
More art than science: Time for a greater focus on the softer aspects of risk?

IRM International Diploma special: All you need to know about IRM’s key qualification

Geared up for success? Is your operation ready to take advantage of unexpected growth?

Getting it back on track: Why product recalls don’t have to be a PR disaster

The official magazine of the Institute of Risk Management www.rmprofessional.com | Autumn 2014

Space race
Is the final frontier for
tourism a risk worth taking?






IRM chairman: Richard Anderson FIRM
Chief executive officer: Jeremy Harrison FIRM
Business development director: Sophie Williams MIRM
Head of marketing: Fiona Duhig, fiona.duhig@theirm.org, Tel: +44 (0)20 7709 9808
Managing editor: Sush Amar, sush.amar@theirm.org, Tel: +44 (0)20 7709 4114
Editor: Phil Lattimore, phil.lattimore@rmprofessional.com, Tel: +44 (0)7802 870008
Design and production: CPL (Cambridge Publishers Ltd), 275 Newmarket Road, Cambridge CB5 8JE, Tel: 01223 477411, Web: www.cpl.co.uk
Advertising manager: Michael Niskin, Tel: +44 (0) 1223 273 535, michael.niskin@rmprofessional.com

Risk Management Professional is the official publication of the Institute of Risk Management (IRM). ISSN 2042-4078

IRM is the world’s leading professional body for risk management. We are independent, well-respected advocates of the risk profession, owned by practising risk professionals and operate internationally, with members and students in more than 100 countries.

Institute of Risk Management, 2nd Floor, Sackville House, 142-149 Fenchurch Street, London EC3M 6BV
Tel: +44 (0)20 7709 9808
Fax +44(0)20 7709 0716
www.theirm.org
enquiries@theirm.org

Copyright © 2014 Institute of Risk Management. All rights reserved. Reproduction without written permission is strictly forbidden. The views of outside contributors are not necessarily the views of IRM, its editor or its staff.

Cover image: Virgin Galactic

editorial

Naked truth

Another week, another cyber breach, another batch of headlines. While the hacking/stealing of celebrities’ intimate cameraphone images may generate more ethical hand-wringing newspaper articles than your average corporate institution’s data loss, both reflect the ongoing issue of cyber security in an ever more connected, data-reliant – yet sometimes cyber risk-unaware – society. From the private to the professional, the loss of sensitive data can be traumatic and damaging.

The variety and complexity of the cyber threat – and how risk professionals should address it – was discussed in detail by leading experts at IRM’s recent Cyber Risk Summit, held in London over the summer. One of the key speakers at the event, chief information security officer of the Bank of England Don Randall MBE, delivers his views on the topic on pages 19-20 of this edition, while IRM’s comprehensive guidance for risk professionals in its report, Cyber risk: resources for practitioners, remains an essential read for anyone looking to understand the issues and take practical steps to mitigate these risks.

Positives and negatives

Of course, risk management is about positives, too. Risk managing for success is, perhaps, undervalued by some outside the profession, but ensuring that your organisation is prepared for surges in demand or unexpected growth can be critical for a business’ operations. We look at how to navigate the risks involved and take full advantage of the opportunities on pages 16-18.

On the flip-side, a potentially negative situation – such as a product recall – doesn’t have to prove a disaster if risk management processes and plans are in place to manage the situation promptly and effectively. We explore recent examples of both successes and failures when things go wrong in our feature on pages 12-15.

Meanwhile, our cover story for this issue looks at the final frontier for extreme tourism – space travel – and how this out-of-this-world holidaymaking experience requires the ultimate in rigorous risk management. You can read all about it on pages 29-32.

The right knowledge

Being prepared and having the right knowledge is crucial as the scope and importance of risk functions in organisations grows. In this edition, we also include a special section on IRM’s International Diploma in Risk Management, which has been revised and updated to reflect the changes in knowledge and new challenges facing global business. You can find out all you need to know about the new qualifications on pages 21-28.

Enjoy the magazine.

Phil Lattimore
Editor, RMProfessional


CONTENTS
AUTUMN 2014

Regulars

6 News
The latest risk management news, including the establishment of a UK Food Crime Unit in response to food fraud scandals, celebrity cyber breaches, warnings on debt, and threats to the economic recovery

10 Talking points
Reader feedback on some of the key issues facing the risk profession

11 CEO’s message
Increasing regulation is boosting the demand for risk professionals, but having the right knowledge and experience is crucial, says IRM interim chief executive Jeremy Harrison

38 Book review
Featuring Risk-based performance management: integrating strategy and risk management, by Andrew Smart and James Creelman

IRM focus

21 Enter the next generation of risk managers...
An eight-page focus on the launch of the IRM’s revised International Diploma – an essential guide

39 Glocal hero
IRM board director Nicola Crawford FIRM reflects on ‘glocalisation’ and the challenges it presents to risk professionals

40 IRM news
IRM updates, including details of the Risk Leaders 2014 conference, key events and training opportunities, plus news from IRM’s special interest and regional groups

44 In the name game
Career questions answered by David Imison, delivery director of risk at Schillings

46 Member profile: Monika Narula
We talk to the operational risk manager at RBS India who is a self-confessed tea inventor with a shelf of awards – and a passion for books

Features

12 Total recalls
A badly-handled product recall can have a huge impact on both reputation and the bottom line. So what lessons can risk professionals learn from recent high-profile examples?

16 Dream nightmare
Would your organisation be adequately prepared for a sudden surge in demand or popularity? We explore how risk professionals should prepare for opportunities and over-performance

19 Banking on it
Among the experts presenting at IRM’s sell-out Cyber Risk Summit, RMProfessional caught up with Don Randall MBE – chief information security officer at the Bank of England – for his views on the cyber threat

29 To boldly go...
As Virgin Galactic prepares to take fare-paying passengers into space, we explore how the risks associated with space tourism are being managed

33 Handle with care
Recently published NHS data signal a warning for the medical devices industry about the risks of inflated expectations from patients

34 The case for risk leadership
Now is the time for a greater focus from risk professionals on the softer behavioural aspects of risk, argues David Hancock

‘Yes, negative risks must come first, but then you should turn the conversation around’ (Page 16)


Celebrity hack highlights data risk

The risk of having personal data and images hacked has been highlighted with the release of naked images of high-profile Hollywood celebrities on an image-sharing forum.

Among those targeted by the unknown hacker posting on site 4chan were Oscar-winning actress Jennifer Lawrence (pictured), model Kate Upton, and singers Ariana Grande and Victoria Justice. Both Justice and Grande have denied the images are of them, but a spokesman for Lawrence has confirmed the authenticity of her pictures. Legal action is being taken, together with an FBI investigation.

The images – said to come partly from celebrities’ phones – were reportedly susceptible to hacking, though Apple has denied that its security was breached.

Accounts can be accessed relatively easily if a hacker can guess a user’s password, or reset the account password by answering basic security questions. However, Apple is now tightening iCloud security, with additional measures to alert users if data is restored to a new device.

RBS hit with £15m fine over mortgage advice

Taxpayer-controlled Royal Bank of Scotland (RBS) has been hit with a £15m fine by the Financial Conduct Authority (FCA).

The fine has been imposed after the bank was found guilty of giving poor sales advice to mortgage customers in the latest scandal to affect the troubled bank.

It is not the first time RBS has been landed with extensive fines, with past penalties including £390m for rigging the Libor rate, and £8.75m for money-laundering irregularities by its Coutts subsidiary.

A further fine is expected to be imposed by the FCA over the failure of its computer systems in 2012.

The bank is also currently under investigation in connection with alleged collusion in the foreign exchange market.

The RBS fine means the total in FCA penalties this year stands at approximately £265m. Last year, fines reached a record £447m.

Effects of ebola reach UK economy

The economic effects of the African ebola crisis continue to be felt, with the UK hit by ongoing repercussions on both travel and businesses.

Liberia, Sierra Leone and Guinea have all suffered economic effects, which have, in turn, hit British businesses. Among these is British Airways, which has suspended flights to Sierra Leone and Liberia until at least the end of the year.

Other businesses affected have been associated with the mining industry, especially in the wake of falling iron ore prices, and the need to impose travel restrictions on staff and visitors from affected regions.

Further problems have included: delays in shipping vital equipment and the export of the finished product; palm oil and rubber manufacture; and oil and gas production.

Matt Robinson, senior credit officer at credit ratings agency Moody’s, warned that if an outbreak hit the Nigerian capital, Lagos, ‘the consequences for the West African oil and gas industry would be considerable’.

Ukraine crisis threatens eurozone recovery

The head of the European Central Bank (ECB) has said the political crisis over Ukraine threatens to derail Europe’s ‘weak, fragile and uneven’ recovery.

Mario Draghi has warned that tit-for-tat sanctions between the EU and Russia are sharply increasing downside risks within the 18-nation eurozone.

Even Germany is experiencing an unforeseen slowdown in industrial production.

‘Heightened geopolitical risks, as well as developments in emerging-market economies and global financial markets, may have the potential to affect economic conditions negatively,’ said Draghi, after the ECB’s governing council kept the benchmark rate at a record low level of 0.15 per cent.

Moscow’s decision to impose a full embargo on food imports from the EU, USA, Australia, Canada and Norway was likely to have an impact on European exports, economists warned.


Industry focus: news round-up

Food fraud squad

A new Food Crime Unit is to be set up in the UK to tackle the fraudulent food trade and strengthen consumer confidence in Britain’s food.

The establishment of the special force comes in the wake of last year’s horsemeat scandal, and is part of the government’s response to Professor Chris Elliott’s report into food integrity and assurance of food supply networks. All of the recommendations in the Elliott report have been accepted by the government, environment secretary Elizabeth Truss confirmed. As well as the establishment of a new Food Crime Unit, the government has announced further measures to make sure consumers know where their food is coming from and ensure consumer confidence. These include:

- Improved labelling, with new country of origin labelling introduced from April 2015.
- Making it easier for food procurers to make decisions about the locality, authenticity and traceability of their food.
- Improving public procurement of food and catering services to provide schools and hospitals with high quality British food and boost UK farming.
- Improving food education in schools through a new national curriculum to give children a better understanding of where their food comes from and why it is important to know what is in our food.

Professor Elliott’s review examined ways to prevent food fraud incidents from happening. It also looked at how to improve the culture of Britain’s food supply chain to support industry taking effective responsibility for the traceability of their products, supporting local authorities’ target enforcement activity based on risk, and ensure consumers have an increased understanding of where their food comes from.

IMF fears for global growth if rates rise

The global economic recovery could be derailed if interest rates return to normal levels in Britain and the United States, the International Monetary Fund (IMF) has warned.

In its annual Spillover Report, the IMF claims a percentage point could be wiped off growth in the UK and cause a panic in emerging markets. Developing economies could suffer a flight of capital to the west when interest rates begin to rise and quantitative easing is reduced.

The Bank of England is expected to announce an increase in interest rates later this year, having held them at 0.5 per cent since 2009. In the US, the Federal Reserve is winding down its quantitative easing programme, and is forecast to start raising interest rates in June.

The IMF has warned that global growth could fall by as much as two percentage points.

‘Much will depend on how well the normalisation process can be managed in major advanced economies, and on policy frameworks in recipient economies,’ it said.

FCA limits sale of high-risk, high-yield bonds

The UK’s Financial Conduct Authority (FCA) has placed a one-year ban on the sale of risky complex bank bonds to individual investors.

In the first use of its new consumer protection powers, the financial industry regulatory watchdog says it will limit the selling of contingent convertible securities – or ‘coco bonds’ – from 1 October, as the high-yield investments are inappropriate for a mass retail market.

Coco bonds offer yields in the region of six to seven per cent, but their value can be written down if the issuing bank’s capital drops below a minimum level.

Christopher Woolard, director of policy, risk and research at the FCA, said: ‘They are complex and can be highly risky, and the FCA has used its new powers to ensure that cocos are not inappropriately made available to the mass retail market, while still allowing access for experienced investors.’

Caspar Rock, chief investment officer at Architas, agreed. He said: ‘Although default rates are still relatively low, it is also important to be aware of the risk inherent to these instruments.’

BoE concern over UK borrowing sensitivity

Bank of England (BoE) governor Mark Carney has voiced concerns over the ability of UK households to cope with the cost of higher borrowing.

Indicating that the economy is returning to normal, Carney said that as it regains its footing, ‘the Bank rate will need to start to rise in order to achieve the inflation target’.

However, the BoE is alarmed that any rise in interest rates will cause households to tighten their belts rather than default on mortgage payments, spend less and push the economy back into crisis.

Carney said that high levels of mortgage debt – which exceed annual income by 40 per cent – are making the economy ‘particularly sensitive to interest rates’.

If the interest rates rose by even a comparatively modest 2.5 per cent, more than half of homeowners would need to economise on spending, while one in five borrowers would spend more than 35 per cent of their disposable income paying back mortgages.

Despite the concerns, however, the BoE has made it clear that low interest rates are also a threat to the economy, as they can encourage excessive borrowing.


UK borrowing down, but deficit up

UK government borrowing has fallen compared with this time last year, although the deficit has increased, according to figures from the Office for National Statistics (ONS).

The deficit for the first quarter of 2013-14 stood at £35.2bn, and has now risen to £37bn. In addition, the national debt has also increased to £1.3tn taking it up to 76.5 per cent of the national income.

This was slightly offset by a £1.6bn reduction in government borrowing in the period since last July.

