated with ultra
hazardous hydrocarbon exploration and production. MMS was responsible for leasing, revenue, energy
management and enforcement, and was clearly short of staff and funds that might have enabled them to
develop competence to test proposals against best available practice.
As an example, on 15 April 2010, BP applied for a permit to change from an exploration well to a
production well. By installing production casing now, they could save time later when they came to open
up the well for production. It is not clear when this decision was made. BP had asked Halliburton, the
cement contractor, to assess options for cementing the base of the production casing on 12 April 2010.
Certainly no detailed risk assessments were considered with the change of plan and the permit was
granted the same day.
Many things went wrong with this project and investigations and enquiries were not short of suggestions
and recommendations for improvement. Enquiries focused particularly on how the project was managed
and controlled, both within BP and the Government regulatory authority, MMS. The lack of safety culture
within BP was heavily criticised. Bad decisions were made by many different staff. Effective control and
governance were missing and best safety practices not observed.
Most recommendations aimed to ensure future high-risk drilling operations were properly controlled and
supervised by competent staff, trained to consider the overall system implications of technical
decisions, and with the ability to correctly interpret test results. The culture of participating
organisations had to change from emphasis on production to emphasis on safety. Governance
improvements required effective risk analysis and review of decisions before permits would be granted.
Best practice guidelines would be reviewed and compliance more rigidly enforced.
Further recommendations were made to improve post-incident precautions. Blowout preventer design
and maintenance came under particular scrutiny. It seems none of the emergency activation systems
could develop sufficient pressure to close the hydraulic rams. Hydraulic leakage, low battery charge and
damaged cables were suspected. Emergency procedures were inadequate and alarm systems needed
attention. There was also criticism of spill prevention and clean-up operations. No pre-planning had
been done to stop the oil spill, and chemical water treatment is only partially effective.
Future projects
Regulator deficiencies were swiftly acknowledged and MMS replaced with BOEMRE (Bureau of Ocean
Energy Management, Regulation and Enforcement), an organisation with a separate department solely
for regulation. However, it will take BOEMRE several years to recruit and develop staff of sufficient calibre
to provide independent risk assessment of operator proposals. Similarly, culture change within
organisations is a long-term objective. In the short term, changes will concentrate on inspections and
other ways to enforce approved best practice compliance.
A feature of this disaster was that the risk of blowout was well-known. Rock formations were known to be
weak, differential pressures critical and blowout precautions essential. Yet the risk overcame a series of
barriers and defences because of deficiencies in design, organisation, competence and management.
Weak or inadequate defences were not revealed by tests and multiple safety systems failed. Information
that would indicate hydrocarbons had entered the well was available some four hours before the
blowout erupted, had anyone recognised its importance.
Analysis after the event established plausible failure modes for the systems and devices that failed. If
this level of risk analysis had been available during operations, and safety culture such that the
information was acted on, the conclusion is that this disaster would never have occurred.

Consider this…
How much do you think a lack of an appropriate safety culture within BP contributed to risk management failings?

B2A Why risk management systems can fail
The BP case study highlights that problems can occur if people, for whatever reason, do not perform
allotted tasks in a thorough and competent manner. Had well tests been carried out without errors and
omissions, key risk indicators would have been uncovered.
No matter how well they are designed and implemented, risk management control systems can always
fail because of human behaviour. The COSO executive summary highlights the following possible
reasons:
• human decision making can be faulty;
• decisions responding to risk and establishing controls can be subject to financial constraints;
• human error;
• controls can be circumvented by collusion between two or more people; and
• management’s ability to override ERM decisions.
It follows that the board and management can never have absolute assurance that an organisation’s
objectives will be achieved.

B2B Consequences of the failure of BP risk management systems
Primary consequences
As we saw at the start of this section, the primary consequence of risk management failures was that a
well blowout was allowed to occur. The blowout was not contained and eleven operators died in
subsequent explosions and fire. The drilling rig burnt out and sank, and a massive oil spill was released
into the Gulf of Mexico. It took BP 83 days to cap the well and stop the oil flow.
Secondary consequences
By around the middle of 2010:
• over 20m gallons of oil had spread over 24,000km² of the Gulf;
• over 20,000 people were involved in cleaning beaches and other impact mitigation attempts (BP
supplied over 14,000 staff and contract workers);
• clean-up costs had already reached US$1.2bn;
• fishermen lost their livelihood due to long-term depletion of fish stocks;
• BP stock fell to a 14-year low, equivalent to a US$67bn loss of value since the disaster;
• rating agencies issued warnings and downgrades;
• BP had received 42,000 claims for compensation and settled about 20,000 at a cost of US$53m;
• BP was forced to set aside US$13.5bn against claims and cancel its dividend. It announced plans to
raise up to US$35bn of which up to US$7bn was to come from asset sales; and
• senior managers were replaced or resigned.
Multiple legal proceedings will take many years to resolve.
Longer-term consequences
Scientists and marine ecologists are continuing to monitor potential long-term effects on marine
ecosystems, wildlife habitats and pollutants in the food chain. Their concern is not just about oil
particles but also about chemical dispersants used in clean-up operations. Many organisations are
involved and BP has promised US$500m to fund a ten-year research programme.
Although tourist beaches are now cleared and fishing activities have returned to normal, marshland and
other wildlife habitats that would have been damaged by conventional clean-up techniques still retain
visible oil deposits. Large amounts of oil are known to have sunk into the ocean and contaminated the
sea bed. Micro-organisms that ostensibly help to clean up dispersed oil by feeding on it are then eaten
by fish and sea birds with effects that are not yet known.

Be aware
As you study risk management literature, especially in the context of operational risk management, you are likely to
see reference to key risk indicators (KRIs) and key control indicators (KCIs). KRIs help identify increases in the
probability of incidents occurring early enough to prevent them. KCIs indicate controls are not working effectively or
have failed.

For example, people analysing credit worthiness of potential banking customers will look for key risk indicators
relating to credit risk. These could be changes in specific financial ratios, management behaviours, or economic
conditions, each of which could indicate a potential rise in credit risk. An example of a KCI is a rise in unaccounted
stock losses, which indicates a failure in stock theft controls.
As we have seen throughout our studies, particularly in this chapter, it is important that organisations learn risk
management lessons from incidents that occur. If an organisation can see the probability of certain types of risk
increasing, then it has the opportunity to put preventive measures in place, or prepare to mitigate the impact of a
materialising event. Organisations must try and determine all possible causes and look for conditions or events that
might make occurrence of these causes more likely. A good KRI is one that can be readily calculated or measured.
Managers need measurable quantities to track and trigger levels for alerts.
KRIs and KCIs are related as failure of a control is often a KRI. In terms of a financial transaction for a bank product,
for example, key controls could be around customer identification or proof of address before a financial loan is
approved. A failure of these controls could act as a key risk indicator, as there is clearly an increased risk from
acceptance of a customer who did not meet the lending criteria of the bank.
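As an added worked example (not part of the study text), the following Python turns the loan-approval controls just described into measurable indicators: weekly counts of approvals that bypassed the customer identification or proof of address check give two KCIs, and assumed amber/red trigger levels plus a simple rising-trend rule turn them into KRI alerts. The sample figures, thresholds and trend rule are constructed for illustration.

```python
"""KRI/KCI monitoring over constructed loan-approval figures (added example, not from the study text)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class WeeklyApprovals:
    week: str
    approved: int          # loans approved in the week
    missing_id: int        # approved without completed customer identification
    missing_address: int   # approved without proof of address


# Constructed sample data; the figures are invented for illustration.
SAMPLE = [
    WeeklyApprovals("W01", 400, 2, 1),
    WeeklyApprovals("W02", 420, 1, 2),
    WeeklyApprovals("W03", 450, 10, 4),
    WeeklyApprovals("W04", 470, 16, 9),
    WeeklyApprovals("W05", 480, 27, 15),
]

# Assumed trigger levels for a control-failure rate (fraction of approvals).
AMBER = 0.02
RED = 0.05


def kci_rates(w: WeeklyApprovals) -> dict[str, float]:
    """KCIs: how often each key control was bypassed, per approval."""
    if w.approved == 0:
        return {"customer_id": 0.0, "proof_of_address": 0.0}
    return {
        "customer_id": w.missing_id / w.approved,
        "proof_of_address": w.missing_address / w.approved,
    }


def level_for(rate: float) -> str:
    """Map a measured rate to a trigger level managers can act on."""
    if rate >= RED:
        return "red"
    if rate >= AMBER:
        return "amber"
    return "green"


def evaluate(records: list[WeeklyApprovals]) -> list[dict]:
    """Turn the weekly KCIs into KRI signals.

    The worst control-failure rate in a week sets that week's level, and a
    trend alert is raised when the worst rate has risen in each of the last
    three weeks (an assumed rule), so that a deteriorating control is flagged
    before the red threshold is crossed.
    """
    worst = [max(kci_rates(w).values()) for w in records]
    results = []
    for i, w in enumerate(records):
        rising = i >= 2 and worst[i - 2] < worst[i - 1] < worst[i]
        results.append({
            "week": w.week,
            "kci": {k: round(v, 4) for k, v in kci_rates(w).items()},
            "level": level_for(worst[i]),
            "trend_alert": rising,
        })
    return results


if __name__ == "__main__":
    for row in evaluate(SAMPLE):
        print(row)
```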

B3 The financial crisis of 2008


During 2007 many financial services organisations were showing signs of serious stress. Problems were
most noticeable in the USA and Europe, but because of the global nature of banking, repercussions
reverberated throughout the world. The crisis peaked to full-scale panic in August/September 2008,
when simultaneous failures of some of the world’s largest financial organisations were confirmed and
banking confidence broke down. Governments had to intervene, using taxpayer funds to restore
stability. Disruption of asset values and credit facilities affected the finances of all sorts of businesses
and individuals. Ten years later, countries are still rebuilding their economies and millions of individuals
are rebuilding their lives.
7/16 M67/P67/March 2018 Fundamentals of risk management

B3A Background to the banking system


Modern banking, particularly investment banking, responds rapidly to business pressures and
opportunities. A tiny percentage profit on a transaction can result in significant income if the transaction
involves billions of pounds. Banks are daily looking for ways to use money to their advantage and large
overnight cash flows are common. Investment banks secure their reputation, and increase their income,
by earning more per pound of investment than their competitors.
Banking of this nature involves risk. As a general rule, the higher return you get on an investment, the
larger the risk involved. Commercial pressure leads to investment in high-earning assets, which are only
high-earning because of underlying risk.
When asset fund managers buy shares in a company for their investment fund, they are betting that the
value of those shares will increase, but there is a risk they will not. Fund managers hedge this bet by
buying a large number of different shares, now requiring only the average value to increase. Similarly, if
the investment is in other forms, such as options to buy or sell in the future at a fixed price, or bonds
backed by various securities, fund managers can assess the risks involved and reduce their exposure by
buying opposing options or other forms of insurance. Investment banking is based on bets and counter
bets and effective risk management is essential.
The global financial system is large, complex and interrelated. Each financial transaction involves at
least two parties, often with a third intermediary. Each contract moves the balance of risk between
counterparties involved. Furthermore, counterparties can change overnight as someone sells their
contract to someone else. The whole system depends on confidence that bargains will be kept and
obligations honoured. When counterparties cannot be relied on, uncertainty sets in, confidence is lost
and financial transactions refused. The whole interconnected, interdependent financial system breaks
down.

B3B The economic situation


Consider the economic situation in the USA and Europe in the decade leading up to the crisis. We are
concerned primarily with real estate, mainly housing but also commercial property. Government policies
throughout this period encouraged credit availability in general and home ownership in particular. Large
amounts of capital were flowing into the west from China and oil-producing states. Low interest rates
were designed to stimulate economic growth and in the USA specific policies were directed at increasing
home ownership, particularly to encompass groups of people with previously no access to home finance.
In the USA and several European countries, house prices rose consistently.
The housing boom was most spectacular in the USA. Successive Governments placed increasing targets
on the two Government sponsored enterprises (GSE), Fannie Mae and Freddie Mac, to ensure mortgages
were made available to specific communities and lower income families. Fannie Mae and Freddie Mac
bought mortgages from originating companies, and their demands for more mortgages of specific types
encouraged mortgage originators to relax qualification standards. Various categories of sub-prime loans
appeared, including those with low or no deposits, interest only, adjustable rate, and longer repayment
terms. Some required no certified income documentation and became known as ‘liar loans’. Sub-prime
loans worth over US$300bn were issued in 2003.

Activity
Using the internet, find out more about Fannie Mae and Freddie Mac.

Mortgage originators flourished. Some operated like building societies, attracting deposits from the
public and using this cash to provide mortgages, but most set up mortgages and then sold them on,
earning money from commissions and fees. Investment banks and commercial banks repackaged blocks
of mortgages into residential mortgage-backed securities, which were then sold to investors. In many
cases the securities were repackaged again into collateralised debt obligations (CDOs) and sold on to
other investors. CDOs could also be repackaged into other CDOs, and synthetic CDOs emerged as bets on
the performance of nominated CDOs. To make CDOs more attractive, a series of them could be offered
against a specified pool of mortgages. Higher-rate CDOs would have first call on assets if the value of the
mortgage pool were to deteriorate. Lower-rate CDOs would lose money first.
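As an added illustration (not from the study text), the following Python model allocates losses on a constructed mortgage pool to a senior, mezzanine and equity tranche in the order the text describes, so that the senior tranche is untouched until the tranches below it are wiped out. Pool size, tranche sizes, default rates and the recovery rate are assumed figures.

```python
"""Loss waterfall for a simple tranched CDO (added example, constructed figures)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Tranche:
    name: str
    size: float          # principal attached to this tranche, in $m
    loss: float = 0.0    # principal lost so far, in $m

    @property
    def loss_pct(self) -> float:
        return 100.0 * self.loss / self.size


def pool_loss(pool_size: float, default_rate: float, recovery_rate: float) -> float:
    """Principal lost on the mortgage pool: defaulted balance net of recoveries."""
    return pool_size * default_rate * (1.0 - recovery_rate)


def allocate_losses(tranches: list[Tranche], total_loss: float) -> list[Tranche]:
    """Absorb the loss from the most junior tranche upwards.

    `tranches` must be ordered from senior (first call on assets) to junior
    (loses money first). A tranche absorbs loss only once every tranche
    below it has been wiped out.
    """
    remaining = total_loss
    for tranche in reversed(tranches):
        absorbed = min(remaining, tranche.size - tranche.loss)
        tranche.loss += absorbed
        remaining -= absorbed
        if remaining <= 0:
            break
    return tranches


def run_scenario(default_rate: float, recovery_rate: float = 0.6) -> dict[str, float]:
    """Percentage loss of each tranche for a given default rate on an assumed $1,000m pool."""
    pool = 1000.0
    structure = [
        Tranche("senior", 800.0),      # 80% of the pool, first call on assets
        Tranche("mezzanine", 150.0),   # next 15%
        Tranche("equity", 50.0),       # the first 5% of losses land here
    ]
    allocate_losses(structure, pool_loss(pool, default_rate, recovery_rate))
    return {t.name: round(t.loss_pct, 1) for t in structure}


if __name__ == "__main__":
    # The senior tranche reports no loss at all until defaults exceed 50% of the pool.
    for rate in (0.05, 0.10, 0.20, 0.40, 0.60):
        print(f"default rate {rate:>4.0%}: {run_scenario(rate)}")
```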
Demand for CDOs fuelled demand for mortgages. Homeowners were encouraged to refinance, to use
equity to purchase better or second homes, or to release cash for private expenses. Buyers with low
initial repayment mortgages faced with steep increases could also refinance using new low starter rate
loans. Many people were persuaded to take out loans they could not really afford.

CDO investments were attractive because of the high returns they provided. But, they depended on
high-rate mortgage returns which were only possible while house prices continued to rise. By 2006, US
house prices were flattening out and default rates on mortgage repayments were increasing.

B3C Cash flows


In the financial system billions of pounds change hands daily as organisations buy and sell in an
attempt to increase the value and earnings of their investments. Most of this money is borrowed from
someone else. Financial institutions hold limited capital compared with the value of assets they hold. In
2007, the five major US investment banks were operating with ratios around 40, i.e. for every £40 of
assets they held there was only £1 available to cover losses. Put another way, a 3% drop in asset values
could wipe out the bank. Ratios for Fannie Mae and Freddie Mac were as high as 75.
To make matters worse, much of the borrowing was very short term, often overnight loans that had to be
renewed every day.

Example 7.1
The investment bank Bear Stearns is a much quoted example. At the end of 2007, it had US$12bn equity, US$384bn
liabilities and was borrowing around US$70bn every day in overnight loans. Inside the company such risks were
obvious but the extent of risk was camouflaged to outsiders, with liabilities hidden in holdings of complex financial
products and carefully crafted financial statements.

Two common ways of arranging short-term loans are commercial paper and repurchase agreements
(repos). Commercial paper can be issued by any financially sound organisation and is effectively a
promise to pay. Totally unsecured, commercial paper depends for its credibility on reputation of the
organisation concerned. Repos are secured loans. The borrower sells low-risk security to the lender and
uses the money for higher-earning investment. The sale is accompanied by agreement to repurchase the
low-risk security at a slightly higher price in the future. Repo loans often involve a third party, usually a
bank, holding the securities in case either party defaults. In a stable market, both types of loan
mechanism are typically renewed (rolled over) as they become due, often on a daily basis. If the loan is
not rolled over, however, the borrower is faced with an immediate demand for cash.
In purchasing a CDO or any similar security, there is obviously a risk that the value of the underlying
assets will decrease, thus reducing market value of the security just purchased. Purchasers with low risk
appetites removed this risk by means of a credit default swap (CDS). In return for a series of payments
throughout the life of the swap, the CDS purchaser transferred the default risk of the underlying debt to
the seller. If the value of the underlying security fell by more than an agreed amount, the purchaser
could demand payment of the difference.
CDSs were often referred to as insurance but there were two vital differences. First, you can only insure
things in which you have an insurable interest, whereas a CDS could be bought as a bet against a loan
you do not own. Second, the insurance industry is regulated and insurers have to hold capital reserves
against default. CDSs are not technically insurance and no capital reserves are required. For example
AIG, the largest US insurer, accumulated US$500bn credit risk without a single dollar of reserve. CDSs
were popular, and the value of assets underlying them grew worldwide from US$6 trillion in 2004 to over
US$52 trillion at the end of 2007.

B3D Risk assessment


How did investors decide what to pay for a particular mortgage-backed security? They needed to assess
risks involved to trade off against expected returns. To do this they would need accurate information as
to the number and quality of mortgage loans backing the security on offer. But this information was
rarely available. With products based on other products and individual mortgages counted in multiple
packages, the basic information trail became obscured.
As large investors with risk evaluation departments struggled to determine whether the products on offer
were based on sound or risky mortgage collateral, smaller investors had to look elsewhere for help. This
is where rating agencies came in. In the USA the three main rating agencies were Moody’s, Standard &
Poor’s, and Fitch. Each employed industry analysts to issue credit ratings against public companies and
governments, giving investors independent informed opinion of risks attached to current share and
security values. CDO originators paid these agencies to evaluate their financial products and publish
similar ratings. It is not clear how these agencies arrived at their conclusions, but the outcome was that
most layered CDO products attracted the highest AAA rating for their highest tier offerings.
Consequently, these CDO products were treated as investments as sound as Government bonds.

B3E Risk management and control


Computers are essential to banking. Retail banking, credit card operation and interbank clearing now
depend on their functioning for survival. Computers are also used for arbitrage, profiting from different
prices of the same commodity in different markets across the world. Computers are programmed to look
for such anomalies and automatically initiate suitable trades, even if the opportunity lasts only for a few
seconds. Banking people are used to computers and expect them to provide accurate and reliable
information.
Within global financial organisations, different subsidiaries in disparate countries are making daily
decisions involving billions of pounds or dollars. It is difficult to keep track of overall risk exposures
without strict discipline and effective reporting. Management may impose risk-based limits on operating
units, setting ceilings on the amount of specific commitments they are allowed to make. Then
computer-based risk modelling may be introduced, including stress tests to probe the limits at which
corporate risk becomes untenable. But the assumptions used in programming these models are subject
to debate and therefore carry their own risk. This distinction is not always emphasised or appreciated by
bankers used to accepting whatever the computer says.
Correct interpretation of risk analysis data is important. Boards need to disseminate risk appetite
information for managers to reference when they have to make individual decisions, otherwise risk
taking can spiral out of control. The risk culture of the organisation is important in influencing levels of
risk undertaken and diligence of reporting exposures up the management chain.
There was a change in risk perception as the financial crisis developed. Before 2007, organisations had
been treating other financial organisations as competitors, not as potential sources of risk. We will see
that organisations which recognised and evaluated the possibility of counterparty default were able to
take steps to reduce their exposures significantly.

Activity
Using the internet, find out how organisations responded to the financial crisis. For example, look into the changes
that have been made in banking standards.

B3F The bubble bursts


House prices in the USA increased each year from 1997 to 2006, rising on average over 150% during that
period. Prices in ‘sand’ states such as California, Arizona, Florida, and Nevada rose faster. This
encouraged speculation. People bought and sold property quickly to realise profits, taking advantage of
flexible mortgage arrangements to finance and refinance the deals. Standards decreased under pressure
to do deals and boost earnings. Fraud convictions multiplied. And, the percentage of sub-prime and
risky mortgages in packages supporting CDOs increased.
By 2007, house prices had become unsustainable, and in most regions were starting to fall. The national
average US house price fell 17% in 2007 and a further 11% in 2008, though with wide variations across
states. Many people with variable rate mortgages were not able to refinance loans or keep up payments
when higher interest rates kicked in. Others had loans greater than their declining property value and
chose simply to move out and stop paying. Communities with empty properties became unattractive,
and house prices fell further.
In dollar terms, the decrease in mortgage-related financial products business in the USA was rapid and
startling. Seventy-five billion dollar sales of sub-prime, mortgage-backed securities in the second
quarter of 2007 had dropped to US$12bn by the fourth quarter. CDO transactions fell from £90bn in the
first quarter to just US$5bn in the fourth. Figures for commercial property-related product sales were
similar, falling from US$232bn in 2007 to US$12bn in 2008.
Meanwhile, lenders would only agree to refinance loans at more affordable rates if the GSEs, Fannie Mae
and Freddie Mac, would purchase or guarantee the loans. But the GSEs already owned or guaranteed
US$5.3 trillion of mortgages (over 75% of all US loans) with less than 2% capital funding, and were
writing off asset values and reporting billion dollar losses. Attempts to relax regulations failed, and in
July 2008, Congress approved provisional, additional emergency funds and set up a new agency with
comprehensive regulatory powers. The new regulators took both GSEs into conservatorship on 7
September 2008. The agreement involved Government purchase of US$200bn preferred stock, options
to purchase nearly 80% of remaining stock, and short-term loans and guarantees to multiple
counterparties. Ten smaller organisations were allowed to fail and a further 35 downsized. Ordinary
stockholders were effectively wiped out.

Throughout 2007, mortgage default rates increased and ratings agencies downgraded credit ratings on
mortgage-related products. CDO values fell sharply, triggering demands for cash from CDS contract
holders. People argued about CDO valuations and litigation mushroomed. Claims of mis-selling and
misrepresentation were filed, and thousands of financial services workers lost their jobs. Against this
background, we can look to see how individual organisations were affected.

B3G US organisations
It had been assumed that risk embedded in financial products derived from property values was spread
widely through a diverse and sound banking system. In fact, the risk was concentrated in a handful of
major organisations holding, or exposed to, CDOs. Some of these had actively reduced their exposures
when the housing market turned, while in others, exposures had substantially increased.
Organisations could no longer hide their exposures with balance sheet manipulations or ignore cash
demands eroding their capital. One after the other announced billion dollar losses, a consequence of
asset value write-offs and reserves for expected future losses. Confidence dropped throughout the
financial world as organisations questioned whether contracts would be honoured. Downgraded
organisations found credit expensive or unobtainable. Share values of related financial organisations
fell. Underlying assets that had nothing to do with the housing market had to be sold or refinanced as
organisations struggled with liquidity problems.
Regulators had been closely monitoring Bear Stearns’s liquidity, encouraging them to reduce exposures
and raise additional capital. However, after ratings agencies downgraded their prospects, credit became
more expensive and more difficult to obtain. By October 2007, commercial paper borrowing was
unobtainable and Bear became totally dependent on overnight repo transactions facilitated through the
clearing bank J.P. Morgan.
As signs of Bear’s distress spread through the financial system, hedge fund clients withdrew US$70bn
assets from Bear’s management in just four months. On Monday, 10 March 2008, Moody’s downgraded
some Bear securities, but abbreviated headlines such as ‘Moody’s downgrades Bear Stearns’ caused
panic among lenders. Counterparties demanded their collateral and overnight borrowing arrangements
were not renewed. Eighteen billion dollars cash that Bear had on Monday morning was down to US$2bn
by Thursday night. The US Government organised a US$12.9bn credit facility to keep operations going
while a full takeover by J.P. Morgan was negotiated and announced on Sunday night.
The Bear rescue and extensive new US Government credit facilities made available shortly afterwards
served to stabilise financial markets for a few months. However, J.P. Morgan and the other clearing bank
for repo transactions, BNY Mellon, had both become alerted to the risks they faced if either of the other
parties in a repo transaction were to default. If the lender defaulted, the bank could be pressured into
taking over the loan. If the borrower defaulted, the bank would be stuck with securities and would have
to sell them, in a distressed market, to recover cash.
Also, people were analysing the Bear Stearns situation and realising other organisations faced similar
capital and liquidity risks. US regulators organised a stress test analysis of other major US investment
banks, including, for the first time, risks of losing access to all unsecured funding and some secured
funding. Goldman Sachs and Morgan Stanley passed, while Merrill Lynch and Lehman Brothers failed.
Lehman Brothers was another investment bank with the same basic financial characteristics as Bear
Stearns, although with a bit more liquid cash. A similar pattern unfolded. The price of CDS insurance
against Lehman default increased, potential repo counterparties refused business, fund managers
reduced their exposures, and collateral calls increased. Government officials tried to arrange for the
bank to be bought before it actually ran out of cash. Talks with the Korean Development Bank, Bank of
America and Barclays all fell through. Without collateral to post against a loan and with no available
purchaser, the US Government decided it was in taxpayers’ best interest to let Lehman fail, and the
company filed for bankruptcy on 15 September 2008.
News of Lehman’s failure shook the financial world. The Dow Jones index fell 500 points in one day,
wiping US$700bn from retirement plans, pension and other investment funds. General confidence fell
and even firms like General Motors found it hard to borrow against their commercial paper. Large banks
questioned previous assumptions that they were too big to be allowed to fail. Lehman failed with 8,000
subsidiaries and over 100,000 creditors. Over 66,000 claims totalling over US$873bn had been filed
against them by September 2010, and incomplete transactions left counterparties struggling to recover
securities as best they could.

The impact of Lehman’s failure was heightened by news released the same day that investment bank
Merrill Lynch had been bought by Bank of America. Merrill Lynch was aware of its exposures to CDOs
backed by sub-prime assets and had been working hard to reduce them. Its strategy was to get rid of
higher-risk CDOs but retain the senior tranches, as it saw these AAA-rated investments to be nearly as
risk free as Government bonds. When the ratings and values of senior CDO tranches collapsed, Merrill
Lynch executives were caught by surprise. Serious write-offs and reported losses followed, with the
same pattern of confidence loss, collateral demands and liquidity strain leading to what was later
reported as a ‘shotgun wedding’ facilitated by the US Government.
Two days after Lehman failed, the insurance conglomerate, AIG, had to be rescued. The AIG organisation
held over US$1 trillion assets, but most of these were in insurance subsidiaries, whose regulators did
not allow them to be transferred to other parts of the organisation. By September 2008, in addition to
major problems with CDS collateral demands, AIG was having trouble borrowing against its commercial
paper, its share value had declined, and it was also facing questions about mortgage-based collateral
posted as security against its repo borrowing. Assets were illiquid, asset values were falling, available
reserves were not sufficient, borrowing was restricted and raising capital was not possible.
AIG was so interconnected to other financial institutions through CDS contracts and securities lending
that its failure would have had major repercussions. As an example, if European banks lost the credit
protection they had bought from AIG they would have had to raise an additional US$18bn capital to
satisfy regulators. The US Government decided AIG was too big to fail and made available US$180bn for
its rescue.
The concurrent Lehman failure and Merrill Lynch and AIG rescues caused widespread panic. Investors
drew funds from all but the safest investments, credit and liquidity dried up and markets stuttered.
Everyone lost confidence in everyone else. Borrowing against commercial paper became impossible and
repo transactions ceased. Trading in derivatives virtually stopped. Classic bank runs began as ordinary
depositors withdrew funds from their banks. Institutions were running out of cash. At Morgan Stanley,
for example, cash reserves dropped from US$130bn to US$55bn in one week. On top of this, asset
values, credit ratings and share prices were all shrinking daily. Of the thirteen most important US
financial institutions, twelve were at risk of failure within a matter of weeks. The whole financial system
was in turmoil.
The US Government took drastic action to restore confidence in the system. By 18 September 2008 it had
already lent banks and investment banks over US$300bn to try and stabilise overnight lending. On 3
October a further US$700bn was authorised to restore capital balances and purchase toxic assets from
financial institutions. On 7 October additional funds were made available to purchase commercial paper
directly from issuers so that industrial organisations could once again borrow. A week later Government
guarantees were given that specific debts would be honoured, and in December capital funding was
extended to motor companies.
During this period, while senior Government officials were dealing with major financial institutions,
lesser organisations had similar problems, sometimes exacerbated by particular market exposures. In
general, weak organisations were allowed to fail while more stable concerns were helped with merger or
takeover arrangements. Surviving organisations were generally stronger, but the net effect was to
concentrate risk even further, making adequate regulation even more important.

Consider this…
Do you think organisations in the USA have learnt lessons from the financial crisis?

B3H Effects in the UK


The financial crisis was not confined to the USA. House prices in the UK followed a similar pattern with
average prices nearly doubling between 2002 and 2007, then falling steeply as the bubble burst. Similar
patterns were observable in Spain, France, Ireland and Australia. However, UK mortgage financing was
more conventional. Loans were originated and held by regulated building societies and banks and there
were no derived securities. Nevertheless, with falling house prices increasing default risk, markets
became suspicious of organisations with large mortgage holdings and high financial leverage. As
uncertainty spread from the USA and interbank lending became difficult, companies found it increasingly
hard to obtain short-term finance.

On 12 September 2007, Northern Rock building society in the UK had difficulty raising funds to replace
maturing borrowings and asked the Government for liquidity support. Within a week, depositors
withdrew £2bn cash and there were TV pictures of long queues at Northern Rock branches. To prevent
panic spreading to other building societies and banks, the UK Government announced it would
guarantee all deposits. The queues disappeared, but funding difficulties continued, and on 6 February
2008 Northern Rock was effectively nationalised. Twenty-five billion pound loans, £30bn guarantees and
the value of the company’s mortgage book (approximately £55bn) were added to the UK’s national debt.
Bradford & Bingley building society had a similar problem. Failing to raise sufficient additional capital in
June 2008, they asked for Government help in September. Eventually the company was split in two and
the savings business sold to Spanish bank, Santander, and the rest nationalised. Also in September
2008, the Cheshire and Derbyshire building societies merged with Nationwide.
Another UK casualty was HBOS. HBOS was formed by a merger of the Bank of Scotland and the Halifax
building society in 2001. In March 2008, the value of its shares fell rapidly due to rumours about its
financial stability and reports it was talking to the Government about a loan. In September 2008, shortly
after Lehman’s failure, it was announced that HBOS would be taken over by Lloyds. On 13 October the UK
Government announced a capital injection of £17bn into the new group. The money was used to buy
shares which they would sell later when financial conditions improved.
HBOS/Lloyds funding was part of a bank rescue package totalling some £500bn announced by the
British Government on 8 October 2008 to avoid ‘UK banking meltdown’. The plan aimed to restore
market confidence and help stabilise the British banking system. It provided for a range of short-term
loans and guarantees of interbank lending, as well as up to £50bn of State investment in the banks
themselves. The plan was open to all UK incorporated banks and all building societies, but only
HBOS/Lloyds and Royal Bank of Scotland (RBS) took up the offer. Barclays and HSBC had avoided being
significantly affected.
RBS was also in trouble. In 2007, it had joined a consortium with Benelux bank Fortis and Spanish bank
Santander to take over the Dutch bank ABN AMRO. But with the onset of the financial crisis it found itself
overstretched. Attempts to raise funds in the market failed and eventually £20bn was drawn from the
Government, which ended up with 58% (later, 70%) of the shares. Subsequently, RBS has sold parts of
its business, heavily cut staff numbers, and curtailed its bonus payments.

B3I Effects in Europe


In 2007, Benelux bank Fortis was the 20th largest business in the world by revenue. Finance for its part
of the ABN AMRO takeover was to come from issuing new shares, but by June 2008, Fortis also needed
an additional US$8.3bn capital. A decision to raise US$1.5bn by cancelling dividends angered
shareholders and share prices dropped. Rumours spread and share values fell further.
On Friday, 26 September 2008, €20bn was withdrawn by investors, and a further €30bn was expected to
be withdrawn the following Monday. Fortis was partially nationalised on 28 September 2008 and other
arrangements were negotiated between finance ministers from the Netherlands, Belgium, Luxembourg
and France. Belgian and Dutch banks and a private finance group provided €61bn emergency credit, but
the company was split up and sold in parts, with only some insurance business remaining.
The crisis also spread to Iceland. All three of Iceland's major banks had problems refinancing short-term
loans, and depositors in the UK and the Netherlands started to withdraw funds. At the end of the second
quarter of 2008, Iceland's external debt was €50bn, more than 80% of which was held by the banking
sector. This compares with Iceland's 2007 gross domestic product of €8.5bn. Between late September and
early October 2008, Iceland's Government took control of the domestic operations of all three banks,
allowing overseas branches to fail. Loans from the International Monetary Fund (IMF) and a group of
Nordic countries were negotiated at the expense of severe austerity measures, falling GDP and currency
values, and international disputes with the British and Dutch Governments over compensation of their
depositors.
And, on 30 September 2008, the Irish Government promised to underwrite the whole Irish banking
system.
It is worth noting that Fortis's Belgian banking operations were sold to BNP Paribas, one of the world's
largest banks, headquartered in Paris. BNP Paribas escaped the financial crisis relatively unscathed. In
August 2007, it was the first major financial organisation to acknowledge the onset of sub-prime
difficulties, suspending three of its funds because it had no way of valuing the CDOs to which they were
exposed. By taking early action, the group limited financial losses to one subsidiary operation.
7/22 M67/P67/March 2018 Fundamentals of risk management

Figure 7.1: Summary of how the financial crisis developed

1. Easy credit fuels US housing boom.
2. Sub-prime mortgages proliferate.
3. Banks sell complex asset-backed securities, many based on sub-prime mortgages, which are difficult to value.
4. Investors rely on rating agency valuations, which turn out to be too high.
5. Commercial pressures and pay structures encourage high-risk trading activities.
6. Weak regulation allows high-risk activity to proceed unchecked.
7. Major organisations fail to identify, assess and manage important risks.
8. Security asset values drop as the housing bubble bursts. Exposed firms run out of cash, and closures and mergers accelerate.
9. Tight-knit financial services organisations lose confidence in each other and credit dries up.
10. Governments intervene to provide massive credit facilities at taxpayers' expense.

B3J Worldwide repercussions


The combined effect of US and European Government actions eventually restored confidence, and
normal market activities resumed. However, the credit squeeze and financial turmoil had affected whole
economies around the world. In the USA, US$17 trillion of household wealth was lost in 21
months and unemployment rose above 10%. Households cut down drastically on spending and
GDP shrank. Businesses lost credit facilities and customers and dependent businesses and trades
struggled to survive. People were forced to leave or abandon their homes as mortgage defaults
continued.
The scale of State rescue spending upset national fiscal policy plans and triggered austerity measures
designed to rebalance economies. Policymakers at State, national and global level struggled with the
aftermath all over the world. On 2 April 2009, the G20 group of nations with the largest economies
announced a US$5 trillion stimulus package to try and fend off recession and restore financial growth.
Strains in European economies are still being felt.

Figure 7.2: Causes of the financial crisis

[Diagram: contributing causes plotted on two axes, from macro (top) to micro (bottom) and from human/social (left) to economic (right). The original layout is not recoverable; the causes shown are:]
• Low US interest rates
• High-risk environment
• US credit/housing boom
• Loss of confidence
• Insufficient liquidity
• Rating agencies
• Growth in CDO products
• Basel II design
• Complex interconnected products/markets
• Weak regulation
• Management attitude and skills
• Computer-based risk modelling
• Too big to fail?
• Risk reporting systems
• Growth of flawed assets
• Firm specific risk culture
• Pay and bonuses

B3K Lessons learnt
It is obvious that many factors contributed to the financial crisis and allowed it to develop. Individual
financial organisations were affected because confidence in securities and lending mechanisms broke
down, and they could not obtain finance to fulfil obligations when it was needed. Organisations with
high-risk strategies were severely damaged when those risks materialised.
Pressure for more and more high-return mortgages from which to derive attractive investment products
undoubtedly caused acceptance criteria to drop and default rates to rise. Government policies
encouraging home ownership and the large market influence of government-sponsored enterprises
(GSEs) with conflicting commercial and Government targets also contributed to the problem. A long
period of cheap credit and rising house prices caused people to act as though prices could never fall.
As underlying assets were bundled into more and more complex financial products, often referenced to
other products, it became difficult to assess underlying risk to determine which products to buy.
Organisations relied on ratings agencies, even though these agencies had the same problems with their
assessments. Many mortgage-backed securities were allocated AAA ratings that did not reflect
underlying risk.
As mortgages and mortgage-backed assets were continuously traded, organisations could pass on risk if
they chose. The availability of CDSs acted as further insurance. Organisations appeared to draw comfort
from these factors, ignoring other risks such as counterparty default.
The structure of the banking system caused risk to accumulate in a handful of global financial
institutions. Some of these were tightly regulated but in others, regulation was lax or otherwise not fit for
purpose. Capital regulations set out in the Basel II agreements were criticised for focusing on asset
values and allowing banks to take on extensive liabilities with little capital in reserve.

Risk management has been criticised in organisations that had to be rescued. Mathematical risk models
were relied on too much and stress tests did not test for conditions that actually occurred. Risk control
was not tight enough. Often, senior management was not aware of critical risks until it was too late and,
in some organisations, opposing risk strategies were being conducted in subsidiaries. Risk cultures
generally encouraged risk taking and risk appetites were not clearly understood.
Risk reporting problems also came to light. In some cases, risk managers were sacked or moved
sideways after highlighting risks inherent in profitable initiatives. In other cases, risk managers were
seen as internal agents of regulators and deliberately ignored. Elsewhere, risk information never reached
the board, or reached them in a form they could not understand, leading to wrong decisions being taken.
In contrast, some financial organisations, notably HSBC and BNP Paribas, avoided problems by rapid
risk identification and reporting followed by active corporate instructions and management to reduce
critical exposures.
Pay structures were another complaint. Senior executives enjoyed multi-million pound or dollar salaries
and generous bonus packages if targets were attained. Generally, targets were short-term, tied to sales
or asset quantity with no reference to quality or risk. Neither were there any arrangements for clawing
back bonuses if losses were incurred. No one had a financial stake in their business because no one
suffered if things went wrong. The size of bonuses, moreover, encouraged manipulation of financial
reports, already obscured by off-balance sheet transactions designed to reduce capital reserves.
A common theme relates to competency of executives, in both financial institutions and their regulators.
Many people did not understand the complexities and implications of the business they were in.
Non-executive board members were not familiar enough with financial operations and not strong enough
to rein in aggressive chief executives. Regulators found it difficult to criticise organisations reporting
sound financial results.
Looking back over the crisis and its development, it is easy to conclude that if all industry executives
and their regulators had the knowledge, skills and experience to make sense of risk exposures inherent
in complex, interconnected financial products and organisations, then a lot of pain could have been
avoided. Organisations needed better risk management frameworks, improved reporting procedures,
and consistent application of risk appetite throughout their operations. Where these characteristics were
in evidence, organisations were able to survive the crisis very well.
Governments need to sustain a viable banking system that will support their financial policies and
protect small investor deposits, and they appoint regulators to oversee financial organisations they
consider critical. Current regulation having proved inadequate, policymakers are looking at options to
prevent excessive risk taking affecting ordinary depositors' funds and investments, including pension
funds. One suggestion is to separate risk-taking investment banking from organisations that manage
personal savings and deposits. The idea is to protect the ordinary taxpayer, while allowing people who
can afford it to take risks in pursuit of higher returns. Organisations in each camp would have distinctive
risk cultures reflecting their different attitudes to risk. Other regulation would tighten financial reporting
standards, raise the amount of liquid capital to be held and introduce rules governing bonus payments.
There is no doubt that risk attitudes and risk management need to be improved, and this will require
considerable education and training of both financial organisation executives and regulators. Reporting
has to be more transparent to allow risks to be properly assessed, and pay structures have to reflect
long-term corporate objectives rather than short-term quantitative targets. Beyond these areas, and a
review of capital ratios to protect liquidity as well as solvency, it is not obvious that additional
regulation would be helpful.
Instead, regulators might be directed to help key financial organisations improve strategic decision
making, become more risk aware, and strengthen the corporate governance of high-risk operations.
There are now fewer key financial organisations. It is important that their risk models and assessments
incorporate lessons from the crisis, and that organisations, regulators and governments work together to
ensure effective risk control prevents future trends developing once more into a systemic loss of
confidence.

Question 7.2
Financial institutions hold limited liquid funds compared with the value of assets they hold. Why was this such a
critical factor in the viability of US investment banks during the financial crisis?

B4 Other publicised disasters

There are, of course, many other disasters that have been investigated and discussed. The following
table summarises a further selection of these major loss events.

Table 7.2: Summary of findings from other major disasters

Event: Sinking of the Titanic passenger liner in the North Atlantic Ocean, April 1912.
Proximate cause: Hit an iceberg.
Effect: 1,571 people died.
Findings:
• Changes to ship design and management.
• International laws introduced to protect safety of life at sea.
• Ships subsequently required to maintain radio watch constantly.
• Ships required to provide sufficient lifeboats in relation to the number of people on board.
• International early warning system in relation to icebergs was set up.

Event: NASA Challenger space shuttle, USA, January 1986.
Proximate cause: Failure of an O-ring seal in a solid rocket booster joint allowed hot gas to escape and rupture the external fuel tank.
Effect: All seven crew members died.
Findings:
• Design flaws.
• Poor safety culture.

Event: Fire at King's Cross underground station in London, November 1987.
Proximate cause: Rubbish underneath a wooden escalator caught fire.
Effect: 30 deaths of customers using the station. One death of a firefighter attending the blaze.
Findings:
• New regulations.
• Replacement of wooden escalators throughout the underground.
• Automatic sprinklers/heat detectors introduced.

Event: Hillsborough disaster in Sheffield, April 1989.
Proximate cause: Overcrowding in a confined space.
Effect: 96 deaths and over 750 people injured.
Findings:
• Elimination of standing areas at football grounds.
• Recommendations for crowd risk control.

Event: Windsor Castle fire in the UK, November 1992.
Proximate cause: Curtains set on fire by a very warm lamp.
Effect: £40m of property damage.
Findings:
• Effective management of workpeople on site.

Event: Concorde caught fire after take-off in Paris, July 2000.
Proximate cause: Ruptured fuel tank in the wing.
Effect: 100 passengers, 9 crew and 4 people on the ground died.
Findings:
• Lessons from previous incidents.
• Quality control within the manufacturing process of component parts.

Table 7.2 illustrates the link between cause, event and effect and shows what was learnt and changed
following subsequent investigations. It illustrates the benefit of effective investigations where analysis
of causes is followed up with recommendations aimed at preventing similar events. In the following
subsections we will briefly discuss these incidents in more detail.
Sinking of the Titanic
The sinking of the Titanic illustrates that even though an event may have happened over 100 years ago,
lessons learned and subsequent risk improvement measures introduced are as relevant now as they
were at the time. Reflection on the causes of the disaster led to a series of regulation changes
throughout the industry as well as the introduction of new legislation, principles that are still in force
today. This example also illustrates why early warnings systems can be invaluable in reducing the likely
incidence of certain types of risk.
Challenger disaster
The Challenger disaster had widespread repercussions. NASA used to undertake its own internal risk
investigations, but this time they were put under public scrutiny by the Rogers Commission, appointed by
US President Ronald Reagan. It would seem that culture across the organisation and the way it made
crucial decisions had played a large part in causing the catastrophe. Concerns raised by engineers and
contractors about launching in cold conditions were ignored by those deciding if the flight was to go
ahead. This flight had already been delayed several times and management were evidently under a great
deal of pressure not to cause NASA further embarrassment. By dismissing issues raised by experts NASA
clearly did not put crew safety at the centre of the decisions it made. In the event, NASA's reputation was
shattered and its ethics questioned. Strategic objectives were put back several years and shuttle flights
were suspended for more than two years.

King’s Cross fire


At King’s Cross underground station, the ignition of rubbish underneath the escalator was thought to
have been caused by a discarded cigarette. Smoking was allowed on the underground network in 1987.
It is always important to consider past events in context when reviewing lessons learned, especially in
relation to laws and regulations operative at the time. Decisions after the fire led to changes being
introduced right across the London underground network not just in the station where the fire happened.
These changes included:
• the banning of smoking on the entire underground network;
• combustible materials being removed; and
• additional fire precautions being introduced.
Hillsborough disaster
In April 1989, an FA Cup semi-final football match between Liverpool and Nottingham Forest was to take
place at the Hillsborough stadium in Sheffield. Transport problems had delayed some supporters and as
kick-off time approached, there were still many people outside the ground. Realising they would not get
through totally inadequate turnstiles before the game started, the crowd became restive and police
decided to open one of the main exit gates. This led to a mass of people pressing into an enclosed
standing area that was already full. Police could have delayed kick-off or diverted the flow to less full
areas but did neither. Wire fencing and steel barriers, originally designed to prevent or reduce the risks
of pitch invasions and hooliganism, barred any escape. Eventually, a safety barrier collapsed and 94
Liverpool fans were crushed to death. A further two died later in hospital. Over 750 people were treated
for injuries and shock, some left permanently scarred or disabled.
Lord Justice Taylor led an enquiry one month after the event. He indicated the main cause of the tragedy
was that police failed to adequately control the crowds. The situation was made worse by
communication failures between those responsible for managing crowd problems at the ground on
match day. Lack of response from trained medical personnel, including the ambulance service, was cited
as directly or indirectly contributing to the eventual death toll. The findings of the report resulted in the
elimination of standing terraces at all major football stadiums in England, Wales and Scotland and
wholesale removal of barriers such as metal bars or wire fences preventing emergency escape.
Although this catastrophe happened over 25 years ago it remains in the news today. Relatives organised
pressure groups, refusing to accept official reports of the disaster or verdicts of accidental death
recorded at the coroner’s inquest. They asked for those responsible to be held accountable. Police still
had questions to answer regarding decisions taken before, during and after the incident, especially in
light of later evidence that police statements formulated immediately after the disaster had
subsequently been altered. Responsibility for the apparent lack of coordinated response from
emergency services also needed proper acknowledgement.
In September 2012, the Hillsborough Independent Panel concluded that up to 41 of the 96 people who
perished might have survived had the emergency services’ reactions and coordination been improved. In
December 2012 the High Court quashed the original verdicts of accidental death and ordered new
inquests, which were held from March 2014 to April 2016. On 26 April 2016 the inquest jury ruled that all
96 victims were unlawfully killed, and confirmed that the behaviour of supporters on the day played no
part in the tragedy. It found blame with South Yorkshire police, ambulance crews, the state of the
stadium and Sheffield Wednesday (which owned the ground).
In June 2017, it was announced that six people are to be charged in relation to the disaster. The former
police chief in charge of the match faces 95 counts of manslaughter by gross negligence, and his
assistant four counts of misconduct in public office. Two other police officers and a solicitor are charged
with perverting the course of justice, and the former Sheffield Wednesday club secretary is charged with
breaching the Safety at Sports Grounds Act 1975. Trials are scheduled to continue until 2019.
This incident highlights that disasters do not necessarily involve significant damage to property, and
often involve more than one organisation or authority. A further problem is that those responsible can
sometimes look to shape public and media perceptions of the causes to deflect responsibility for poor
risk assessment and decision making. Reports published in The Sun newspaper at the time alleged that
Liverpool fans were drunk and without tickets, allegations subsequently shown to be without foundation
and withdrawn. At all stages, senior police officers tried to cover up their shortcomings by blaming the
behaviour of supporters.

Staging a football match involving movement of tens of thousands of people poses its own set of risks.
Decisions have to be made beforehand in terms of the most significant ones and allocation of resources
to manage them. Before this incident, authorities saw the threat of hooliganism or pitch invasions to be
of concern, but did they even consider a sequence of events that could result in fans being crushed due
to mismanagement of turnstiles, barriers and gates? Previous incidents at the ground suggest this
possibility was well known. Moreover, Liverpool FC had complained about the choice of ground following
fans’ complaints at a previous game, and at the time of the incident the ground had no valid safety
certificate.
Windsor Castle fire
Sometimes disasters are caused by simple acts of carelessness by human beings. One act of
carelessness by one individual can lead to devastation. The fire at Windsor Castle was caused by curtains
catching fire from a hot lamp, and the King's Cross fire was probably caused by a carelessly discarded
cigarette. Accidental fires are typically caused by careless use of cigarettes, matches, candles, heaters,
fires, lamps and the like, as well as generation of sparks from electrical equipment or heavy machinery.
The extent of damage caused is then dependent on other factors such as the presence of flammable,
explosive or combustible material and any risk control measures in place. At Windsor Castle the damage
was the destruction of over 100 historic rooms, but at King's Cross and in several night club fire
incidents around the world, the presence of combustible material and lack of adequate escape routes
resulted in serious injuries and loss of life. Lessons learnt from fire disasters have resulted in changes to
laws relating to use of fire resistant materials, building regulations and operating licence conditions, but
we have not yet learnt how to ensure regulations are not disregarded by unscrupulous people with
different objectives.
Concorde plane crash
The Concorde plane crash in 2000 is another example of a serious disaster. The plane caught fire shortly
after take-off and 100 passengers and 9 crew members lost their lives. The crash also claimed the lives
of four people on the ground. A French accident inquiry concluded in December 2004 that the Concorde
disaster was partly caused by the strip of metal that fell on the runway from the Continental Airlines
plane (DC-10) that took off just before the supersonic jet. The Concorde ran over the super-hard titanium
strip, which shredded one tyre, causing a blow-out and sending debris flying into an engine and a fuel
tank and setting it on fire.
A subsequent court hearing in France in 2010 led to a fine for Continental Airlines because the court felt
the US airline was criminally responsible for the Concorde crash. Charges of involuntary manslaughter
were upheld. Continental was also ordered to pay Air France €1m in damages. The judge also gave a
Continental employee a 15-month suspended jail sentence for having incorrectly manufactured and
installed the titanium strip.
Continental always denied that the titanium strip triggered the disaster by shredding Concorde’s tyres,
insisting the supersonic jet had already been on fire for 700 metres of runway. However, the French court
ruled that none of the evidence supported Continental Airlines’ theory.
Continental appealed the decision by the French court and the criminal findings were quashed. However,
Continental was still held to be responsible in a civil legal context and so had to pay the damages
originally awarded by the French court. Some 13 years after the disaster the legal wrangling continued,
with authorities also accusing some parties involved of failing to learn any lessons from the exploding
tyre incidents that had haunted Concorde from the late 1970s onwards.
The Concorde crash also shows how it is sometimes very difficult to find out exactly what may have
caused an accident, especially those where complex systems are involved. Investigations can take many
years to determine the precise sequence of events that led to a catastrophic failing, and even then
conclusions may leave areas of doubt. In terms of its approach to risk management, the aviation
industry is generally known for having a no blame safety culture at its heart. This no blame approach
encourages those within the industry to learn and share lessons from events or near misses. It also
encourages forums to be created whose underlying purpose is to analyse events and learn from
mistakes but crucially without individuals fearing any recrimination.
Conclusions
Following a major disaster, especially one that resonates with the general public, there tend to be
demands for public enquiries or similar forums to investigate causes and allocate responsibility. People
are sceptical about organisations undertaking their own internal enquiries, doubting that underlying
causes will be uncovered and subsequently made known to all interested parties. However, public
enquiries are often complex and time consuming and their merits have been questioned, especially in
terms of accurate recall of events by witnesses some time after they actually took place.

It is not unusual for several investigations into a major incident to be undertaken at the same time, for
example by industry specific authorities, emergency agencies and government appointed bodies. While
on the face of it they may all be looking to uncover the cause(s) of an incident, they will not necessarily
all share the same underlying objectives, reach the same conclusions or look at the same evidence.
Findings of such enquiries need to be studied in the context of their terms of reference.
Official enquiries can be categorised as internal, industry, government, public or judge led. Where
findings are accessible to the general public, reports from enquiries are a valuable source of learning
material.

Be aware
Risk professionals should bear in mind that such reports can provide numerous insights, not only into what went
wrong in certain scenarios, but also to see what risk management lessons can be imported into their own
organisations.

Lessons learnt from investigations and subsequent changes can be organisation specific or can be
applied to others operating in the same sector. Sometimes it is appropriate to apply changes to entirely
different business operations that are deemed vulnerable to similar events. Recommendations can
include introduction of new legislation, changes to standards, guides or regulations, or establishment of
new regulatory or enforcement agencies. Appropriate organisations may publish general or specific
guidelines or instructions aimed at improvement of design, systems, procedures, control or
management.
Most disasters have multiple causes. Often a combination of events exposes weaknesses in complex
systems or dependent activities. Both the BP Gulf spill and the financial crisis fall into this category. In
2009, BP and the Deepwater Horizon crew had successfully completed drilling operations on the Tiber
well in the Gulf, yet in 2010 a similar operation on a similar well went drastically wrong. A particular
combination of design, test and maintenance operational decisions changed the outcome. Similarly in
the financial crisis, it was a particular mix of government policies, falling house prices, regulator
decisions, accounting standards, complex financial products, corporate governance and commercial
pressures that ultimately resulted in the breakdown of confidence and collapse of credit availability that
destroyed key organisations and strained government resources.
In recent years there has been more emphasis on responsibility. People have been educated to
associate accidents and disasters with blame and claim. Those with authority in organisations are
expected to take responsibility and to be held accountable for perceived management failings. Fines,
improvement and prohibition notices are issued and senior executives removed or persuaded to resign.
In the UK the Public Interest Disclosure Act 1998 has encouraged individuals to become
‘whistleblowers’ and expose allegations of wrongdoing.

Question 7.3
It is not unusual for several investigations into a major incident to be undertaken at the same time. Why is caution
needed when examining their conclusions?

C Embedding risk management


We have seen from our analysis of disaster examples that nearly all organisations suffering major losses
did not have an embedded culture that put due emphasis on risk management as an essential element of
corporate governance. Some organisations failed to identify potentially serious risks or misjudged their
consequences. Organisations that were aware of significant risks did not have systems in place to make
sure they were avoided, or else chose to ignore warnings in pursuit of other objectives.
In an organisation with an effective risk culture, methods and procedures used to identify and evaluate
risk should be recorded in documents that follow organisational risk policy and strategy laid down by the
board, or by a risk committee reporting to the board. Procedures should document what information
gathering channels are to be used, what records are to be established and what subsequent analysis is
to be done.
These procedures need to be monitored to see if they are being followed. They also need to be reviewed
to see if they are effective in carrying out risk policy and strategy. Monitoring and reviews can be carried
out by risk department management, by internal or external audit bodies, or by any combination, as an
organisation decides. Whoever carries out the task, their results, arguments, conclusions and
recommendations should be documented for future discussion and action.
In chapter 3 we studied the link between risk management and audit functions. The audit function
should be accountable for providing senior management with independent assurance on the risk
management process and how well it is working. It reviews output from the processes used by the
organisation to identify, evaluate and mitigate risk. The audit committee may establish its own
demands for risk reports on an ongoing basis or may identify a particular area of risk and demand a
detailed report.
Auditors will look for evidence that conversations and meetings have taken place, that information has
been accessed and that records have been kept. Their task will be much easier if suitable record keeping
is part of procedure requirements. Some organisations, particularly those expecting external audits from
safety authorities, say, or financial regulators, use the power and storage capacity of IT systems to keep
such records automatically. They will route as much work as possible through computers so factual
statistics are continuously available.
Reviews will try to establish how effective procedures are in terms of achieving their objectives. For
example, this might involve historical analysis to find how often risks materialised that had not been
previously identified. There may also be historical tests to see if past recommended risk strategies
turned out as planned or whether different strategies would have proved more economical.
The actual extent and depth of audit reviews will depend on the size and type of organisation, its
culture, objectives and past record of discipline. Large organisations may have formal internal audit
structures reporting regularly to the board, while at the other end of the scale the task of reviewing
procedures might be just another headache for a hard pressed owner/manager. Organisations must
make their own audit arrangements based on cost-effectiveness decisions.
Where new projects are being considered, procedures and controls will ensure that proposals identify
and measure risks that the new project will bring and how the project could change any existing risk
profiles elsewhere around the organisation. The control requirement may not just ask for downside risk
to be identified, but also require a demonstration that the balance of risk and return has been evaluated
effectively.
In a well managed organisation, risk will be continuously assessed as a routine activity as alternative
courses of action are discussed. Risk awareness will be embedded in procedures and practice
handbooks and associated training material. Risk management issues and benefits will feature
prominently in organisation news sheets and press releases and in the annual report.

D Benchmarking

If you have appropriate knowledge and skills it is relatively straightforward to set up a system and
procedures for risk management activities in an organisation. The problems come with implementation,
in organising and managing people to carry out required tasks efficiently at the right time. Continuous
hard work is required to achieve consistent performance.
In order to evaluate performance, both measurements and targets are required. We need to set
standards to strive for and take credible measurements to assess progress towards their achievement.
Comparing your performance with best practice examples on a regular basis is the essence of
benchmarking. You can use the information to establish a baseline from which improvements can be
sought.
We have seen that international standards are often accompanied by best practice recommendations
and guides. Many trade and professional organisations publish case studies, together with general and
comparative information. For example, the Association of British Insurers (ABI) and the Operational Risk
Consortium (ORIC) have recently launched their Creating Value from Risk Events best practice paper,
which is a useful benchmarking approach for risk management. Knowledge of other organisations can
sometimes be gleaned from new employees, customers, suppliers or appropriate seminars. Searches
should not be confined to similar organisations. Best practice is often to be found in other industries
and other countries.
When reliable comparative information has been found it can be examined to see if different methods
would improve results in your environment. By adopting the best of other people’s ideas, your own
system and performance can be incrementally enhanced.

Benchmarking can be supplemented by internal audits and reviews. For these to be effective,
quantitative targets need to be established and performance monitored against them. This can be
difficult when different risks need different amounts of attention. Also, temptation must be resisted to
produce arbitrary targets because they are easy to measure, or to set targets that cause people to
neglect other important tasks while they concentrate their efforts on achieving visible performance
measures.
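The historical review described in section C (how often did a risk materialise that the register had not identified in advance, and did losses match what was forecast?) and the quantitative targets called for above can both be computed from two records most organisations already keep: the risk register and the incident log. The following is an added worked example, not code from the study text or from any of the standards it cites; the register entries, incidents, dates, loss figures and the 25% target are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class RiskEntry:
    """One line of the risk register."""
    risk_id: str
    description: str
    identified_on: date           # date the risk was entered in the register
    estimated_annual_loss: float  # the register's forecast of loss per year


@dataclass(frozen=True)
class Incident:
    """One line of the incident log."""
    occurred_on: date
    risk_id: Optional[str]        # register entry it maps to, or None if nothing matches
    loss: float


# Constructed sample data (hypothetical, not taken from the study text).
RISK_REGISTER = [
    RiskEntry("R-01", "Phishing leading to credential theft", date(2016, 3, 1), 40_000.0),
    RiskEntry("R-02", "Ransomware on file servers", date(2016, 3, 1), 120_000.0),
    RiskEntry("R-03", "Cloud storage misconfiguration", date(2018, 9, 15), 25_000.0),
]

INCIDENTS = [
    Incident(date(2017, 2, 10), "R-01", 18_000.0),
    Incident(date(2017, 8, 3), "R-02", 95_000.0),
    Incident(date(2018, 4, 22), "R-03", 30_000.0),  # R-03 was only registered after this loss
    Incident(date(2018, 11, 5), None, 12_000.0),    # never identified at all
    Incident(date(2019, 1, 14), "R-01", 22_000.0),
]


def was_identified_in_advance(incident: Incident, register_by_id: dict) -> bool:
    """True only if the register already held this risk before the incident occurred.

    A risk added to the register after the loss (the usual reaction to a surprise)
    must not be counted as 'identified', or the review flatters the process.
    """
    entry = register_by_id.get(incident.risk_id) if incident.risk_id else None
    return entry is not None and entry.identified_on < incident.occurred_on


def unidentified_risk_rate(incidents, register) -> float:
    """Share of incidents whose risk was not on the register in advance (0.0 to 1.0)."""
    if not incidents:
        return 0.0
    register_by_id = {r.risk_id: r for r in register}
    missed = sum(1 for inc in incidents if not was_identified_in_advance(inc, register_by_id))
    return missed / len(incidents)


def loss_versus_estimate(incidents, register, review_years: int) -> dict:
    """Per register entry: (forecast loss for the review window, actual logged loss)."""
    actual = {r.risk_id: 0.0 for r in register}
    for inc in incidents:
        if inc.risk_id in actual:
            actual[inc.risk_id] += inc.loss
    return {r.risk_id: (r.estimated_annual_loss * review_years, actual[r.risk_id])
            for r in register}


def review_summary(incidents, register, review_years: int, target_unidentified_rate: float) -> dict:
    """Measurement against a target, as a benchmark review would report it."""
    rate = unidentified_risk_rate(incidents, register)
    return {
        "unidentified_rate": rate,
        "target_met": rate <= target_unidentified_rate,
        "loss_versus_estimate": loss_versus_estimate(incidents, register, review_years),
    }


if __name__ == "__main__":
    # Three-year review window (2017 to 2019) against a constructed 25% target.
    summary = review_summary(INCIDENTS, RISK_REGISTER, review_years=3, target_unidentified_rate=0.25)
    print(f"Unidentified risk rate: {summary['unidentified_rate']:.0%} "
          f"(target met: {summary['target_met']})")
    for risk_id, (forecast, actual) in summary["loss_versus_estimate"].items():
        print(f"{risk_id}: forecast {forecast:,.0f}, actual {actual:,.0f}")
```

The point worth noticing is the date check: two of the five sample incidents count as "unidentified" even though one of them now has a register entry, because that entry post-dates the loss. The loss-versus-forecast figures are the input to the second kind of historical test mentioned in section C, whether past strategies turned out as planned; here every forecast exceeds actual loss, which would prompt a review of the estimates rather than a congratulation.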

E Conclusion
In this chapter, and throughout this study text, we have emphasised the need to allow for change. Risks,
environments and people change. Organisations continually face new challenges, legislation, regulation
and market conditions. Opportunities also change, offering the chance of rich rewards for those who can
evaluate and exploit them.
Risk management has emerged as a practical way of avoiding or reducing obstacles that stand in the
way of success. We identify risks that might hinder progress towards achieving our objectives and set
out to deal with them in a systematic and logical fashion.
Risk management has developed from a concept to a profession, with formal qualifications, standards
and opportunities to extend knowledge and skills. It is recognised as a key element of planning and
preparation from government through to service organisations and industry.
In a live, working environment it is not always easy to put theory into practice. Required data will be
missing or unobtainable, people will be uncooperative and resources unavailable. Successful risk
professionals also need management skills, people skills, communication ability, experience and the
ability to imagine the consequences of an incident.
We have identified and discussed risks that are topical in the current world environment, with particular
reference to UK conditions in terms of legislation, regulation, environment and available support. If you
work in another country you will need to find similar information.
We have emphasised that we live in a world of continual evolution and change. Use website references,
establish your own network of contacts and do your own research to keep up to date with the latest
information and trends on any specified topic.
We have seen that the best organisations embrace risk management concepts as an integral part of their
culture. It is an essential element of good corporate governance and best management practice.
However, even in less enlightened environments or in small organisations with limited resources, the
principles and objectives remain valid. Persuading and helping people continuously to be aware of risks
their organisation might face, and to take steps in advance to mitigate or deal with their potential
impact, is always a worthwhile endeavour and might save an organisation from extinction if particular
serious risks materialise.
As a final thought to take forward, remember not to get pessimistic as you imagine all possible
consequences of risks. Probabilities of disasters occurring are low, and lower still if precautions are in
place. Risk management professionals should never be afraid of risk. They can recognise its existence
and know how to deal with it.

Key points
The main ideas covered by this chapter can be summarised as follows:
Risk management standards
• Professional organisations across the world have published recommendations as to the best way of carrying out
the risk management function in an organisation.
• ISO 31000 is separated into three risk management areas: principle, framework and process. The principles
emphasise that risk management is an integral part of organisational processes and decision making.
• The ISO 31000 framework is intended to help organisations to integrate risk management into their overall
management framework.
• FERMA 2003 is a European standard based on the UK standard AIRMIC, Alarm, IRM: 2002.
• The FERMA standard uses ISO terminology and sets out the process by which risk management can be carried out.
It also outlines an organisation structure for risk management, and includes a list of benefits to be expected. There
are sections on risk reporting and communication, and monitoring and review of the risk management process.
• AIRMIC, Alarm, IRM: 2010 provides a structured approach to implementing risk management in the context of
ISO 31000. The guide reviews the principles and processes of risk management, provides an overview of the
requirements of ISO 31000, and gives practical guidance on how to design an enterprise-wide risk management
framework and implement an ERM system.
• Organisations following COSO recommendations would be recognised as following best practice in risk control and
would eliminate accounting irregularities.
• Compliance with COSO satisfies the US legal requirements for financial reporting as set out in Sarbanes-Oxley
corporate governance legislation.
Example studies of major losses
• Equitable Life was a well established, successful insurance company that became insolvent in 2000.
• Equitable Life’s management made key decisions to sell products that were only profitable in times of high interest
rates and to operate with minimal reserves. When interest rates fell, potential losses outstripped reserves.
• A combination of factors conspired to bring about the company’s demise. A high risk business strategy was
adopted by arrogant, forceful executives who seemingly dominated board discussions.
• Top level governance checks didn’t work because non-executive directors were incompetent and bullied, and
regulators were disorganised and inefficient. Equitable Life had no contingency capital or plans to deal with
surprises and no access to additional shareholder funds.

• In 2010, BP was in the process of sealing a newly drilled deep sea oil well in the Gulf of Mexico for later production
when a ‘blowout’ occurred.
• Eleven people were killed as a result of the incident. The drill riser and pipe were damaged and continued to
discharge into the water. It took a further 83 days to stop the flow, resulting in massive clean-up operations around
the Gulf and still unmeasured damage to marine ecology.
• Investigations listed at least thirty separate decisions that increased risks during design, installation and testing.
• Investigators criticised the way all operations were conducted. System safety was never a prime consideration in
documentation or reported discussions. Regulation also failed.
• The financial crisis peaked to full-scale panic in August and September 2008 when simultaneous failures of some
of the world’s largest financial organisations were confirmed and banking confidence broke down.
• House prices in the US increased each year from 1997 to 2006, by an average of 150%. By 2007 house prices had
become unsustainable, and in most regions were starting to fall.
• The structure of the banking system caused risk to accumulate in a handful of global financial institutions. Some of
these were tightly regulated but in others, regulation was lax or otherwise not fit for purpose.
• Investigating links between cause(s), event and effects allows recommendations to be made aimed at preventing
similar events. Recommendations can include introduction of new legislation, changes to standards, guides or
regulations, or establishment of new regulatory or enforcement agencies.
• Most disasters have multiple causes. Often a combination of events exposes weaknesses in complex systems or
dependent activities.
Embedding risk management
• Risk management methods and procedures need to be monitored to see if they are being followed. They also need
to be reviewed to see if they are effective in carrying out risk policy and strategy.
• Auditors will look for evidence that conversations and meetings have taken place, that information has been
accessed and that records have been kept.
• Reviews will try to establish how effective procedures are in terms of achieving their objectives.

Benchmarking
• Comparing your performance with best practice examples on a regular basis is the essence of benchmarking.
• By adopting the best of other people’s ideas, your own system and performance can be incrementally enhanced.
Conclusion
• Risk management has emerged as a practical way of avoiding or reducing obstacles that stand in the way of
success.
• The best organisations embrace risk management concepts as an integral part of their culture. It is an essential
element of good corporate governance and best management practice.

Question answers
7.1 ISO 31000 is split into three risk management areas: principles, framework and process.
7.2 This is because in 2007 the five major US investment banks were operating with ratios around 40, i.e. for
every £40 of assets they held there was only £1 available to cover losses. Put another way, a 3% drop in asset
values could wipe out the bank.
7.3 While at face value they may all be looking to uncover the cause(s) of an incident, they will not necessarily all
share the same underlying objectives, reach the same conclusions or look at the same evidence. Findings of
such enquiries need to be studied in the context of their terms of reference.


Self-test questions
1. What is the essence of the AIRMIC, Alarm, IRM philosophy regarding risk management and organisation
culture?
2. Why is the COSO internal control framework widely used in US organisations and their overseas branches?
3. What was the key decision that led to the demise of Equitable Life and why was it so important?
4. What were the main aims of recommendations made after the BP Gulf disaster?
5. Why were pay structures criticised for contributing to the financial crisis by encouraging high risk
behaviour?
6. In investigations into the 2008 financial crisis, what general complaints were made concerning competency
of executives, in both financial institutions and their regulators?
7. What should an audit function be accountable for when reviewing and monitoring risk management
procedures?
8. Where can comparative information on risk management practice be obtained?

You will find the answers at the back of the book


Self-test answers i

Chapter 1 self-test answers


1. From the middle of the twentieth century.
2. As fate or acts of God.
3. To contain the effects of risks they take so that the general public are protected.
4. The characteristics include:
• dread (lack of control, catastrophic potential, inequitable distribution of benefits and dreadful
consequences); and
• unknown risks (limited knowledge of risk, possible delayed effect and unknown consequences).
5. We cannot be sure exactly when or how often a risk will materialise or precisely what its full
consequences will be.
6. So that all employees and other stakeholders have a common understanding of discussions and
reports.
7. Pure risk only has negative consequences. Speculative risk can have negative consequences but is
accepted in the expectation of adequate reward.
8. Often it is easier to prevent or control causes of risk rather than try to deal with anticipated
consequences once a risk has materialised.

Chapter 2 self-test answers


1. To see whether they can be tolerated, tolerated with financial compensation (insurance), or are
totally unacceptable. This will lead to recommendations for appropriate management action.
2. Any six from the following:
• compliance with legislation and regulation;
• improved corporate governance (top management control);
• understanding (and therefore avoiding or reducing) operational risk;
• understanding risks associated with opportunities (and therefore better choices);
• improvements in both internal and external risk reports and communications (increase in
stakeholder satisfaction and possible decrease in cost of borrowing);
• avoidance of disasters;
• reduction in frequency of incidents;
• reduced cost of incidents;
• reduced insurance costs;
• increased likelihood of meeting organisation objectives;
• preservation of reputation;
• improved health and safety; and
• quicker recovery from emergencies.
3. It is crucial to be clear whether risks inherent in the outsourced operation have been transferred or
retained.
4. Issues for consideration to protect an organisation against damage or loss are as follows:
• safety of people;
• safety of assets;
• revenue and cash flows;
• legal obligations; and
• delivery of promised goods and services.
5. The key elements of the risk management process are:
• establish the context;
• identify risks;
• analyse risks;
• evaluate risks;
• treat risks;
• communicate; and
• monitor and review.
6. When we are setting out to analyse identified risks we are looking for the following:
• Could it happen?
• How bad would the loss or damage be?
• How often could it happen?
7. There are three choices available to try to control unacceptable risks:
• retain the risk;
• reduce the risk down to acceptable levels; or
• transfer the risk to insurers or others.

Chapter 3 self-test answers


1. Corporate governance is the way a board sets up an organisation to achieve its objectives, together
with the systems it puts in place to manage and control that organisation.
2. Devices and procedures that can be used for internal control include:
• approvals;
• authorisations;
• reconciliations;
• separation of duties;
• physical controls;
• IT controls; and
• peer reviews.
3. ERM is the structure an organisation sets up to control risk management across the whole of its
organisation. ERM allows all the risks involved in an organisation to be looked at together and from
different perspectives. This is known as a holistic approach.
4. Heads of departments have primary responsibility for identifying, assessing and managing
operational risks in their areas. A group risk management function is responsible for setting up
and maintaining the ERM framework, and for coordinating all risk management functions within
the group.
5. Any five from the following:
• Ensure risk management is at the heart of strategic decision making.
• Supply appropriate risk management skills and expertise concerning any corporate involvement in
major initiatives or programmes.
• Agree, establish and oversee a risk management framework across the organisation.
• Raise ‘risk awareness’ across the organisation.
• Communicate on risk matters with all business areas and appropriate external stakeholders.
• Ensure all risk owners understand the risks they are responsible for.
• Provide advice and support across the organisation to ensure effective risk management.
• Identify risk trends and emerging risks of interest to the organisation.
• Identify, analyse, assess and evaluate a range of individual risks across the organisation.
• Maintain an up-to-date risk register.
• Evaluate existing risk controls – highlighting any deficiencies and creating action plans for
improvement.
• Implement cost effective risk controls or adjustment.
• Identify and report on the most important risks faced by the organisation.
• Prepare insurance programmes and business continuity plans.
• Identify and report on significant changes in probability or impact of the most important risks
faced by the organisation.
• Work within agreed budgetary constraints.
• Take overall responsibility for recruitment and development of direct reports including appropriate
training.
6. Compliance is a subset of audit, concentrating on a limited number of important risks, normally
those threatening compliance with relevant laws and regulations.
7. Risk appetite describes those risks that an organisation is actively willing to take. Risk tolerance
describes those risks that the organisation might be able to put up with. A risk appetite policy can
be used as a guide for both new and existing risks.
8. Activities that support a risk aware culture include leadership, involvement, learning, accountability
and communication. Any management device is useful that contributes to the aim of fully
embedding risk consideration as an integral part of everyday procedures at all levels in an
organisation.

Chapter 4 self-test answers


1. Risk departments should take interest in procedures manuals because this is where procedural risk
management is implemented.
2. Large companies include risk information in their annual report to demonstrate proper management
and risk awareness.
3. To be effective, procedures for collecting risk information must be clearly documented and issued
with the authority of the managing director or chief executive officer.
4. To collect information in a common format to simplify comparisons and analyses of the information.
5. Flow charts show how goods and services come together to achieve a final product. Fault trees
highlight possible causes of failure to deliver that product.
6. Fault trees are used to investigate what could cause supplies to cease and consider the likelihood of
that happening.

Chapter 5 self-test answers


1. Risk categorisation systems are important because they allow an organisation to consider where
similar risks may lie within and outside its operations. It will also clarify potential for applying
generic risk control strategies across similar risks.
2. The four risks that could threaten the survival of a business are as follows:
• High monetary value incidences of common risks such as physical damage, fraud or misuse
of funds.
• Loss of confidence.
• Credit, solvency and liquidity risks.
• Third party damage.
You may have thought of others.
3. The purpose of a tolerance line is to separate those risks which are acceptable and need no action
from those that are not acceptable and require attention.
4. Risk controls can be classified as preventive, corrective, directive and detective.
5. A risk register contains various information which an organisation needs to manage risks.
6. Financial risk models are used because concepts such as profit, solvency and liquidity are
mathematically related to sales, costs, liabilities and asset values, so stress tests can explore the
effect of variations in individual parameters.
7. The objective of risk reports is to provide accurate and concise information in a format that the
recipient can understand.

Chapter 6 self-test answers


1. No, because in estimating total potential losses it is not enough to add up individual losses and
their frequency. Aggregate losses must also be considered.
2. The two calculations we need to make are:
• the single largest amount the organisation can afford to retain; and
• the aggregate of losses the organisation can afford to retain over a given time, ignoring low level,
common, frequent losses.
3. If organisations are going to pay premiums now and rely on the insurance market for financing risks
that materialise in the future, then they need to be sure the market is stable. It is also important that
insurance firms are able to meet their liabilities when organisations need to make a claim.
4. Any five from the following:
• property surveys;
• business continuity plans;
• business interruption reviews;
• health and safety workplace reviews;
• liability surveys;
• motor fleet risk management;
• environmental risk surveys;
• post-loss control services; and
• disaster recovery services.
5. Available options include the following:
• co-insurance, where two or more insurers share the risk;
• excess layers;
• separate umbrella policies; and
• additional policies for specialist cover.
6. The main driver tends to be the desire for effective corporate management and control across the
organisation.
7. The three sources of funding are:
• the cash flow and asset sources of the organisation itself;
• funds available from within the captive; and
• the captive’s reinsurers.
8. Five conditions for successful risk transfer are:
• contract terms are enforceable;
• contract terms are unambiguous;
• the person you have transferred to can manage the risk;
• the person you have transferred to can finance the risk; and
• the price paid for the risk transfer is reasonable.

Chapter 7 self-test answers


1. Risk management must be integrated into the culture of an organisation, with leadership from the
board and a structured management framework to ensure appropriate procedures and practices are
followed at all levels and in all operating units.
2. The COSO internal control framework is used because compliance with it satisfies US legal
requirements for financial reporting as set out in Sarbanes-Oxley corporate governance legislation.
3. The ‘full distribution’ policy promoted by Ranson in 1983 was the key decision. By distributing all
profits to policyholders there was nothing left to build up reserves.
4. Most recommendations aimed to ensure future high risk drilling operations were properly controlled
and supervised by competent staff, trained to consider overall system implications of technical
decisions, and with ability to correctly interpret the results of tests. The culture of participating
organisations had to change from emphasis on production to emphasis on safety. Governance
improvements required effective risk analysis and review of decisions before permits would be
granted.
5. Senior executives enjoyed multi-million pound or dollar salaries and generous bonus packages if
targets were attained. Generally, targets were short term, tied to sales or asset quantity with no
reference to quality or risk. There were no arrangements for clawing back bonuses if losses were
incurred.
6. Many people did not understand the complexities and implications of the business they were in.
Non-executive board members were not familiar enough with financial operations and not strong
enough to rein in aggressive chief executives. Regulators found it difficult to criticise organisations
reporting sound financial results.
7. The audit function should be accountable for providing senior management with independent
assurance on the risk management process and how well it is working.
8. International standards are often accompanied by best practice recommendations and guides. Many
trade and professional organisations publish case studies, together with general and comparative
information. Knowledge of other organisations can sometimes be gleaned from new employees,
customers, suppliers or appropriate seminars.

Statutes

B
Bank of England and Financial Services Act 2016, 6C2
Basel I, 1A4A
Basel II, 1A4A, 7A, 7B3K
Basel III, 1A4A, 7A

C
Companies Act 2006, 3A1
Consumer Insurance (Disclosure and Representations) Act 2012, 6C1A

D
Data Protection Act 1998, 1E4
Dodd-Frank Wall Street Reform and Consumer Protection Act, 6C2A

E
Enterprise Act 2016, 6C1A
EU Gender Directive 2012, 1E11

F
Financial Services Act 2012, 6C2

G
General Data Protection Regulation (GDPR), 1E4

H
Health and Safety at Work etc. Act 1974, 6C3D

I
Insurance Act 2015, 6C1A

J
Jumpstart our Business Startups Act 2012, 3A3B

M
Marine Insurance Act 1906, 6C1A
McCarran-Ferguson Act of 1945, 6C2A
Modern Slavery Act 2015, 2C1B

P
Public Interest Disclosure Act 1998, 7B4

S
Safety at Sports Grounds Act 1975, 7B4
Sarbanes–Oxley Act 2002, 1A4A, 3A3, 3A3B
Solvency I, 1A4A
Solvency II, 1A4A, 6C2A, 7A

Index

A
aggregate loss, 5C6
AIRMIC, Alarm, IRM: 2010, 7A3
alternative risk transfer, 6E
analysing risks, 2D2B
asset loss, 5C2

B
benchmarking, 7D
board and risk management, 3A1
BP disaster, 7B2
  consequences of risk management failure, 7B2B
  lessons learnt, 7B2
brainstorming, 4G5
BS 25999, 6A3
business
  continuity plans, 6C3B
  impact analysis, 6A3
  interruption reviews, 6C3C
  risk, 1E8
  survival, 5C4

C
captive insurer, 6D2B
catastrophe bonds, 6E2
Challenger disaster, 7B4
checklists and questionnaires, 4G3
chief risk officer, 3C1
co-insurance, 6C6A
Committee of Sponsoring Organizations of the Treadway Commission (COSO), 3A4, 5B4, 7A4, 7B2A
Concorde plane crash, 7B4
continuity planning, 2D4
control self assessment (CSA), 3A4A
corporate governance, 3A3
  and internal control, 3A
cost of risk incidents, 6A
credit risk, 1E6
cyber crime, 2C3B

D
data collection, 4E
  external information, 4E2
  internal information, 4E1
data concentration, 2C3B
deductible analysis, 6C5
delivery of promised goods and services, 2C2E
disaster recovery services, 6C3I
discounted cash flow (DCF) analysis, 6B2
Dow Fire and Explosion Index, 5E2
duty of fair presentation, 6C1A

E
enterprise risk management (ERM), 3B, 6C2A
environmental risk surveys, 6C3G
Equitable Life, 7B1
evaluating risks, 2D2C
evolution of risk management, 1A
  eighteenth century, 1A2
  nineteenth century, 1A3
  post-World War II, 1A4A
  seventeenth century, 1A1
  twentieth century, 1A4
examples of major losses, 7B
excess layers, 6C6B
external information, sources of
  business and professional institutions, 4D
  company reports, 4D
  conferences, 4D
  consultants, 4D
  databases, 4D
  emergency services, 4D
  government organisations, 4D
  insurers, 4D
  newspapers and magazines, 4D

F
fault trees, 4G6
Federation of European Risk Management Associations (FERMA), 7A2
financial crisis, 2008
  banking system, 7B3
  cash flows, 7B3
  economic situation, 7B3
  effects in Europe, 7B3I
  effects in the UK, 7B3H
  lessons learnt, 7B3K
  risk assessment, 7B3
  risk management and control, 7B3
  US organisations, 7B3G
  worldwide repercussions, 7B3J
flow charts, 4G2
fraud, 6C1A

G
global and political risks, 2C3A
global or international insurance covers, 6C7
governance, risk and compliance (GRC), 3F

H
hazard and operability (HAZOP) studies, 4G7
health and safety reviews, 6C3D
health damage, injury or loss of life, 5C1
Hillsborough disaster, 7B4

I
identifying risks, 2D2A
impact
  defining, 5C5
  measuring, 5C
  numerical definition of, 5D6
individual responsibilities, 3C
insurance
  as a risk transfer mechanism, 6C
  derivatives, 6E1
  programme, organising, 6C4
  related costs, 6B3
  renewal, 6C8
  risk, 1E9
internal
  control, 3A4
  fund, 6D2A
internal information, sources of
  auditors’ reports, 4C
  committees, 4C
  databases, 4C
  documents, 4C
  historical risk reports, 4C
  insurance documents, 4C
  meetings, 4C
  observation, 4C
  people, 4C
  procedures manuals, 4C
international operations, 6C2A
ISO 22301, 6A3
ISO 31000, 7A1

K
key risk indicators, 7B2A
King’s Cross fire, 7B4

L
legal obligations, 2C2D
liability surveys, 6C3E
limits and sums insured, 6C6
liquidity risk, 1E7
loans, 6E3

M
market risk, 1E5
maximum possible loss, 5C5
maximum probable loss, 5C5
minimum capital requirement (MCR), 6C2A
misrepresentation, 6C1A
money laundering, 1E11
monitoring and reviewing, 2D6
motor fleet risk management, 6C3F

N
new and emerging risks, 2C3

O
operational risk, 1E4
organisation charts, 4G1

P
physical inspections, 4G4
post-loss control services, 6C3H
probability
  and frequency, 5D3
  combining probabilities, 5D2
  impact/tolerance matrix, 5F
  measuring, 5D
  numerical definition of, 5D5
  theory, 5D1
property surveys, 6C3A
protection against damage or loss, 2C2
pure risk, 1E2
‘put options’, 6E4

R
regulatory and legal risks, 1E11
reinsurance, 6D2C
  facultative, 6D2C
  obligatory, 6D2C
relationship between audit and risk management, 3D
relationship between compliance and risk management, 3E
reliability and change, 4F
  does our information change?, 4F2
  is our information reliable?, 4F1
reputation risk, 1E10
retaining the risk, 2D3A
revenue and cash flows, 2C2C
risk
  and consequence, 1F
  and organisational objectives, 2C
  and reward, 1D
  and uncertainty, 1C
  assessment, 5A
  aware culture, 3H
  committees, 3C4
  comparison, 5E1
  control, 5G
  factor indices, 5E2
  financing plan, 6F
  geopolitical, 2C3A
  global economic, 2C3A
  global environmental, 2C3A
  global social, 2C3A
  global technology, 2C3A
  identification, methods of, 4G
  impact limits, 6B2
  manager, 3C2
  maturity, 3I
  models, 5H1
  officer, 3C3
  perception, 1B
  political, 2C3A
  ranking, 5E
  reduction, 2D3B
  registers, 5H
  retention, 6D1
  sharing, 6D3
  supervision of, 3A2
  tolerance, 3G2
  transfer by contract, 6D4
  transferring, 2D3C
  treatment and control, 2D3
  types of, 1E
risk aggregation, 5C7
  and correlation, 5D4
risk appetite, 3G1
  and tolerance, 5F
risk categorisation, 5B
  approaches to risk categorisation, 5B3
  difficulties with categorising risks, 5B2
  principles and benefits, 5B1
  systems, 5B4
risk financing
  options, 6B, 6D
risk information, 4A, 4B
risk management
  benefits of, 2B
  embedding, 7C
  evolution of, 1A
  implications, 3A3C
  introduction to, 2A
  philosophy, 2D1
  policy statement, 2D1
  process, 2D
  regulatory context surrounding, 6C2
  representations, 5F1
  role of an intermediary, 6C3
  standards, 7A
risk management systems
  why they can fail, 7B2A
risk perception
  importance of, 1B10
risks
  dread and unknown, 1B8
risks from stakeholders
  banking industry, 2C1
  customers, 2C1
  distributors, 2C1
  employees, 2C1
  others, 2C1
  partners, 2C1
  private investors, 2C1
  quoted shareholders, 2C1
  regulators, 2C1
  suppliers, 2C1
  the environment, 2C1
  the media, 2C1

S
safety of
  assets, 2C2B
  people, 2C2A
SCR requirements, 6C2A
self-insurance programmes, 6D2
single point of failure, 2C3B
solvency capital requirement (SCR), 6C2A
special purpose reinsurance vehicle (SPRV), 6E2
specialist covers, 6C6D
speculative risk, 1E1
strategic risk, 1E3
supply chain continuity, 6A3

T
technology and cyber risk, 2C3B
terrorist risk, 2C3C
time and resources, 5C3
Titanic, 7B4

U
UK Corporate Governance Code, 3A3A
umbrella policies, 6C6C
updating and communication, 2D5

W
Windsor Castle fire, 7B4
Chartered Insurance Institute
42–48 High Road, South Woodford,
London E18 2JP

tel: +44 (0)20 8989 8464

customer.serv@cii.co.uk
www.cii.co.uk

@CIIGroup

© Chartered Insurance Institute 2018

Ref: MP67T9