The deficit levels are still a long way from their record yearly high of £137bn in 2009-10, but could still put the Chancellor George Osborne under considerable pressure to meet his planned target of £95.5bn for the year.

The figures come at a particularly tough time for him in the pre-election period, as it was hoped the full-year forecast could be met, allowing him breathing space in the run-up.

Personal insolvency storm warning

Fears are growing that interest rate rises could lead to a sharp increase in personal insolvency, as figures for the second quarter of 2014 show a significant upward trend. The three-month period saw 27,029 personal insolvencies in England and Wales, a 5.1 per cent increase on a year earlier.

It was the biggest rise since 2010, and was driven by a 20 per cent jump in the number of people entering into individual voluntary arrangements, to a record high of 14,571, said the Insolvency Service.

Some experts claim the figures show creditors are more confident about recovering debts, but others insist it shows people are on a financial knife-edge after years of falling wages and government cuts.

‘It’s clear that people are really struggling,’ said Bev Budsworth, managing director of The Debt Advisor, in a Guardian report. ‘The acid test will be when the Bank of England starts to raise its base rate and people’s mortgage payments follow suit.’

Brian Johnson, insolvency partner at chartered accountant HW Fisher & Company, is also reported as saying: ‘With as many as a quarter of mortgage holders facing unaffordable payments, if interest rates rise to a more normal level of three per cent, a personal insolvency storm could be gathering.’

Wall Street banks warn US Treasury about risk-taking

A group of leading Wall Street banks has warned the US Treasury that low market volatility is heightening ‘excessive risk-taking’ by investors.

Volatility is now at record lows because of bank policies that restrict sharp market movements and deter investors from hoarding funds. This, in turn, has led to concerns that larger investors have grown complacent following years of dealing with one-way markets that encourage them to take progressively larger amounts of risk. Recent times have seen sales of high-risk investments, such as junk bonds, soar because of increased demand from yield-hungry investors.

Because banks and investors include volatility in their internal risk management, there is now a chance that previously-suppressed markets are amplifying more risk-taking. Value at Risk (VaR) models used by large Wall Street banks also incorporate volatility data to calculate how much a trading portfolio might be expected to shed during a given day, with a calculated probability.

With volatility having sunk lower, VaR models are suggesting there are very small chances of sustaining large losses, meaning more banks can take on more risk, without breaching internal standards for risk management.


Ban hits Standard Chartered

British banking and financial services company Standard Chartered is to be barred from handling transactions for high-risk clients as part of a hefty US$300m settlement with New York’s banking regulator.

The ban was imposed by the New York Department of Financial Services (DFS) after Standard Chartered failed to improve its methods for recognising suspicious activity.

Standard Chartered has stressed that the bar will only affect a small number of clients and services, which includes clearing activity for high-risk Hong Kong businesses and the withdrawal of certain client relationships at branches in the United Arab Emirates.

The embattled company’s UK banking arm will also no longer be able to accept new customers for dollar clearing without a go-ahead from DFS.

A Standard Chartered spokesman said: ‘The group accepts responsibility for, and regrets the deficiencies in, the anti-money laundering transaction surveillance system at its New York branch. The group has already begun extensive remediation efforts and is committed to completing these with utmost urgency.’

Self-driving cars face virtual carjacking

Defending self-driven cars against the risk of cyber attacks that could cause drivers to lose control of their vehicles has become ‘essential’, according to Daimler chief executive Dieter Zetsche.

The increasing use of electronic control systems could theoretically create a ‘nightmare vision’ opportunity for a third-party hacker to create ‘actions not intended by the driver’.

Zetsche stressed that Daimler was already working to combat cyber crime, saying: ‘We are working with all our strength to implement firewall-related technologies that make this impossible.’

It is thought that self-driving cars could be on the streets by 2020, following Google’s experiments in the area, with many manufacturers developing autonomous driving systems.

Car manufacturers are already employing specialist ‘penetration-testing’ firms to check vehicle system security. Daimler itself used an external company to try to hack its partly-autonomous S-class saloon.

Last year, researchers demonstrated cyber attacks on Ford and Toyota vehicles that could cause steering and brakes to malfunction, while Chinese researchers have hacked a Tesla Model S.

Over-regulation risk flagged

Bankers who say that heavy-handed regulation is making banks too averse to risk need to ‘demonstrate that this is the case’, the UK’s parliamentary Treasury Committee chairman has said.

Speaking in the Financial Times, Andrew Tyrie said that MPs were lacking detailed figures – one of the main tools for assessing claims by senior bankers that regulation is about to become disproportionate.

Bankers claim that regulation is stifling the banking sector and pushing activity into other areas of finance.

Tyrie said: ‘It’s crucial that politicians exercise judgement, too, and don’t drive regulators into a corner where they protect themselves from criticism by over-regulating.’

His comments followed the publication last week of plans by banking watchdog, the Financial Conduct Authority, which were based on a report from the parliamentary commission on banking standards that Tyrie chaired last year.

Tyrie also highlighted the risk that regulators ‘endlessly pile on regulation in an effort to demonstrate activity that could all too easily act as a substitute for thinking through what is really needed’.

Record fines for Bank of America for sub-prime mortgage role

Bank of America has been ordered to pay a record fine of US$16bn for its part in selling flawed mortgage securities in the build-up to the financial crisis.

The Department of Justice found that Bank of America, and companies it owned, purposely misrepresented the level of risk involved with loans that were used to back its residential mortgage-backed securities (RMB).

The fine is the largest applied so far in a string of similar settlements paid by US banks as the Justice Department investigates their behaviour during the sub-prime mortgage crisis.

The US$16bn fine will be paid to several US states and government agencies, as well as the Justice Department, with US$7bn of the sum going to customers seeking to pay off high loans.


IRM reader view

Talking points

What you have been saying about the risk profession via social media, email and other correspondence

Scrap the ‘R-word’

I was recently told by another risk management ‘student’ that ‘risks’ and ‘opportunities’ are not the same and shouldn’t be managed as if they are. And he’s not the only one.

I disagree. We need to manage ourselves and our organisations to anticipate all possible futures, focusing on those with the highest probabilities. A future event carries a range of outcomes – favourable for some, adverse for others. Grant Purdy’s hurricane example is spot on – it destroys crops and homes but also creates new work for home and road repairs. It is anticipation that’s key.

Proper anticipation can even allow firms to improve their customer reputation and, thus, their competitive position. The now-famous Johnson & Johnson response to the initial Tylenol tampering incident saw the company actually increase its market share in the following year. Now that’s converting a downside event into an opportunity.

The word ‘risk’ has been almost completely transformed. In the 1920s, Frank Knight defined it as a measure of probable likelihoods and consequences. Picking up the idea of risk management in the late 1950s, insurers – naturally – considered only downsides. Ask anyone today, and chances are they will define ‘risk’ as a bad event.

It’s time to scrap the word. It is totally misleading. Use ‘uncertainty’ instead.

FELIX KLOMAN FIRM, Lyme, UK.

Playing it safe and missing the point

The volatility of mining share prices this summer highlights a dual danger for environmental risk managers. When reviewing many risk reports filed on the stock market, it becomes clear that environmental risk reporting is driven by compliance – the easiest risk to report. Yet, in too many companies, compliance is pushed by internal and external auditors. As the basis for many KPIs and KAIs, auditors play it safe and do not risk recommending something out of the ordinary. Lack of transparency about what these firms do creates a corresponding lack of transparency about the associated risks. Shareholders are inevitably left unaware of the risks these companies actually run.

Yet, aside from political risk, some of the greatest share price falls have been triggered by environmental events. Given these can be among the largest share price influencers, are shareholders aware of the actual environmental impacts or only of the compliance-related components? Shouldn’t the stock market already have taken this into account when evaluating the share price? If they have, then why the volatility in the face of an environmental event? Risk-averse but profit-greedy shareholders?

As swathes of Africa open up to foreign investment in mining, this is an issue the industry needs to get to grips with, urgently.

ADRIAN CLEMENTS FIRM, Mertesdorf, Germany.

The new normal is now

Recent articles in RMProfessional raise an interesting challenge to risk managers universally: the move from focusing on ‘risk’ to giving greater attention to uncertainty.

In the wake of the financial crisis in 2011, Josef Ackerman – then-CEO of Deutsche Bank – said: ‘We should resign ourselves to the fact that the “new normality” is characterised by volatility and uncertainty.’

He has been both right and wrong. Despite significant stock market volatility in 2011, it has since declined consistently. From 2013, it has returned to pre-financial crisis levels, with the odd higher spike. In contrast, uncertainty seems to be increasing.

RMProfessional stories bear this out: reduced security of energy supply; the perceived risk of Britain’s stance on the EU; conflicts in Syria and Iraq; the Ukraine crisis; stalling growth in the Eurozone and China; uncertainty over the monetary tightening in the West; and the world’s largest Ebola epidemic. Uncertainty is suddenly everywhere, but has not been reflected by similar growth in market volatility – a usual measure of ‘risk’.

Uncertainty remains unchanged: the future is always uncertain. What changes – as both Knight and Keynes argued – is our confidence in our expectations of the future, and the speed and vectors of transmission and amplification of risk. The challenge is how risk managers respond to this loss of certainty and our understanding of risk propagation when the market indicators that assess volatility are at seven-year lows.

Stress and scenario testing are increasingly used by the financial services industries, but, often, too narrowly. As the Financial Reporting Council urged, these tools must make the leap to the mainstream of risk management in the corporate sector. They need to become central to the risk manager’s toolkit. Not just for long- or fat-tail risks – but as the basis of a focus on risk and uncertainty in setting strategies and understanding uncertainty in the strategic environment.

The move for risk managers in all sectors from focusing on risk and volatility to uncertainty and flexibility is long overdue; few have accepted the challenge. It needs to become ‘the new normal’.

PETER BONISCH, London, UK.

We want your letters, comments on articles, opinions and viewpoints. We don’t want promotions or bland sentiments! Please send your letters, ideally no more than 350 words, to Sush Amar at sush.amar@theirm.org. We reserve the right to edit letters if necessary.


irm focus
ceo’s message

Brave new world?

THE RISK PROFESSION IS EVOLVING TO MEET EVER MORE COMPLEX NEEDS, SO KNOWLEDGE AND EXPERIENCE ARE CRUCIAL, SAYS INTERIM CHIEF EXECUTIVE JEREMY HARRISON FIRM

November will find me co-hosting a breakfast discussion on why legislation is not the answer to bad behaviours. Given the increasingly entrenched positions of regulators and regulatees, I suspect the conversation may be louder than I am used to at that time of the morning.

While legislation may not be universally viewed as A Good Thing, there’s no doubt it has been very good for our profession. The banking liquidity provisions in Basel III, the ‘will they, won’t they’ speculation about the introduction of EU insurance directive Solvency II, and the apparently endless revelations about bad behaviour in financial services are driving a significant increase in risk management roles in that sector. One global risk recruiter has put the increase at more than 20 per cent in the past year.

However, insurance, retail and investment banking – while huge creators of risk management roles – form just part of the picture. As our centrefold supplement on the launch of IRM’s revised International Certificate and Diploma shows, a perfect storm of globalised supply chains, the impact of geopolitical risk, and the boom in energy extraction and infrastructure is creating new demand for skilled risk managers in all sectors.

Unsurprisingly, competition for risk professionals is intense, with some industries and global regions forced into a merry-go-round of poaching. However, the plum roles and greatest options continue to belong to the experienced and qualified. As one of our diploma interviewees points out: ‘A university degree is no longer enough for a risk-related career; you need to be able to demonstrate you’ve got the right knowledge and qualifications.’

Standards and competence
As risk management arguably becomes the world’s newest profession, our industry cannot just be about qualifications passed, or time served. Those who advise others about risk hold the commercial and physical safety of millions of people in their hands. Perhaps the most enduring legacy of both the lack of knowledge and ethics shown by some in professions as diverse as journalism, banking and politics, is the renewed importance placed on standards and competence in boardrooms across the world.

No profession is, or should be, exempt from these expectations – least of all ours. As a previous IRM chairman argues, in this issue of RMProfessional: ‘The time when we are treated like a profession is when we act like a profession.’

At IRM, we have spent an already exceptionally busy summer further developing our professional standards, drawing on best-practice examples from more than 30 other competency frameworks from around the world. These are currently under review by a panel of experts, and we will publish our framework by the end of the year. We will expect graduates of our certificate and diploma to sign up to these standards, and to adhere to them throughout their risk-management careers.

A new era for IRM
This will be my last column as IRM’s interim CEO, as I return to the role of deputy chair. I hand over the reins to our director of operations, Gail Easterbrook, who will be acting CEO until our new, permanent CEO starts. During my seven months in the role, I have been impressed by the knowledge of our IRM members, and your passion to communicate it.

You are a constant inspiration. You give up your time to drive our thought leadership forward, taking topics – such as extended enterprise, which will be published next month – to new levels of insight. You share emerging risks and practical solutions through our network of special-interest and regional groups, and you help to build excellence in risk management in your workplaces.

I would also like to extend my appreciation to IRM’s staff, a much smaller team than I suspect many members imagine. Their knowledge and commitment has played a vital role in driving IRM’s growth.

As we enter a new era of reach and influence, I look forward to seeing the growing impact of IRM’s work in industries and organisations worldwide.

jeremy.harrison@theirm.org



analysis
PRODUCT RECALLS

TOTAL RECALLS

A BADLY-HANDLED PRODUCT RECALL CAN HAVE A HUGE IMPACT ON BOTH REPUTATION AND THE BOTTOM LINE. SO WHAT LESSONS CAN RISK PROFESSIONALS LEARN FROM RECENT EXAMPLES, ASKS HELEN YATES

History is littered with examples of companies taking too long to recall a product and seeing their reputation and brand suffer as a result.

In an increasingly global world, with complex supply chains and tightening regulatory oversight in many markets, it is easy to see why product liability is a growing concern for many companies. In a highly-regulated environment, particularly in markets such as the US and EU, a supplier’s faulty component can have a big impact.

Take Toyota’s latest recall. This involves a supplier of spiral cables in the deployment mechanism of the airbags, which may have broken. In addition to the recall replacement of these vehicles, Toyota has agreed to pay a fine of US$1.2bn.

Manufacturers and exporters face a growing list of legislation, the latest of which are new food labelling requirements in the European Union that will apply from December 2014. The rules will require allergy information to be put on all food products sold in Europe.

Complying with regulatory frameworks becomes more complex when you consider that between 65 per cent and 90 per cent of the content of any given end-product is provided by suppliers, often on the other side of the world. Manufacturing and product quality standards do not always match those in developed markets.

‘Some of the claims we’ve seen involve complex supply chains, which means they can be extremely difficult to deal with in terms of understanding where some of the contamination has actually taken place,’ says Ross Macdonald, team leader of casualty specialty lines at Zurich Global Corporate UK. ‘It’s important to understand the level of due diligence that our customers are carrying out on the suppliers they are contracting with, to make sure they are dealing with someone who is providing them with a safe product.

‘It can be very complex to go back and deal with a claim involving a lengthy supply chain,’ he adds. ‘From an insurer’s perspective, if you’re trying to subrogate back into different countries around the world, that can also be a challenge. We had a situation where our customer’s supplier was based in China, and trying to take rights of subrogation in China is extremely hard.’

The difficulty in discovering the source of a contamination was aptly illustrated during the 2013 horsemeat scandal, where Dutch authorities recalled 50,000 tonnes of meat sold as beef across Europe. A pizza containing 35 ingredients from 60 different countries was discovered by food safety testers. This was used as an example by the National Audit Office to illustrate how difficult it was to verify the origins of processed food eaten in the UK. The watchdog warned that ‘food fraud’ was rife.

In August 2013, Fonterra Group, a New Zealand-based firm, announced contaminated whey products could have been sold to third-parties, which used them to produce infant milk formula and sports drinks. More than 1,000 tonnes of products were recalled in the botulism scare, across seven different countries.

Although the contamination now looks to have been a false alarm, the economic and reputational fallout was significant. China instigated a temporary ban on dairy imports from New Zealand, and French company Danone is continuing its legal action, claiming it lost US$500m of sales due to the recall.

Voting with their feet
Another factor exacerbating modern recalls is consumer activism. Today’s consumers have a strong voice and, if a company takes the wrong approach to a recall, it can quickly become a hot topic on Twitter and other social media outlets.

Maclaren offers a cautionary tale. Back in 2009 the company was condemned by Mumsnet bloggers for undertaking recall action in respect of one million ‘hazardous’ pushchairs in the US, but not taking the same action in Europe. ‘Maclaren adopted a different approach in Europe because the regulation was slightly different in the US, but they didn’t communicate it very well,’ says Jim Sherwood, a partner who leads the product liability and recall team at law firm BLM. ‘There was a perception they were treating some consumers differently.’

Because a tarnished reputation can have a direct impact on a company’s share price, a high-profile product recall can result in a significant financial loss to an organisation – particularly if it is handled badly. ‘Companies are now seeing recall as an occupational hazard, but also something that, if handled well, can actually strengthen confidence in brand and reputation,’ says Sherwood. ‘It’s all about the trust of customers.

‘Until companies have a recall or safety issue, often they may not appreciate the fallout and the real problems that can occur if the business does not have an internal plan and response team in place to deal with customers and regulators – including handling a press response urgently,’ he continues. ‘I know a lot of risk managers think they should be more involved in the social media management of responses.’



Because of the importance of public perception, many modern recalls are prompted by ‘fear of a problem’, as was the case with Coca-Cola in 2004. The UK launch of its new brand of bottled water, Dasani, was quickly undermined by a cynical British media. Coca Cola acted decisively and admitted it was just ‘purified’ tap water, abandoning the UK launch within 24 hours.

The company understood the central importance of its reputation, according to Airmic and Cass Business School study Roads to Ruin. ‘The speed of Coca-Cola’s decision, made within 24 hours of the troubled UK launch of Dasani, indefinitely to abandon the UK launch, shows not only that Coca-Cola had a clear crisis strategy, but also suggests that it had set its appetite for risks to the Coca-Cola reputation at nil,’ it says. ‘This decision may well have been taken in the light of how its nine per cent owner, Berkshire Hathaway, had set its own appetite for risks to reputation.’

Berkshire Hathaway boss Warren Buffett has warned that while it takes many years to build up a reputation, it can take just five minutes to ruin it. ‘If you think about that, you’ll do things differently,’ promises the Sage of Omaha.

Except not every company heeds such advice. There are situations where reluctance to instigate a recall has ended badly for a brand. In June 2006, Cadbury initiated a precautionary recall of one million bars of chocolate contaminated by salmonella, five months after a contamination had occurred.

Cadbury stressed the levels of salmonella were minuscule, but cases of salmonella poisoning trebled in the five months leading up to the recall. Health experts were unable to say whether there was a link, but the Food Standards Agency said it should have been reported immediately. ‘The event, which would have seriously impacted most companies, was mitigated by public loyalty to a popular brand,’ comments the Airmic report.

At Toyota, the car manufacturer’s slow reaction to safety problems was met with severe criticism in the media and social media in 2009. Its decision to recall more than 3.8 million vehicles after a deadly accident in California – attributed to sticky floor mats – came too late to protect the company name. Toyota was vilified and accused of being ‘safety deaf’, despite a study later finding no evidence of sudden, unintended acceleration.

Managing a crisis
As successful recalls often demonstrate, a quick, decisive and transparent response to product safety issues is always the most effective. ‘In our Roads to Resilience report, we talk about companies that have amber and red alerts when a crisis hits,’ says Paul Hopkin, technical director at Airmic. ‘Amber is using existing management, activating PR people, and so on, and the red alert is a whole separation between routine management and bringing in a crisis management team to minimise damage to reputation and coordinate business continuity.’

For many risk managers and PR professionals, Johnson & Johnson’s handling of the Tylenol recall in 1982 is the perfect case study for how to handle a crisis. The painkiller was recalled when seven people died in the US city of Chicago after taking capsules of Tylenol that had been laced with cyanide. At the time, it was thought the drug’s brand would not recover from the sabotage.

‘They had a 37 per cent market share of painkillers when they first identified the problem,’ says Sherwood. ‘It went down to seven per cent pretty quickly, but it rebounded back to 30 per cent within a year because they handled it so well. That’s a classic example of how a business should handle a serious safety issue. Really good communication and very good coordination. They withdrew all the products as soon as they knew what was going on, issued numerous press releases and updates, and management knew what was being done and were completely open about it.’

These days, most product recall insurance products offer cover for reputational risk. Zurich’s customers receive access to crisis management experts and have a hotline they can call in case a product needs to be withdrawn from the market. A proportion of the premium is spent on risk improvement, mitigation and stress-testing the organisation’s approach to a recall, while ‘dark sites’ – websites set up to inform customers about a recall – are prepared in advance.

‘As well as protecting their balance sheet, which is obviously why they are buying the risk transfer, they are looking to us to protect their reputation,’ says Macdonald. ‘We give direct access to crisis consultants who will be able to give them advice and tell them what statements they should be making to the media, and to certain government bodies that need to be notified.

‘These consultants also help them manage social media,’ he adds. ‘What you don’t want is for it to get out of control on Facebook and Twitter. If you can demonstrate you’re dealing with consumers’ concerns, that will help mitigate and protect the reputation.’

For appropriate risk financing, buyers should be looking to take out dedicated product recall cover, thinks Macdonald. This covers: the cost of recalling the product itself; its destruction; repair or replacement; business interruption costs; and the public relations expense inherent in protecting and rehabilitating the brand.

‘Many people who aren’t familiar with product recall think they will have coverage under their product liability policy,’ he explains. ‘One of the main differences between the two is that – in order for the product liability policy to be triggered – it has to have caused actual injury to third parties, and is restricted to third-party damages and costs. Conversely, a product recall policy is triggered where it has – or would – cause injury or damage, and covers the recall costs and financial losses of the policyholder, so it is very different in trigger and coverage.’

Helen Yates is a freelance journalist



analysis
Sudden Success

Dream

Would your organisation be adequately prepared for a sudden surge in demand or popularity? Risk discussions typically focus on potential problems, but Tom Bovingdon explores how risk professionals also prepare for opportunities and over-performance

When white goods and floor-care specialist Hoover was sitting on surplus stock in 1992, it struck upon a novel way to get rid of it. Anyone purchasing more than £100 worth of products would receive free airline tickets. The company had gambled on the public being put off by the small print – but it vastly underestimated demand and the tenacity of consumers.

After 600,000 purchases, a consumer pressure group was formed to force the firm to honour the promotion. After six years of legal wrangling, Hoover was left with a bill for £48m – and three senior executives were ushered out of the door.

With many risk discussions focusing on negative scenarios, this episode is a reminder of the risk of over-performance – unexpected surges in demand for a service, product or offer.

Take, as another example, the Need A Cake bakery, based in Reading, in the UK. Eager to expand, the business owners advertised a 75 per cent discount on 12 cupcakes through voucher site Groupon, hoping to attract some extra custom. However, 8,500 people bought the deal, and the company had to shell out £12,500 on extra staff and distribution costs – while also losing around £3 per batch of cakes – thereby wiping out profits for the year.

Success stories
There are numerous other similar stories: the Toys R Us delivery delays of 1999, when the company failed to fulfill a large number of online orders; Sony’s struggles to manage demand for its PlayStation 4 console; and a predicted crisis for the chocolate confectionery industry, brought about by shortfalls in cocoa production. Other risks for businesses include unexpectedly high website traffic, or an unpredictable event – such as a natural disaster – that drives sudden demand.

Such examples raise an intriguing question for risk professionals: every organisation wants its product or service to be in demand – but what happens when this demand exceeds supply or capability levels?

High-quality problem
Hans Læssøe, senior director, strategic risk management at The LEGO Group, knows all about the challenges of a sell-out product. The toy manufacturer consistently creates a buzz with new lines – be it Harry Potter, Indiana Jones,
Ninjago or LEGO Friends – for which demand often
exceeds the company’s wildest expectations and
supply capacity.
Predicting demand, says Læssøe, ‘is part of standard
sales and operation planning but, if the product really
hits, that will not be enough – unless the company
has way too much capacity and, hence, a low asset-
utilisation ratio’.
Such demand can be difficult – if not impossible –
for organisations to anticipate. Recently, the runaway
success of animated Disney film Frozen resulted in
order quotas being imposed in an attempt to ensure
the supply was distributed fairly. In another example,
stocks of a stuffed toy wolf, sold by Swedish furniture
chain Ikea, suddenly ran out in Hong Kong when it was
adopted as an anti-government protest symbol.
‘At The LEGO Group, we prepare systematically,
on a monthly basis, as part of our standard sales and
operation planning process – also because we know we
have to,’ says Læssøe. ‘We launch some 20 lines/themes
annually, and we know that one, or maybe two, of
these will sell more than twice what we plan – we just
don’t know which.
‘So we deploy upside/capacity scenarios, where we
try out different combinations and decide on capacity
build-up according to these. Then, if we are still in
“trouble” – as was the case with LEGO Friends in
2012 – we sometimes postpone the launch in some
markets, and/or significantly reduce the marketing push
to reduce demand. However, we also have to realise
that if/when you have hype among children, it is very
difficult to reduce demand.’

The airline model
For John Ludlow FIRM – senior
vice-president of global risk
management at InterContinental
Hotels Group (IHG) – such
problems need to be considered
on a strategic, tactical and
operational level. As IHG has grown
over the past two decades, Ludlow says the business
has become ‘much smarter and more sophisticated’ at
responding to demand.
IHG strategically plans room pricing around demand
levels and customer type. Ludlow says: ‘If a hotel has
conference space, then we will always prioritise the
sale of that space and then look to sell the rooms. With
a big hotel, we might be looking at this three years
ahead. Once we have sold conference space, we will
look to sell rooms to business people attending the
event, who will typically spend more with us.
‘The old logic was to sell something at the last


minute, for a discounted rate; now it’s about selling it earlier with extra conditions – for example, around cancellation terms. In essence, we consider this to be part of our revenue management, so hotel prices go up in line with demand. In this regard, we’ve followed airlines – which have cracked this model – and now plan our revenues over a much longer timeframe.’

Charles Toomer FIRM – former risk manager at the BBC and Willis – thinks many organisations ‘might dismiss this as a nice problem to have’, but stresses that the impact can be significant. ‘If you get this wrong, you can lose market share, or see your reputation tumble,’ he says.

Arguing that the question of juggling supply and demand hinges on the type of market you are serving, Toomer says: ‘If you want to order a new car in the UK, you know it will take months to arrive. They tend to manufacture them subject to demand. However, if you ordered it in the US and waited for more than a week, then something is wrong. The two markets have completely different expectations.’

Tales of the unexpected
So what should organisations and risk professionals do to ensure these positive risks are taken into consideration? Toomer says conversations ‘should be had when launching any new product or service’. He adds: ‘Yes, negative risks should come first, but then you should turn the conversation around. “What would we do if this was a runaway success? What would the initial signs be that we need to be aware of? And what can we do to mitigate this risk?” In a way, it’s about closely monitoring your KPIs.’

Predicting success is never easy, but there are occasions when demand spikes, in response to unexpected events. For example, Ludlow says there are numerous occasions when IHG hotels must respond to incidents at competitor hotels, such as evacuations. In these instances, organisations must be mindful of their reputations. ‘Our first priority is to look after our new guests,’ he says. ‘There is no gouging of pricing. The last thing we need is to be accused of making money from someone’s misfortune. It’s all about keeping people safe, protecting the brand reputation, and acting in a responsible way.’

At The LEGO Group, sales expectations are openly discussed with customers – the retailers – well ahead of product launch. Læssøe says: ‘We collaborate closely on how to get the best solution for both parties when sales exceed – or fall short of – shared expectations.’

If risk professionals are able to consider the holistic picture more routinely – including how best to respond to a sudden surge in demand – then organisations will be much better positioned for growth. In turn, demand for skilled risk professionals who can help navigate this growth will increase. That really would be a nice problem to have.

Tom Bovingdon is former managing editor of RM Professional

The pitfalls of a successful pitch
When security services outsourcing company G4S won the contract to supply security personnel for the London 2012 Olympic Games, it was no doubt delighted to have the opportunity to showcase its capabilities on a global stage. However, trouble emerged when the staffing target was changed from 2,000 to 10,400. Months later – despite agreeing to the increase in staff numbers – G4S had to admit it was struggling to recruit adequate numbers, and the UK government was forced to draft in military staff. In the wake of the fiasco, more than £150m was wiped off G4S’s market value in two days. Later, the company ruled out bidding for the 2016 Olympics, in Brazil, for fear of a repeat disaster. It then announced it would take a hit of £70m on the Olympic Games contract, before issuing a profit warning. Finally, the chief executive, Nick Buckles, stepped down.



Interview
on the grapevine

BANKING ON IT

New to RMProfessional, each issue we interview an expert for their take on the current debates in their industry. IRM’s sell-out Cyber Risk Summit in June showcased cyber risk experts from a range of sectors. Sush Amar caught up with one, Don Randall MBE – chief information security officer at the Bank of England...

Given the well-documented and frequent ‘denial of service’ failures of banks, what are your views on UK banks’ approach to investing in their digital and technological infrastructure?

I don’t think the issue here is investment. More often, it’s a consequence of organisations working too much in silos, rather than in partnerships. It’s clearly not possible to set meaningful benchmarks and evaluate your organisation’s resilience across the piste if you operate in isolation.

This silo issue that exists in some organisations is compounded by the way the methodologies of cyber attacks keep changing. For example, 20 years ago, the UK law enforcement focus was on counter-terrorism. We put in a lot of resources and achieved buildings that were bomb resistant. And so the methodology of terrorist attacks changed, too. Now, instead of buildings being bombed, terrorists have changed their tactics, and we have terrible events like Boston and Kenya.

It’s the same with cyber attacks – what lens do you use to determine where and what the next attack will be? In this fast-moving risk landscape, financial institutions should work far more in partnership to identify the new methodologies and the actual risks. Better partnership-working between organisations and – importantly – sharing details of attempted, as well as actual, attacks would help build up organisational knowledge among all participants.

What’s your view on the way in which organisations communicate – or fail to communicate – after a breach?

Organisational victims of cyber breaches have come in for a lot of criticism recently, but I think it’s often unjustified. There’s a degree of misunderstanding; the issue of communications is far more subtle than many people think. For example – who is the audience that needs to know, when do they need to know, and what do they need to know? Proportionality is important.

Let me illustrate. Take the Cross-sector Safety & Security (CSSC) system, which the private sector created together with law enforcement agencies for the London 2012 Olympics. CSSC has the ability to communicate with 8.5 million people, across 36 different business sectors, in just 20 minutes. And we can use it for any preventative purpose. When the tragic helicopter crash happened last year in Vauxhall, we were able to let everyone in the area know and reassure them that we were on the case.

Now, proportionality in that case was clear. It isn’t always so clear when it comes to cyber breach and attack, where we need to identify both methodology and purpose. Perhaps what we need are sub-sets of communications. We now have very strong public/private communications at a regional level, and we’ll be rolling out CSSC

pan-nationally too. It’s knitting up the smaller, many more localised groups that presents the challenge. I’m optimistic though; I think we will eventually crack this communication challenge; we’re certainly moving in the right direction.

There appears to be a major flaw in the culture and governance of cyber security – a combination of complacency and ‘it won’t happen to us’. How do you think this can be changed?

I think there’s a general lack of awareness across the piste. Raising awareness among all the people in an organisation, at different ages, with different learning preferences – the educational challenge is huge. But I’m not a believer in taking a draconian approach; I think organisations should realise there is a strong ethical obligation to prioritise this. At the Bank of England, we run internal phishing exercises to benchmark staff responses and monitor improvement over time. You need this kind of evidence to analyse change – without the evidence, you can’t keep up with the technology of cyber crime.

Given the interconnectivity of global systems, what is the impact of inconsistent policing on global cyber security?

My take on this is analogous to the days when poor extradition agreements made Spain a haven for criminals. Weaknesses in international cooperation and legislation create openings for cyber criminals. It is the potential for these gaps that let them in. Poor international operability slows down response and detection everywhere. So my view is that, instead of prioritising comparative legislation, we must prioritise cooperation to shut down the gaps that open up in its absence.

Do you think the commercial ‘stigma’ of owning up to a cyber breach acts as an inhibitor to organisations sharing their experience and learning from each other?

Not anymore. In the early days of cyber, if one particular organisation was susceptible to breach it was more likely to be a reflection of poor security and risk management practice. Now that everyone is vulnerable, the stigma is gone. This is also an important ethical issue; you cannot give attackers the power by not reporting a hack, theft or breach – the more information one company can provide, the less vulnerable we all are. For example, when Barclays and Santander promptly reported the KVM device thefts, the police were able to catch the criminals and stop them targeting others. These two banks were – rightly – lauded for their openness, and that’s the way I think all organisations should be going.

More generally, do you feel UK businesses ensure risk management is represented at a sufficiently high level in organisations?

Risk has always been an issue at the ‘top of the house’ – it’s always been a board-level matter – but where it is actually ‘managed’ varies, depending on how risk is seen and prioritised. About 15 years ago, for example, risk management around terrorism had board-level focus in the UK; it got a lot of airtime and a high priority. That reduced as risk management steps were put in place and the threat mitigated. It’s an issue that organisations in countries like Nigeria and Ukraine are currently having to get to grips with. But now, the UK’s priority is cyber. In future – in global business terms – we’ll always be contending with the triumvirate of corruption, terrorism and cyber security. I don’t think they’ll ever be ‘solved’ – the time they get and the level at which they’re dealt with in an organisation will change, depending how ‘active’ the risk is perceived to be.

Given your experience, what advice would you give risk managers?

Learn how to translate the sometimes-mysterious concept of risk management into something non-practitioners can understand. Talk about impact and opportunities; show the role it plays in operational success.

And don’t overplay your hand. Be realistic and don’t exaggerate. Work in partnership with your organisation to develop risk culture, appetite and tolerance – these should be created in tandem, not imposed.

What do you think is the emerging technological development that no-one currently sees coming?

When it comes to these kinds of things, I would always say: ‘Go outside your own head and ask someone who imagines the future’ – someone like a Steven Spielberg. Look outside the limits of your own imagination and get the views of people who think like this. We can all get stuck in our own psychological boxes; the more diversity of thoughts and ideas we can actively seek, the wider our horizons become.

Don’s views are based on his own experience, and are not necessarily those of the Bank of England.



IRM – Qualified for today’s risks

ENTER THE NEXT GENERATION OF RISK MANAGERS…

Risk management, the world’s newest
profession, is increasingly sought by
organisations across the globe. In 2002,
according to a Deloitte survey, 65 per
cent of financial institutions had a chief risk
officer (CRO); by 2012, this had risen to 89 per
cent. The need for risk management expertise
is not just confined to financial services. From
construction in Brazil to hospitals in the Middle
East and engineering in the North Sea, the
hunt is on for qualified risk management
professionals.
The challenges facing today’s risk
professionals are among the fastest evolving
of any industry. From cyber to construction,
energy to the environment, financial services
to infrastructure – the interdependencies of
a global economy require a deep, up-to-date
knowledge of enterprise risk management.
As leaders in the field of risk management
qualifications and training, IRM regularly
reviews its courses and programmes to ensure
they continue to meet the needs of the global
business community. IRM’s revised International
Diploma will be launched on 15 September
2014.



The International Diploma in Risk Management: Overview

Risk management is a major business function. From managing ever-evolving cyber risk to fraud prevention, complex supply chains, and operational risk, today’s organisations increasingly value professional risk management qualifications, such as the International Diploma in Risk Management.

This postgraduate-level qualification has been developed by internationally recognised academics and industry practitioners. The International Diploma will provide you with both the theoretical knowledge and practical skills to manage risk, and maximise opportunities in your organisation.

The programme has six modules. Modules one and two form the International Certificate in Risk Management. The remaining four modules make up the rest of the International Diploma in Risk Management. Successful completion of the Diploma entitles you to use designatory letters after your name.

Risk management is a
significant issue for all
businesses – taking many
forms, from cyber risk and
fraud to operational risk

International Certificate: Principles of Risk and Risk Management > Practice of Risk Management
International Diploma: Risk Assessment > Risk Treatment > Risk Governance and Culture > Crises, Resilience and Future Risks


Employers
appreciate the
value of professional
qualifications

The International Certificate

A practical, introductory qualification, it can be taken as a stand-alone qualification, or form the first part of the International Diploma. It gives you:

• A comprehensive introduction to the principles and practice of risk and risk management
• An understanding of the multidisciplinary nature of risk management within any organisation
• An appreciation of current risk management thinking, standards and regulations across the world
• The basis for advancement to the International Diploma in Risk Management

Further information on course content for the International Certificate can be found at www.theirm.org/qualifications.

The International Diploma

Builds on the foundation of the International Certificate. It provides a deep understanding of the impact of organisational culture, attitudes and appetite for risk, as well as the way risk is perceived and treated within an organisation.

The course will help you develop:

• The competencies to design and implement risk management strategies
• Proficiency in choosing and using the tools and techniques required to assess and treat risks
• A critical understanding of the influence of organisational culture, attitudes and appetite for risk
• A critical appreciation of the relationships between risk management, governance, internal control, and compliance
• The ability to make informed risk management decisions for both current and emerging risks
• The opportunity to analyse and appraise real-life case studies from different sectors and countries

Enrolment is open between 1 October and 15 December 2014, and 1 February and 15
May 2015. The examination sessions take place in June or November, respectively.

For more information and the full syllabus, please go to www.theirm.org/qualifications



Qualification provides clear benefits to both students
and employers. Adam Skene, currently studying for
the International Diploma in Risk Management, and his
manager, Alison Lyall, exchange experiences.

The employer’s view


Alison Lyall, Director, Harnser Risk Group

Alison Lyall has nearly 30 years’ experience in banking, regulation, consultancy and business management, and is now a director of security risk specialist, Harnser Group. In that time, she’s seen some major changes in the risk management landscape.
‘Risk specialists used to work in “silos” labelled market, credit or operational risk, with the compliance function turning risk into a tick-box exercise,’ she says. ‘Nowadays, an increasing number of employers recognise how crucial a broader perspective is, with risk managers capable of taking a helicopter view across the landscape and working with the business in managing the risk/reward balance. This enterprise approach is the right way forward.’
When Alison first met Adam, she wanted to see if Harnser could bring young people into
the company at the start of their risk management careers, train and develop them.
‘There’s a finite pool of experienced risk managers. More businesses need to put systems
in place to “grow their own”, as they do with other functions. Adam had already started
doing the IRM Diploma, and I was really impressed with his enthusiasm and his commitment.’
Alison says Harnser has benefited from the changes in Adam since he’s been studying for
the qualification.
‘The Diploma has had a significant impact. His confidence has increased, both in terms of
his knowledge and his contribution to the business. We value his enthusiasm and initiative.
His studies teach him theory, which he then puts into practice at work. So I would say the
Diploma has provided Adam with a very solid foundation. The only downside for us is that
he’s now aware of all the career opportunities available to him!’

The student’s view


Adam Skene, Risk Adviser, Harnser Risk Group

Adam Skene’s risk management career started just five years ago, but it already demonstrates how the requirements of today’s risk managers are changing.
After graduating from the University of Aberdeen with an MA (Hons) in politics and international relations, he started working in supply-chain logistics, in the local offshore oil and gas industry. Keen to expand his risk management knowledge, Adam took IRM’s Management of Risk and Uncertainty course in 2009, and realised he wanted to specialise in risk.
Local opportunities were limited, but IRM membership gave him access to a much wider risk management community. ‘I brought my CV up to date, and sent it to the head of IRM’s regional group in the north east of Scotland, asking them to send it to all their members,’ he explained. ‘Before long, I was approached by the director of Harnser Group and offered a role in Norwich. It’s given me the opportunity to work on some amazing projects.’
Adam was keen to develop a much deeper understanding of risk management theories
and practice. For the past two years, he has been studying IRM’s International Diploma in
Risk Management.
‘Harnser are specialists in security risk management, and keen to support me in becoming
qualified. As well as funding the Diploma, they have also given me half a day a week to study
during working hours. It’s a win-win for both of us – I’ve used concepts, processes and ideas
from the Diploma to add value to our client deliverables.’


The time when we are treated like a profession is when we act like a profession

Risk managers are under growing pressure to prove their competencies with regulators and rating agencies, write Amlin’s Alex Hindson and Aviva’s Jose Morago

The expertise and professionalism of staff in the financial services sector came under question in the economic crisis of the late noughties. Post-mortems showed not just wilful disregard of the rules by employees, but plenty of examples of incompetence.
Since that crisis, legislators and supervisors have started to look a lot harder at the people, as well as the process. The EU Directive Solvency II, for example, requires that personnel have the skills, knowledge and expertise to fulfil their responsibilities. Those holding key functions – such as in the risk management or actuarial teams – must meet ‘fit and proper’ criteria. After the Paul Flowers debacle at the UK’s Co-operative Bank in 2013, regulators’ antennae are also increasingly attuned to these attributes in the banking sector. The Banking Standards Review Council is charged with ensuring banks and building societies commit to a programme of continuous improvement in culture, competence and outcomes.
While actuaries have the benefit of well-known professional qualifications – requiring evidence of continual development – risk management tends to be less formalised. Among those trying to change that is the Institute of Risk Management (IRM).

The need for new skills


IRM has also broadened its focus to encompass wider support for the
profession of risk management, including certification of risk professionals.
The skills set for risk managers is clearly changing. Part of IRM’s work to
support them is the development of a professional standards framework,
due to be published at the end of 2014.
Financial institutions are being challenged externally, and not just
by regulators. Ratings agencies, too, are beginning to ask for proof of
competence as part of their focus on an organisation’s risk culture. At least
one European insurance regulator – while not formally endorsing IRM’s
Diploma – has suggested it would be suitable for proving a risk manager’s
credentials in an ‘appointed person’ regime.

The drive to professionalism


These changes provide an opportunity for people working in risk
management to ‘professionalise’ themselves. The time when we are
treated like a profession is when we act like a profession.
Whether there should be a specialist qualification for risk managers
working in different areas of financial services is an interesting question.
Risk management is a broad topic. People working in the sector may do
better to avoid specialisation, and learn universal principles and practice
that can be applied directly in any setting.

This is an edited version of an article that first appeared in Insurance Enterprise Risk Management, June 2014 (www.insurancerm/com)



Industry snapshots
Banking and finance
Tighter regulation was in the pipeline for many countries even before 2008, but post-crash
EU and US regulation has radically reformed risk-governance frameworks. In other financial
hubs – such as Singapore – there is a movement to regulatory equivalence, particularly in
the insurance industry. Yet, according to a recent survey by EY (previously Ernst & Young),
many chief risk officers continue to battle to embed risk appetite successfully into business
decisions. Silo thinking on risk by many boards means risk professionals who are able to
explain clearly the principles, practice and impact of enterprise-wide risk management, will
have the competitive edge.

Energy
From Iraq to Russia, the energy industry has proved particularly vulnerable to geopolitical
unrest this year. In Europe, reconciling the tensions between environmental, output and
security risks continues to be an intrinsic part of the risk role.
Across the world, the energy industry faces ongoing volatility in commodity pricing, making
long-term investment more problematic. As much of the world emerges from austerity – and
high-growth economies resume their development – it is inevitable that energy demand will
accelerate. Experienced risk professionals in this field are among the most highly sought-after
in the world.

Law
The trend continues towards global expansion of law firms to meet the growing needs of
international clients. International mergers and growth are creating increasingly large and
complex organisations, establishing new structural and management risks. From cultural
diversity, consistency of service and different regulatory regimes, to information security and
data privacy requirements, new opportunities and threats are developing from recent entrants
to the sector and evolving business models.
Firms are becoming more sophisticated in their risk management practices, particularly
when managing conflicts of law and practice across jurisdictions. The role of general counsel is
ever more critical, and effective enterprise-wide risk management more challenging.

Construction
The 2013 study by Global Construction Perspectives and Oxford Economics forecasts global
construction growth of more than 70 per cent, reaching US$15tn by 2025. While this growth
will be disproportionately concentrated in China, the US and India, the end of austerity in
Europe is already leading to increased demand for housing, particularly in the UK.
Europe’s ageing infrastructure urgently needs updating, while governments are recognising
the vital role that transport infrastructure plays in economic growth. Large infrastructure
projects – including high-speed rail in the UK and continental Europe, major construction
projects in the Middle East, and new building from foreign direct investment (FDI) in many
African industries – indicate that the need for skilled risk professionals in this sector is on the
verge of a global boom.


Regional snapshots
Africa
The ongoing geopolitical tensions in Nigeria, Kenya, Somalia and South Sudan are inevitably
affecting predictions for economic growth. There is corresponding demand for risk professionals
with expertise and experience in political risk, supply chain and business continuity.
However, the headlines obscure the fact that African businesses tend to avoid the leveraging
that brought many western institutions to the brink of collapse six years ago. FDI, particularly
from China, is meeting a strong culture of due diligence from domestic businesses ready to
expand. Large infrastructure projects in Kenya and Nigeria have recently been given the green
light. Mining, engineering and oil and gas are all set to expand across the continent, while
tourism in those countries with stable governance – such as South Africa – continues to be a
booming industry. While the domestic risk management profession in many African countries
is still in its infancy, the sheer diversity of regional industry is creating growing interest in risk
management as a profession.

Asia
Many countries in Asia are experiencing high levels of political risk. While Thailand is now
under military rule, India has its first majority government in 20 years, giving the ruling BJP the
freedom to make fundamental economic and social changes. While GDP growth in the region
has slowed in recent years, SMEs continue to grow. The liberalisation of Malaysia’s financial
services has brought in FDI, as foreign insurance companies make plans to enter these markets.
Telecoms, technology, financial services and manufacturing are thriving. The groundswell
of demand for improvements in the infrastructure and conditions of many factories has
added to the pressure on manufacturers to clean up their supply chains. Risk management is
moving up company agendas across the region, with demand outstripping the available pool
of risk professionals.

Europe
As Europe emerges from the 2008 financial crash, employment rates in most countries are
starting to climb, and consumers are buying again. The rise in online financial and retail
transactions has made cyber security a permanent priority, and governments and businesses are
joining forces to combat cyber crime.
The aftermath of the financial downturn has resulted in a slimmed-down financial services
sector in the UK, and an EU-wide focus on systemic risk. While EU regulations to strengthen
banks’ balance sheets have led to a slowdown in investment in SMEs, technology, services and
the professions are all resuming growth. However, sanctions against Russia are likely to slow
down economic recovery in the EU, as the impact on the cost and security of energy supply
becomes apparent during winter 2014/15.

Middle East
IRM’s conference in Dubai this year demonstrated the enormous appetite for risk management
in the region. From huge projects such as Dubai’s proposed Sheikh Zayed Road mall to Saudi
Arabia’s ambition to produce a third of its electricity from renewables by 2032, risk professionals
are in high demand. The rate of start-ups is also growing, offering greater opportunities for
those in the relatively early stages of their risk management careers. Qatar’s critical industries
are still oil and gas, but the 2022 World Cup has spurred further infrastructure development
and construction.
The chemicals, automotive, defence and maritime sectors are also experiencing an uplift, as
western economies emerge from austerity. States in the region are moving away from an
over-reliance on oil and gas, and increasingly diversifying to ensure continued economic growth.


Institute of Risk Management

MIND THE GAP
GET THERE FASTER.
GET RISK QUALIFIED WITH IRM.

Enrolment for the International Diploma in Risk Management is open from 1 October 2014
For more information:
studentqueries@theirm.org
+44 (0) 207 709 9808
www.theirm.org



analysis
SPACE TOURISM

As Virgin Galactic prepares to take fare-paying passengers into space, Mark Turner CIRM asks how the risks associated with space tourism are being managed

Imagine – it is early 2015, and you and five fellow
passengers brace yourselves as the aircraft in which
you sit suddenly drops away from the mother
ship. As the sound of WhiteKnightTwo’s (WK2’s)
Pratt & Whitney jet engines fades, you feel the nose
of SpaceShipTwo (SS2) pitch upwards, and then the
gut-lurching fall is suddenly replaced by a massive
4G of pressure pushing you deep into your seat. The
vehicle shakes, and the sound of the rocket engine fills
the aircraft with a near-deafening roar. This is it. In 90
seconds’ time you will reach peak altitude and feel the
weightlessness of a sub-orbital space flight – officially
making you an astronaut.



The technology to make this space-tourist flight possible has reduced in price to such a point that it is now viable for industry to compete in a domain hitherto only available to superpower nations. With the UK government forecasting that the global space market will be worth £400bn by 2030, the rewards for business are clear. But what are the risks associated with this, and other, new space-tourist ventures – and how are they being managed?

Rockets and space planes

Rocket technology developed rapidly in Germany during World War II, with the creation of the first ballistic missile – the V2. After the war, Russia and America both made great strides in rocket development, culminating in the 1969 Moon landing. Since then, many nations have used rockets to put people into space.

However, these pioneering days of rocket travel came at a significant cost to life: almost five per cent of people attempting to travel into space have lost their lives. Disasters on launch have been commonplace, particularly in the early years. In addition, the stresses of take-off on the rocket have resulted in some terrible accidents during re-entry, as witnessed in the Space Shuttle Columbia disaster.

However, despite the risks, rocket technology has remained the mainstay of space-delivery vehicles. Then, in 2004, a private aircraft manufacturer, Scaled Composites, successfully launched SpaceShipOne (SS1) into sub-orbit, twice within a couple of weeks, to win the US$10m Ansari X Prize as the world’s first commercially built, reusable spacecraft.

Rather than using a rocket, the Scaled Composite approach employed a much simpler, space-plane technique. A ‘mother ship’ – WK1 – took off like a conventional aircraft, but attached to its undercarriage was the small SS1, which was taken to 50,000ft and dropped. The craft then angled upwards, and ignited the hybrid solid-fuel and gas engine, launching itself to 63 miles above the Earth to achieve sub-orbital flight. In order to return to Earth, SS1 feathered its wings into a ‘shuttlecock’ configuration, which slowed the craft enough to allow it to drop into the thicker atmosphere. Once the air had thickened sufficiently, it reconfigured its wings, and – like a glider – returned to the runway in the Mojave Desert.

Seeing the intrinsic safety advantages of the space-plane approach, Virgin Atlantic owner Sir Richard Branson teamed up with the owner of Scaled Composites, Burt Rutan, and Abu Dhabi’s Aabar Investments PJS, to form Virgin Galactic.

In addition to the aircraft, Virgin Galactic promises to deliver a unique experience, including astronaut training at its purpose-built facility – designed by Sir Norman Foster – at Space Port America, again in the Mojave Desert. To date, the group has invested approximately US$400m. While this may sound a lot, Branson points out that it is equivalent to the cost of buying a new 747 aircraft from Boeing.

Setbacks and detractors

Virgin Galactic optimistically announced that the first fee-paying passengers would be flying by 2010, but the venture hit a major setback in 2007. During a ground test of the equipment for the hybrid rocket engine, an explosion killed three Scaled Composites technicians, and injured three more. Since then, a number of concerns have been raised about the viability of the endeavour.

Supersonic, high-altitude test flights of SS2, in 2013 and 2014, resulted in reports – in newspapers and online – about the original engine’s ability to achieve the desired peak altitude of 62 miles. In May 2014, Virgin Galactic announced that it was changing the fuel type in SS2 in order to achieve the minimum guaranteed altitude of 50 miles. However, even this late change in technology has done little to assuage the critics.

In addition, there have been reports that cracks have been discovered in the wings of WK2. While these have been dismissed as ‘adhesive imperfections’ by Virgin Galactic, it is yet another demonstration of the risks associated with this cutting-edge, carbon-fibre technology, and the close scrutiny of Virgin Galactic by the world’s media.

Risk appetite and regulatory control

The Virgin Galactic space plane is deemed to be an aircraft for much of its trip, so its flights within US airspace are regulated by the Federal Aviation Authority (FAA). Appreciating the experimental nature of the space-plane approach, the FAA has taken a ‘hands-off’ attitude to regulating the development of the technology, allowing for a learning period. By law, the FAA cannot impose safety regulations on space-tourism flights until October 2015 – with certain exceptions to protect other airspace users – and all fliers are deemed to be ‘participants’ rather than ‘passengers’, who fully understand the risks involved.

However, the balance between the risk of space flight and regulatory control is currently being hotly debated in Washington, at NASA, and in the wider aerospace community. In Rand Simberg’s contentious book Safe Is Not An Option, published in 2013, the author – an aerospace engineer – argues that NASA’s obsession with ‘bringing everyone back alive’ has stifled space exploration for the past 40 years. The aforementioned five per cent loss of life is considered to be significantly less than might be expected for such a boundary-pushing endeavour. He argues, while nobody wants to see astronauts killed, as with all forms of transportation, it almost has to be expected. The big difference with space travel is the very public way in which disaster is likely to occur, as well as the political fallout that inevitably follows.

The reputational risk faced by Virgin Galactic is somewhat different from that experienced by NASA, and this has been recognised by the company from the outset. It has virtually to guarantee that all its passengers will stay alive; even one fatality at this early stage of development could destroy the future of the business. In addition, with passengers paying upwards of US$250,000 for the privilege of flying, this failure is really not an option.

The space-plane approach adopted by Virgin Galactic is considered many times safer than other technologies for launching into space. By taking the spacecraft high into the atmosphere before igniting the engine, not only is it less risky for the passengers and ground crews, but significantly less fuel is required to achieve a sub-orbital flight. The size and complexity – as well as cost – of the craft has been markedly reduced through the extensive use of carbon fibre in the design of WK2 and SS2. The hybrid rocket engine uses hydroxyl-terminated polybutadiene (HTPB) as a fuel grain, and nitrous oxide as an oxidiser.

This design enables the rocket to be throttled, significantly reducing the risk associated with conventional liquid-fuel rockets, or solid boosters, which – once ignited – cannot be extinguished. The ‘shuttlecock’ wing configuration also materially contributes to the overall safety of the design, by doing away with parachutes or heat shields. All these attributes help to ‘de-risk’ every stage of the flight.

Apart from the technical developments, the pilots have been able to gain hands-on experience with the aircraft as it manoeuvres and transitions from plane to spaceship. Such experience would not be possible with a conventionally launched spacecraft, thus giving Virgin Galactic confidence in the human element of the flight.

Once testing is complete, Branson and his children will be among the first passengers. It is certain, therefore, that the risks will have been minimised as far as possible.

The sky’s the limit

Beyond the sub-orbital flights planned by Virgin Galactic, several entrepreneurs are looking to the next step in space tourism. Fancy spending a few evenings with the Earth revolving outside your bedroom window? Look no further than Russian company Orbital Technologies, which is planning the world’s first orbiting hotel, to be placed into the heavens as early as 2016. Not high enough for you? Then Bigelow Aerospace may be your supplier of choice. With experience gained from placing inflatable extensions onto the International Space Station, the US company wants to site giant inflatable habitats on the moon, for commercial and industrial purposes. These businesses – plus many more – are rapidly developing the technology to open up space tourism for those who can afford it.

This new space race has the potential for a dramatic effect on the way people take holidays in the 21st century. The risks associated with such adventures are currently high; however – just as with the dawn of commercial air travel in the 20th century – financial investment and time will bring those risks to the point where hopping onto a space plane will be as common as taking a plane from London to New York.

Spaceport UK

In July, the British government announced that it intended to start developing a UK spaceport, with the intention of sending space planes into sub-orbital flights. One potential vehicle for use at this spaceport is being developed by UK company Reaction Engines. Named ‘Skylon’, this unpiloted space plane is designed to use the British-invented Synergetic Air-Breathing Rocket Engine (Sabre). This allows Skylon to take off like a conventional aircraft, then rocket itself into a sub-orbital trajectory. However, unlike the Virgin Galactic up-and-down tourist flights, Skylon would fly inter-continental routes, making it possible to travel from the UK to Australia in two hours.

Photo: Sir Richard Branson and Burt Rutan after Virgin Galactic breaks the speed of sound (Mark Greenberg / Virgin Galactic)



legal analysis
claims

Handle with care

Recently published NHS data signal a warning for the medical devices industry about inflated expectations of patients, explains Peter Rudd-Clarke

Of the many complex risks faced by the medical devices industry, recent NHS data show that one problem may be impossible to eradicate: the expectation of patients that their new prosthesis will be as good as their original limb.

People who undergo elective hip- and knee-replacement surgery are asked to complete a questionnaire before and after their operation. These patient reported outcome measures (Proms) assess improvement in health as perceived by the patient. Their subjective view is collated – together with objective data recorded by their doctors – to assess the functionality of medical devices after surgery.

The latest Proms – published on 14 August – reveal that there can be remarkable differences between a patient’s view of the performance of a medical device and their objective performance.

Taking knee replacements as an example, 45.6 per cent of questionnaire respondents – when comparing the state of their health before and after surgery – reported that they had not experienced any increase in their general health. However, when the health of patients before and after surgery was compared against objective and established scoring criteria – the Oxford Knee Score – the condition of 93.1 per cent of patients was found to have improved.

Lessons

What does this tell manufacturers of prosthetic devices? Compared to other products, there is a human aspect to consider when it comes to medical products. This is particularly important to bear in mind if a manufacturer is sued by a patient who considers that the medical device implanted in their body is defective.

The Proms data suggest that emotion will play a part if a dispute arises over the performance of a medical product, and that some patients may expect too much from orthopaedic devices that can – at best – only attempt to restore functionality in a patient who may have other complex medical conditions. Allegations of failure may be based on pain, which is difficult to measure, or the discomfort of further medical intervention to replace a device that the patient simply feels has not worked – further underlining the fact that the cause of a patient’s disappointment may not be the device itself, but the patient’s co-morbidities.

A patient’s reaction may also be affected by media reports criticising particular medical devices. If publicity raises expectations of a device or procedure beyond reasonable levels – or a patient is led to expect the worst – then they are more likely to form a negative view of their condition. Claimant law firms are well placed to capitalise on such reports, thus fanning the flames of the ‘Daily Mail effect’.

Response

What should manufacturers, and their insurers, do to cater for this human factor and media interest? Claims brought by patients against manufacturers should be treated carefully. To determine the merit of a claim, insurers and lawyers should put claimants to proof. Objective criteria can measure whether a medical device has failed. For example, the Oxford Knee Score assesses whether a prosthesis has improved a patient’s ability to perform day-to-day tasks – such as using public transport or going shopping. Expert medical opinion can review statements over the alleged defectiveness of a device, which may be based purely – or in part – on a patient’s subjective or ‘gut’ feeling.

If a manufacturer faces more than a handful of isolated claims, and is forced to deal with litigation involving multiple claimants – as well as critical media coverage – well-timed statements using objective data to demonstrate the effectiveness of a medical device may go a long way to reassure worried patients. Last month’s Proms data show that disputes, involving a mix of complex medical devices and patient expectation, must be handled with care.

Peter Rudd-Clarke is a senior associate at City law firm RPC. Contact peter.rudd-clarke@rpc.co.uk



focus
SOFT SKILLS

The case for leadership

David Hancock calls for a greater focus from risk professionals on the softer behavioural aspects of risk

We’re better at predicting events at the edge of the galaxy or inside the nucleus of an atom than whether it’ll rain on auntie’s garden party three Sundays from now – because the problem turns out to be different. We can’t even predict the next drip from a dripping tap when it gets irregular. It’s the best possible time to be alive, when almost everything you thought you knew is wrong
From Arcadia, by Tom Stoppard

The general perception that through the application of the risk management process we can somehow control the future is, in my opinion, one of the greatest misconceptions in our understanding of risk. However, we have made at least two advances in the right direction. Firstly, we can have a better understanding around the likelihood of unpleasant surprises and – more importantly – we are learning how to pre-empt their occurrence early and, subsequently, be better able to manage the consequences should they occur. However, I feel that the time is right for risk management to move away from a statistical and numerical bias to focus on the ‘softer’ behavioural aspects of risk. This, of course, will come as no surprise to a few risk management professionals, many of whom are aware that the early stages of risk’s development have tended to be dominated by the worlds of mathematics and engineering.

Frank Knight distinguished between three different types of probability, which he termed ‘a priori probability’, ‘statistical probability’ and ‘estimates’. The standard example of the first type is the odds of rolling any number on a dice. Where the probability of occurrence is known specifically – that is, if there are n mutually exclusive and exhaustive events, and if they are equally likely, then the probability of a given event occurring is 1/n; for a six-sided dice, n = 6 and the probability of throwing any single number becomes 1/6. There is no debate or opinion around this outcome and we accept it unconditionally.

The second type – statistical probability – identifies probability with relative frequency over a long series of events, or the proportion of an event in a large population. In this case, we need to have observed enough relevant data to enable us to make predictions.

However, there is a third type, when there is no valid basis of any kind for classifying instances; here, then, only estimates can be made. In this final case, the use of any kind of statistical analysis would be meaningless. This becomes increasingly relevant where we are dealing with so-called ‘Black Swan’ events that, by their very nature, lack the availability of a high level of statistically-relevant data.

Most risk management practised today focuses predominantly on the first two types of probability: either that the outcomes are known definitively, or that there is an underlying number or ‘truth’ that can be found simply by further data analysis and interpolation. This type of uncertainty is termed ‘epistemic’. It is due to a lack of knowledge about the behaviour of the system. The epistemic uncertainty can – in principle – be eliminated with sufficient study and, therefore, expert judgements may be useful in its reduction.

However, the third type of risk – that of ‘aleatoric’ uncertainty – arises because of natural, unpredictable variation in the performance of the system under study. The knowledge of experts cannot here be expected to reduce this type of uncertainty, although their knowledge may be useful in quantifying the uncertainty. This is the part that present risk practices tend to ignore or overlook with their concepts of Risk = Likelihood x Consequence equations. These types of problems have already been encountered in the worlds of science, mathematics, and economics, creating a shift towards a more behavioural understanding – the so-called ‘new sciences’ – led by eminent scholars in the field, such as Einstein, Lorenz and Feynman. Meanwhile, risk management appears largely to have remained stuck to those early principles of the 1950s that predominantly rely on process, models, policy and legislation. In my view, it is time for us to move on.

[Figure 1: Boston Matrix, showing the four problem types – adapted from Roth and Senge. Horizontal axis: dynamic systems complexity (uncertainty), low to high. Vertical axis: behavioural complexity (ambiguity), low to high. Quadrants: Tame, Mess, Wicked, Wicked mess. Other labels: ‘Solution is scientific’; ‘Resolution is social/political/ethical/moral/behavioural’; ‘Increasing reliance on quantitative assessment’; ‘Increasing reliance on qualitative assessment’; ‘Past’; ‘Future’.]

Tame, messes and wicked problems

One of the first areas to be investigated is whether our current simple classification and use of risk is a correct assumption. The general view, at present, appears to treat the system under review as linear, deterministic and predictable, in which a complex system or problem can be reduced into simple forms for the purpose of analysis. It is then believed that the analysis of those individual parts will give an accurate insight into the working of the whole system, supporting the strongly-held feeling that science will explain everything.

However, this type of problem – which can be termed ‘tame’ – appears to be only part of the story when it comes to defining our risks. Tame problems are those that have straightforward, simple linear causal relationships and can be solved by analytical methods – sometimes called the cascade, or waterfall, method. Here, lessons can be learned from past events and behaviours and applied to future problems, so that best practices and procedures can be identified.

In contrast, ‘messes’ have high levels of system complexity and are clusters of interrelated or interdependent problems. Here, the elements of the system are normally simple, with the complexity lying in the nature of the interaction of its elements. The principal characteristic of these is that they cannot be solved in isolation, but rather need to be considered holistically. Using strategies for dealing with messes is fine, as long as most of us share an overriding social theory or social ethic; if we don’t, we face ‘wickedness’.

‘Wicked’ problems are termed as ‘divergent’ – as opposed to ‘convergent’ – problems. Wicked problems are characterised by high levels of behavioural complexity. Here, uncertainty as a dominant factor is replaced by ambiguity – there is no optimum answer, just a series of ‘satisfactory’ solutions. What confuses real decision-making is that behavioural and dynamic complexities co-exist and interact in what we call ‘wicked messes’. Dynamic complexity requires high-level conceptual and systems-thinking skills; behavioural complexity requires high levels of relationship and facilitative skills. The fact that problems cannot be solved in isolation from one another makes it even more difficult to deal with people’s differing assumptions and values; people who think differently must learn about and create a common reality, one which none of them initially understands adequately.

The main thrust to the resolution of these types of problems is stakeholder participation and ‘satisficing’.



Many risk planning and forecasting exercises are still being undertaken on the basis of tame problems assuming the variables on which they are based are few, fully understood and able to be controlled. However, uncertainties in economics, politics and society have become so great as to render counterproductive – if not futile – this kind of risk management, which many organisations still practise.

Chaos and risk

At best, I believe problems under scrutiny should be considered as deterministic, chaotic systems rather than tame problems. Here, I am not using the term ‘chaos’ as defined in the English language, which tends to be associated with absolute randomness and anarchy (Oxford English Dictionary describes chaos as ‘complete disorder and confusion’) but based on the chaos theory developed in the 1960s. This theory showed that for systems with a degree of feedback incorporated into them, tiny differences in input could produce overwhelming differences in output (the so-called ‘butterfly effect’, Gleick 1987).

Here, chaos is defined as ‘aperiodic’ (irregular) banded dynamics (a finite range) of a deterministic system (definite rules) that is sensitive to initial conditions. This appears to describe real-life events much better than the linear deterministic and predictable view, in which both randomness and order can exist simultaneously within those systems. The characteristics of this type of problem are that it is not held in equilibrium, either among its parts or within its environment, and the system operates ‘at the edge of chaos’, where small changes in input can cause the system to either settle into a pattern or, just as easily, veer into total discord.

For those who are sceptical, consider the failing project that receives new leadership – it can just as easily move into abject failure as settle into successful delivery and, at the outset, we cannot predict with any certainty which one will prevail. At worst, they are wicked messes.

Conclusion

How should the risk professional exist in this world of future uncertainty? Not by returning to a reliance on quantitative assessments, statistics and determinism, where none exists. We need to embrace its complexities and understand the type of problem we face. To address risk in the future tense, I believe we need to develop the concept of ‘risk leadership’, which consists of:
• Guiding rather than prescribing
• Adapting rather than formalising
• Learning to live with complexity rather than simplifying
• Inclusion rather than exclusion
• Leading rather than managing

The implications of the new concept of risk leadership are described in the table below.

| Risk management | Risk leadership |
| --- | --- |
| 1. Works to a defined scope, budget, quality and programme. | Recognises the possibility of different outcomes and tries to ensure risk activities focus on making an acceptable outcome more likely. |
| 2. Uses the instrumental lifecycle image of risk management as a linear sequence of tasks to be performed on an objective entity, using knowledge and procedures. | Uses concepts and images that focus on social interaction among people, understanding the flux of events and human interaction, and the framing of events within an array of social agenda, practices, stakeholder relations, politics and power. |
| 3. Manages process to ensure complicated projects of people and technology run smoothly. | Develops team behaviours and confidence through scenario planning and team building to identify and respond to risks and opportunities. |
| 4. Establishes detailed steps, processes and timetables. | Understands the ‘many acceptable futures’ proposition and manages risk to produce the changes needed to achieve the acceptable outcomes. |
| 5. Applies concepts and methodologies that focus on risk management for creation or improvement of a product, system or facility, and so on, monitored and controlled against specification (quality), cost and time. | Applies concepts and frameworks that focus on risk management as value creation, while aware that ‘value’ and ‘benefit’ will have multiple meanings linked to different purposes. |
| 6. Attempts to control risk by monitoring results, identifying deviations from the plan and developing mitigation actions to return to plan. | Adapts the risk process to overcome political, bureaucratic and resource barriers to developing change in behaviours, through trust and managing expectations. |
| 7. Works on the assumption that the risk model is the actual ‘terrain’ (that is, the actual reality ‘out there’ in the world). | Is based on the development of new risk models and theories that recognise the complexity of risk and its management and that the model is one part of a complex ‘terrain’. |
| 8. Implementer of the risk process. Training and development produces practitioners who can follow detailed procedures and techniques. | Is a reflective listener: learning and development facilitates the development of reflective practitioners who can learn, operate and adapt effectively in complex environments |
| 9. Seeks predictability and order. | Has learnt to live with chaos, complexity, ambiguity and uncertainty, and leads, through example, to a successful conclusion. |

What does this all mean?

This means we must apply a new approach for risk management when dealing with problems that are not tame.

Also, that we should seek to enhance our understanding of the behavioural aspects of the profession and move away from a blind application of process and generic standards towards an informed implementation of loose guidance.

But what we really need to develop are great risk leaders who understand that risk is more of an art than a science, and that this, truly, is the best time to be alive and working in risk – at a time that, perhaps, almost everything we thought we knew may just turn out to be wrong.

Dr David Hancock MBA CEng FCIPD FAPM is head of risk and benefits at Transport for London (TfL)



book review

Opening up the silos

Risk-based performance management: integrating strategy and risk management
(Palgrave Macmillan)
By Andrew Smart and James Creelman

By looking at how to integrate strategy and risk management, Smart and Creelman have made a significant contribution towards helping risk and strategy professionals improve their organisations’ performance by strategically reducing risk. The book is quite academic, with detailed analysis of risk and strategic concepts and frameworks. More robust editing – and integrated case studies incorporating all of their recommendations – would have helped to make it an easier read but, that said, the authors present some powerful tools that help move the risk profession forward.

Where the book really comes into its own is in discussing key risk, performance, and control indicators. Particularly insightful is the analysis of the interplay between the three indicators, and how they combine to drive strategy execution and risk management to achieve a set strategy. Examples of integrating the use of the three indicators make it clear that the only way to achieve a targeted, strategic ‘sustainable (and defendable) position – which enables the organisation to achieve its objectives while operating within defined risk appetite boundaries’ – is through integrating strategy and risk management.

The authors include an ‘appetite and exposure alignment matrix’. This amalgamation of strategy and risk management provides a simple way of showing non-risk professionals how, together, risk management and strategy can deliver tangible value. They provide examples of firms using the matrix to save money, where they are underexposed, by reducing risk controls, or pursuing profitable opportunities due to their superior risk-management capabilities. These are strong arguments for the as-yet-unconverted to bring together risk management and strategy.

Integration

Despite the strength of the authors’ case, I suspect it will be several more years before more firms take the plunge and truly integrate the two disciplines. Many organisations say they integrate strategy and risk management; some even make a big deal of this in their external communications. However, in practice, these functions are usually managed by two separate teams, with distinct reporting lines to the executive management team and the board. Often, the closest strategy and risk teams actually get to working together is when the strategy team provides content to the risk section of the annual report, or when the risk management team provides limited content to senior management strategy sessions.

True integration is overdue for many. For those forward-looking companies aiming to integrate risk management and strategy, this book is a useful guide to bringing that date forward.

Erik Johnson MIRM ACII is assistant vice-president, business development, at Allied World Assurance Company (Europe).



irm focus
DIRECTOR’S CUT

GLOCAL HERO
IRM BOARD DIRECTOR NICOLA CRAWFORD FIRM REFLECTS ON ‘GLOCALISATION’ AND THE CHALLENGES IT PRESENTS TO RISK PROFESSIONALS

As the summer draws to an end, I am reviewing the menu in a Turkish resort, considering what constitutes a ‘full English’ breakfast, costing £1. The Turks have adapted their services to cater for UK tourists, even pricing food in sterling rather than lira. Bacon is not included, replaced instead by a version of chicken ham – reflecting the availability of certain meats driven by cultural differences. This is an example of local services adapted to meet global needs. But does this happen in the other direction? And how are risks and their management affected by the concept of ‘glocalisation’?

Blending ‘local’ and ‘global’, the terms ‘glocal’ and ‘glocalisation’ have been adapted by the business world to refer to ‘global localisation’. The term was modelled on the Japanese word ‘dochakuka’, which meant adapting farming techniques to one’s own local condition.

Glocalisation of risk is, therefore, concerned with understanding and managing risks arising from local conditions that could have a global impact, and/or risks that are global in nature but have a specific local impact at an industry- or business-specific level.

Global localisation

The 21st century has spun a worldwide web of interdependencies. People from practically all societies are confronted with aspects of other cultures through tourism, the media and consumer goods. This has led to significant benefits – including growth in incomes, education, innovation, and technology. But it has also created unease. What were once considered independent and unrelated risks are now interconnected, more complex and systemic.

The types of risk include: economic and financial; global pandemic; infrastructure; supply chain; food security; and geo-political. They can affect local functioning of firms operating worldwide, but can also be the source of local risks with a global impact. How can we manage them?

We have to acknowledge that we live in a world characterised by multiplicity, uncertainty, ambiguity and ambivalence. Accordingly, we have to learn to manage the differing risk appetites that these factors bring.

Glocalisation may offer enterprises exciting opportunities in emerging markets – but it can also introduce complex challenges. These include:

A shifting risk profile – The increased scale of globalised operations is matched by the level of risk, ranging from fluctuations in interest and exchange rates to supply chain piracy. As these risks become more strategic, they often involve greater levels of uncertainty that can hit capital investments. Firms, therefore, need a more comprehensive risk framework and the ability to analyse scenarios and model specific risks and costing options.

Regulatory obstacles – Fast-changing regulations and local policies can have a dramatic effect on the profitability of cross-border investments, heightening uncertainty in rapid-growth markets. By adopting a global platform and capability for managing the risk portfolio, greater visibility can be gained into the procedures for overcoming regional barriers – and for developing suitable contingency plans.

Cultural differences – Managing workforces when operations are separated by distance, time zones, cultural and religious differences can be a challenge. The central organisation must be able to refine its risk management capability and create an infrastructure that both maintains the diversity of international teams, and allows local delivery.

Resource constraints – Increased competition for talent often results in skills shortages in key areas. This creates demand for effective training and development of local resources in key risk management areas.

IRM is well placed to support both global enterprises and local companies to reach the capability required to manage risks arising from globalisation and glocalisation. However, like any other enterprise expanding globally, there is a challenge in mastering the trade-off between localisation to match local requirements and standardisation to realise economies of scale.

The customisation of IRM qualifications and services to a region is called localisation, but glocalisation is the standard to which the IRM should aspire. To this end, IRM’s regional group structure allows cultural, linguistic, political, religious and ethnic affiliations to be simultaneously researched and integrated into one solution. In this manner, the intended region and market is given a stake in the process, and not just in the end result.

IRM board director Nicola Crawford FIRM is managing director of i-Risk Europe, and chair of IRM’s regional group in Turkey



Virtual but vital

IRM’s new free webinar service is a real find for time-poor risk professionals keen to keep up to speed. Launched in June, these 45-minute online presentations feature some of our most popular trainers and topics.

Webinars so far have covered subjects including crisis reputation management, the critical stages involved in effective decision-making, and business risk and resilience. Catch up with previous sessions and find out what’s coming up at www.theirm.org/training/webinars/

A model solution for insurance

While Solvency II is still – officially – scheduled for implementation in January 2016, the use and validation of internal risk models remains a potentially confusing issue. IRM’s practitioners’ forum is currently undertaking research to identify proven good practice, with results due to be presented at a forthcoming forum.

For more information see www.theirm.org/knowledge-and-resources/thought-leadership/creating-value-through-internal-models/

So many products, so little knowledge

Despite the launch of more than 70 new cyber insurance products in the last two years, 80 per cent of UK businesses are still without it.

The evolution of cyber threats has created gaps in existing products and uncertainty around policy wording. IRM’s one-day Cyber Risk and Insurance conference in London on 27 October focuses on practical guidance from industry leaders and experts to analyse your needs, explore your options and resolve the uncertainty. Find out more at www.theirm.org/events/cyber-risk-and-insurance-the-risk-managers%E2%80%99-forum/

Risk Leaders 2014 – tackling today’s business threats

As European farmers, American drugs companies and foreign investors in Russia are currently finding out, the unpredictability of this year’s business risks provides a compelling argument for tackling them at board level. IRM’s Risk Leaders 2014 conference brings together chief risk officers, heads of risk and those responsible for risk at board level to share their experiences, discuss strategy and develop solutions.

The conference takes place at the Inmarsat conference centre in London on 11 November. With the future of Trident decided by the results of this month’s Scottish referendum, the Atomic Weapons Establishment will explain how it prioritises risk at board level.

In addition, Department for Transport non-executive director Mary Reilly will evaluate the common challenges facing risk leaders across industry.

And, as the EU calls for tougher enforcement of antitrust rules, Lord Currie, chair of the Competition and Markets Authority, will open the conference by analysing the risks of falling foul of competition law.

The day concludes with an entertaining and universal risk perspective from BBC and Channel 4’s NASA and the NHS expert, Kevin Fong.

For more information, visit: www.theirm.org/events

Economic resilience

As Italy falls back into recession and other countries waver on the edge, the OECD has published a report into how effective risk governance can boost economic resilience to shocks.

The report – Boosting resilience through innovative risk governance – references IRM’s risk appetite principles, and explores risk management and global corporate governance in several jurisdictions. Find it at IRM’s online resource centre or via the OECD library at www.oecd-ilibrary.org/governance/boosting-resilience-through-innovative-risk-management_9789264209114-en



irm focus
news

Unravelling a tangled web

From hacking attacks affecting major online retailers to the impact of sanctions, it is clear that the days of self-contained businesses are over. Today’s organisations rely on a complex and interconnected web. They operate in a world increasingly characterised by volatility, uncertainty, complexity and ambiguity.

A wide range of experts have been involved this year in researching and compiling one of the most comprehensive guides to date for managing these risks. IRM’s Extended enterprise: managing complexity in 21st century organisations guide will be launched at a one-day conference on 9 October and will be available to IRM members via our website shortly afterwards. Full details at: www.theirm.org/events/extended-enterprise-2014/

Training Focus: The haves and the have-yachts

IRM trainer Liz Taylor admits she may well have watched too many James Bond movies. In her popular – but intensive – two-day Practical Risk Appetite course, students are given an aspirational exercise that involves playing the board of the super yacht builder Moonray Ltd.

It builds glamorous, high-end vessels, the kind that attract more than their fair share of risks. Its designers and specialist engineers are among the world’s best, and customers in the Middle East and Asia Pacific are flocking to buy. On the downside, it is carrying a lot of debt, relies heavily on CAD, and both timing and communication are critical.

Working in groups, students take different roles on the board. Together, they make decisions on risk appetite and tolerance, determine business drivers and the complexities of numerous stakeholder requirements. They then develop a strategic risk register, undertake key risk-mapping, risk scenarios and root cause analyses. As with any exercise involving role play, students tend to end up inhabiting their role on the Moonray board with total commitment.

Practical Risk Appetite is a challenging course. Both the volume and level of content are high, yet student feedback is consistently of the ‘Eureka’ kind – even if the yachts must remain forever imaginary.

• The next Practical Risk Appetite course takes place in London on 7 October. Contact: training@theirm.org for more details. For information on all IRM short courses visit www.theirm.org/training/all-courses/

Facing new competition risks

With the move to tighten competition law enforcement across Europe, IRM is working with the UK Competition and Markets Authority to raise awareness of the risks of contravention. We will be publishing our joint guidance in the coming months. In the meantime, any IRM members who would like to help by reviewing and commenting on this guidance please contact Carolyn Williams at Carolyn.Williams@theirm.org

A night to remember

From Australia to China, Turkey to Ghana, the entries for IRM’s Global Risk Awards keep coming in. The 2015 Awards, held in London on 19 February, look likely to be the biggest yet. Full details of categories and how to enter are available on the website: www.theirm.org/events/global-risk-awards-2015/



IRM focus news

Cyber impact
The majority of cyber security research featured by the Centre for the Protection of the National Infrastructure (CPNI) focuses on prevention. Recently, however, it has been looking at the broader risks involved, and the types of business impact on victim companies.
A report commissioned from Oxford Economics provides useful findings on the business impact of cyber breaches. This is particularly useful for risk professionals looking to build a model that can quantify cyber risk in a more meaningful way. It can be found at www.cpni.gov.uk/advice/cyber/Cyber-risk-and-business-impact/

Annual Lecture 2014
Gut instincts – fundamental or flawed?
We are delighted to announce that Professor Gerd Gigerenzer will deliver IRM’s annual lecture on 2 December. Gigerenzer, who is an Honorary Fellow of IRM, is director of the Max Planck Institute for Human Development and of the Harding Centre for Risk Literacy in Berlin. Many IRM members will have read his fascinating books on risk perception and communication, and followed his debates with Kahneman and Tversky about whether our gut instincts are fundamentally reliable aids to decision-making or hopelessly prone to biases and flaws. For more details, visit www.theirm.org/events/annual-lecture/

Contribute to raising British standards
The RM1 UK Committee run by BSI (the British Standards Institution) is currently reviewing its membership to ensure it fully represents those working in risk in both businesses and the public sector. IRM members who would like to nominate themselves for the committee are invited to contact its secretary, David Adamson, at david.adamson@bsigroup.com

A moving experience
All change at IRM HQ. We have moved to new offices, with an improved and integrated training suite. From 12 September our new address is: IRM, 2nd Floor, Sackville House, 142–149 Fenchurch Street, London EC3M 6BV. Our telephone numbers and email details stay the same.

Regional groups / Special interest groups

Regional groups

The doctor can see you now
The UK North East regional group is running a series of ‘risk clinics’. These three-hour roundtable events are open to everyone interested in sharing experiences and knowledge around risk management.
The next roundtable, ‘Getting value from risk management’, takes place in Sheffield on 6 October. It will look at the difficulties risk professionals encounter in embedding risk across their organisations, with insights from both an internal auditor and a previous auditor who jumped ship to join the risk management team. See the group’s webpage for more information at www.theirm.org/events/regional-groups/north-east-england/

Swiss action
The Swiss regional group’s next meeting will host a presentation on the findings of the IRM’s Extended Enterprise report, a discussion on the challenges of modelling operational risk, and career path research on what it takes to be a chief risk officer. The meeting takes place on 22 September in Zurich.
The following meeting on 17 November – again in Zurich – will explore safety risk management in air traffic management and ‘the absurdity of root-cause analysis of risk events’. See the website for more details at www.theirm.org/events/regional-groups/switzerland/

Special interest groups

Insurance insight
The ERM in insurance special interest group’s next meeting on 30 October will be looking at ERM maturity levels, their pros and cons, and the training needed to achieve targeted levels. On 20 November, the group will be discussing the sometimes-vexed question of the relationship between the risk and compliance functions.
The ERM in insurance annual survey, seeking member priorities for the next year, is open until the end of September. Give your views at www.surveymonkey.com/s/ERMinInsurance2014
Find out more about the group’s work at www.theirm.org/events/special-interest-groups/erm-in-insurance/



The Institute of Risk Management – Events

Extended Enterprise 2014
Managing risk in the world of ‘vuca’: volatility, uncertainty, complexity and ambiguity
1 day conference
9 October 2014
Cass Business School Executive Education, 200 Aldersgate Street, London, EC1A 4HD
Book now at www.theirm.org/events/extended-enterprise-2014

ALL WILL BE REVEALED...
IRM’s Global Risk Awards provide the perfect showcase for excellence in risk management across the world. With an intriguing masquerade theme, 2015’s Awards look set to be the biggest yet.
Submissions close on 15 September so get ready to tell us why it should be you.
For award categories, and further information on how to submit an entry visit: theirm.org/events/global-riskawards-2015
email us at events@theirm.org
call us on + 44 (0)20 7709 9808

BOOK BY 26 SEPTEMBER TO SAVE 15%

Risk Leaders 2014
Sky’s the limit
Practical Strategies for Risk at Board Level
Tuesday 11 November 2014
Inmarsat Conference Centre, 99 City Road, London, EC3N 3AX
The 1 day conference for: Chief Risk Officers, Heads of Risk and anyone responsible for risk at board level

Cyber Risk & Insurance
The Risk Managers’ Forum
1-day conference
27 November 2014
Cyber Risk and Insurance focuses on practical guidance for insuring your organisation’s cyber risk. It includes a problem-solving roundtable forum and a panel discussion to enable you to fully participate and get the answers to your questions.
etc.venues, Dexter House, 2 Royal Mint House, London, EC3N 4QN

For further info, please contact: jason.williams@theirm.org
Book today: www.theirm.org/events
The Institute of Risk Management, 6 Lloyd’s Avenue, London, EC3N 3AX +44 (0)20 7709 9808 www.theirm.org


IRM FOCUS
CAREERS

In the name game

David Imison is delivery director of risk consulting at Schillings

How did you enter the world of risk management?
I graduated from university with degrees in Classics and law, without knowing exactly what I wanted to do, career-wise. When an opportunity arose to join a fast-growing company on its graduate scheme, I went for it, knowing that this was an opportunity to work on the commercial side of an interesting business. Our clients at the time were operating in high-risk industries, and our job was to help them manage risks in their supply chain. Since then, I have worked in a global risk consultancy – for one of the ‘Big Four’ advisory firms – and now head up the risk consulting team at Schillings.

What does best-practice risk management look like?
Earning the right to be in the big conversations. Clients come to us because they want our counsel. They aren’t thinking in terms of what is legal, what is risk management – or even, necessarily, what is best practice. They are simply looking for the best advice on how to achieve their objectives.

Describe your typical day
My day often starts at 8am, with a breakfast seminar that colleagues and I run for clients and prospects. This is followed by a team meeting to discuss the priorities and the issues of the day – after which it’s straight into calls with HNW [high net worth] clients and their PR advisers. Come lunchtime, I will spend 10 minutes reading up on my beloved Arsenal, before preparing for my mid-afternoon client meetings. By 3pm, I’ll be facilitating a crisis-management exercise for one of our corporate clients, before heading back to the office to conduct interviews as we go about finding the best talent for our growing team. As we move towards the daily print deadline, one of our lawyers will come to me with a breaking news story that has the potential to affect one of our clients. The research team will then be scrambled to gather intelligence on the matter in question – and a take-away ordered in.

What are the best and worst aspects of your role?
The unpredictability – which applies to both the best and worst parts of the role. Sometimes, keeping all the plates spinning is a challenge, but – at the same time – I am energised by the sheer excitement and profile of the things that I am working on.

What has been your greatest achievement?
Professionally, it would have to be building the foundations of a successful risk management consultancy business here at Schillings. In terms of activities, I’m proud to have trekked 250km through the Gobi desert. Personally, my greatest achievement was buying my flat in London – it felt like finishing an uphill marathon!

What advice would you give to an aspiring, or up-and-coming, risk professional?
We work in an economy largely based on knowledge. Ask questions, study hard, be inquisitive, and try not to stand still.

What’s the best piece of advice anyone in the profession has given you?
‘Eat the horse whole.’ No, this isn’t a metaphor; it actually refers to the national dish of Kazakhstan. I spent quite a long time working there in 2012, and my boss at the time provided me with this valuable lesson in cultural assimilation.



Institute of Risk Management

MIND THE GAP
GET THERE FASTER.
GET RISK QUALIFIED WITH IRM.

Enrolment for the International Diploma in Risk Management is open from 1 October 2014
For more information:
studentqueries@theirm.org
+44 (0) 207 709 9808
www.theirm.org



IRM focus
MEMBER PROFILE

Monika Narula
A self-confessed tea inventor with a shelf of awards and a passion for books

Monika Narula is an operational risk manager with RBS, India

Why risk management?
Because it’s a role where you get to talk directly to every level of stakeholder – from staff to senior management, vendors to customers and board members to regulators. There’s no better way to both learn about every aspect of business and get a take on where the world’s going next. Risk professionals don’t – or shouldn’t – sit in ivory towers. The volume of interactions we have every day is a sure-fire path to growing both professionally and personally.
Plus, in this situation, you have the opportunity to innovate continuously, which is exciting.
And – on a practical career note – when the rest of the world is shedding staff and economists pore over unemployment figures, risk management professionals stay in demand, as we’ve seen with the recent global recession.

What are your passions outside work?
I love to explore new places and read about people who have made it in life. Knowing about different cultures across the world, meeting people with different backgrounds, thrills me. These things can totally challenge and change the perspective you’ve been carrying all your life.
Keynote and Letters by JRD Tata are my all-time favourite reads. He urges people to ‘live life a little dangerously’!
I’m also fascinated by Greek mythology. It’s not just interesting in its own right, but I think it also quite subtly tells you about the realities of life and how to deal with them.
New places and good books are important to me, but I can’t beat catching up with my parents and brothers and sisters, as I live in a different city from them.

What’s the most important advice you would give young risk managers starting out on their careers?
First, view every small opportunity and assignment as a stepping stone. Sharpen up your soft skills and never, ever, stop being a student. Business acumen is a must as you move forward in your career, and this helps you anticipate risks ahead of the competition.
The risk profession involves finding gaps and telling business owners about them. And that’s not easy! So learn the art of communicating not-so-good news without hampering relationship with stakeholders. The art of writing – especially emails – is often overlooked, but I’ve found it’s a must.
And – perhaps most importantly – join a professional forum that can keep you updated on different domains in risk management, help you connect to experienced professionals, and keep bringing opportunities to you. A word of caution though: don’t expect to be spoon-fed; you need to keep yourself open and flexible to absorb new ideas and exploit opportunities fully.

Who or what inspires you?
I’m deeply inspired by real-life stories of people who have dared to take a different path in life, made it to the top and changed the world in some way.
Sir Richard Branson is someone I admire for his guts on taking risks in business and doing things no-one had previously imagined. He started so much from scratch. There are a lot of lessons there.
He’s written a number of inspiring books, using his real-life experiences, that are all worth reading. Above all, he is in continuous touch with society as a whole for philanthropic reasons, which seems responsible.

Tell us something surprising about yourself
I am a tea inventor. I’ve experimented and created more than 50 flavours of tea. What could be a better stress-buster for a busy risk professional than an aromatic cuppa?



DIRECTORY
RISK MANAGEMENT PROFESSIONALS

RISK CONSULTING, REPUTATION LAW & INFORMATION SECURITY
From reputation resilience to reputation defence, the steps you take to protect your reputation are as crucial as those you take to build it. At a time when successful individuals and businesses face a huge variety of threats with the potential to affect their reputations negatively, Schillings help clients assert a more powerful commentary in the face of attacks on their reputations, by anticipating and containing these threats through a combination of risk consulting, law and information security.
Schillings
41 Bedford Square
London
WC1B 3HX
Tel: +44 (0)20 7034 9000
Email: David.Imison@schillings.co.uk
Web: www.schillings.co.uk

INSURANCE CLAIMS HANDLING & RISK MANAGEMENT SOFTWARE
At JC Applications Development Ltd, we believe that our commitment to providing simple-to-use, yet feature-rich, applications for claims and risk management is what has enabled us to grow a successful and satisfied client-base of more than 160 organisations. Although our clients can occupy very different sectors of business – for instance, UK central and local government, US government, and commercial – sentiments converge when looking for a proven technology solution provider. If you are looking to improve the way you handle claims or manage risk, then JCAD has the right mix of products and services to guarantee a cost-effective and timely implementation.
Phil Walden
JC Applications Development
Manor Barn
Hawkley Rd
Hawkley
Liss
Hampshire GU33 6JS
Tel: +44 (0)1730 712020
Email: phil@jcad.co.uk
Web: www.jcad.co.uk

RISK MANAGEMENT TECHNOLOGY
Riskonnect, Inc. is the provider of a premier, enterprise-class technology platform for the risk management industry. As an independent innovator in risk management technology, Riskonnect develops and markets a growing suite of technology solutions on a world-class cloud computing model, helping clients elevate their risk management programs, safety solutions and programs for management of risks across the enterprise. Through Riskonnect RMIS, Riskonnect ERM, Riskonnect EHS and other Riskonnect applications, the company provides the risk management industry with the specific, configurable solutions needed to reduce losses, control risk and affect shareholder value.
Ross Ellner
Director, EMEA
Riskonnect, Ltd.
52 Kingsway Place,
Clerkenwell, EC1R 0LU
Tel: +44 (0) 7714 262351
Email: ross.ellner@riskonnect.com
Web: www.riskonnect.com

INSURANCE CLAIMS HANDLING AND RISK MANAGEMENT SOFTWARE
The InsuBiz solution is an established modular-based software for captives and risk and insurance managers that enables you to take greater control of your insurance, claims and risk management data. By providing you with an overview of your insurance programme, aligning this to a full incident and claims administration system, and tying it into your risk management models and scorecards, InsuBiz gives you a powerful management and workflow tool to navigate, manage and analyse the risks to your business.
Elaine Barclay
Client Services Manager - UK
InsuBiz UK Limited
22 Cawder Road
Cumbernauld
Glasgow G68 0BF
Tel: +44 (0)7900 503751
Email: eb@insu.biz
Web: www.insu.biz

TO ADVERTISE HERE, CALL MICHAEL NISKIN ON +44(0)1223 273 535 OR EMAIL michael.niskin@rmprofessional.com
