Chapter 1 states that risks can be divided into three categories: hazard risks, control risks, and opportunity risks. Review the definitions of these risks in Appendix B. Using the format in Table 3.1 (page 37), replace the topic of “owning a car” with one from your company or an organization with which you are familiar. Complete each section and include your new table in the discussion board. Include at least 3 risks for each of the 3 sections of the table (you are welcome to include more if you really get into it!). Respond to at least two of your colleagues’ entries.
Fundamentals of Risk Management
Understanding, evaluating and implementing effective risk management
Paul Hopkin
Publisher’s note
Every possible effort has been made to ensure that the information contained in this book is accurate at
the time of going to press, and the publishers and authors cannot accept responsibility for any errors or
omissions, however caused. No responsibility for loss or damage occasioned to any person acting, or
refraining from action, as a result of the material in this publication can be accepted by the editor, the
publisher or any of the authors.
First published in Great Britain and the United States in 2010 by Kogan Page Limited.
Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced,
stored or transmitted, in any form or by any means, with the prior permission in writing of the publishers, or in the case of reprographic reproduction in accordance with the terms and licences issued by the
CLA. Enquiries concerning reproduction outside these terms should be sent to the publishers at the
undermentioned addresses:
120 Pentonville Road
London N1 9JN
United Kingdom
www.koganpage.com
525 South 4th Street, #241
Philadelphia PA 19147
USA
4737/23 Ansari Road
Daryaganj
New Delhi 110002
India
© The Institute of Risk Management, 2010
The right of The Institute of Risk Management to be identified as the author of this work has been
asserted by them in accordance with the Copyright, Designs and Patents Act 1988.
ISBN 978 0 7494 5942 0
E-ISBN 978 0 7494 5943 7
British Library Cataloguing-in-Publication Data
A CIP record for this book is available from the British Library.
Library of Congress Cataloging-in-Publication Data
Hopkin, Paul.
Fundamentals of risk management : understanding, evaluating, and implementing effective risk management / Paul Hopkin.
p. cm.
Includes index.
ISBN 978-0-7494-5942-0 — ISBN 978-0-7494-5943-7 (ebook) 1. Risk management. I. Title.
HD61.H567 2010
658.15’5–dc22
2009046006
Typeset by Saxon Graphics Ltd, Derby
Printed and bound in India by Replika Press Pvt Ltd
Dedication
Michael, David and Kathy
Contents

Dedication
List of Figures
List of Tables
Preface
Acknowledgements
Introduction

Part 1 Introduction to risk management
Learning outcomes for Part 1
Part 1 Further reading

1 Approaches to defining risk
Definitions of risk
Types of risks
Risk description
Inherent level of risk
Risk classification systems
Risk likelihood and magnitude

2 Impact of risk on organizations
Risk importance
Impact of hazard risks
Attachment of risks
Risk and reward
Risk and uncertainty
Attitudes to risk

3 Types of risks
Timescale of risk impact
Hazard, control and opportunity risks
Hazard tolerance
Management of hazard risks
Uncertainty acceptance
Opportunity investment

4 Development of risk management
Origins of risk management
Insurance origins of risk management
Specialist areas of risk management
Enterprise risk management
Levels of risk management sophistication
Risk maturity models

5 Principles and aims of risk management
Principles of risk management
Importance of risk management
Risk management activities
Efficient, effective and efficacious
Perspectives of risk management
Implementing risk management

6 Risk management standards
Scope of risk management standards
Risk management process
Risk management framework
COSO ERM cube
Features of RM standards
Control environment approach

Case study: Barclays Bank – risk management objectives

Part 2 Risk strategy
Learning outcomes for Part 2
Part 2 Further reading

7 Risk management policy
Risk architecture, strategy and protocols
Risk management policy
Risk management architecture
Risk management strategy
Risk management protocols
Risk management guidelines

8 Risk management documentation
Record of risk management activities
Risk response and improvement plans
Event reports and recommendations
Risk performance and certification reports
Designing a risk register
Using a risk register

9 Risk management responsibilities
Allocation of responsibilities
Risk management and internal audit
Range of responsibilities
Statutory responsibilities of management
Role of the risk manager
Chief risk officer (CRO)

10 Risk architecture and structure
Risk architecture
Corporate structure
Risk committees
Risk communications
Risk maturity
Alignment of activities

11 Risk-aware culture
Styles of risk management
Defining risk culture
Components of a risk-aware culture
Measuring risk culture
Risk culture and risk strategy
Establishing the context

12 Risk training and communication
Risk training and risk culture
Risk information and communication
Shared risk vocabulary
Risk information on an intranet
Risk management information systems (RMIS)
Consistent response to risk

Case study: Tesco – risk management responsibilities

Part 3 Risk assessment
Learning outcomes for Part 3
Part 3 Further reading

13 Risk assessment considerations
Importance of risk assessment
Approaches to risk assessment
Risk assessment techniques
Risk matrix
Risk perception
Risk appetite

14 Risk classification systems
Short, medium and long-term risks
Purpose of risk classification systems
Examples of risk classification systems
FIRM risk scorecard
PESTLE risk classification system
Hazard, control and opportunity risks

15 Risk likelihood and impact
Application of a risk matrix
Inherent and current level of risk
Control confidence
4Ts of risk response
Risk significance
Risk capacity

16 Loss control
Risk likelihood
Risk magnitude
Hazard risks
Loss prevention
Damage limitation
Cost containment

17 Defining the upside of risk
Upside of risk
Opportunity assessment
Riskiness index
Upside in strategy
Upside in projects
Upside in operations

18 Business continuity planning
Importance of BCP and DRP
Business continuity standards
Successful BCP and DRP
Business impact analysis (BIA)
BCP and ERM
Civil emergencies

Case study: Invensys – risks and uncertainties

Part 4 Risk and organizations
Learning outcomes for Part 4
Part 4 Further reading

19 Corporate governance model
Corporate governance
OECD principles of corporate governance
LSE corporate governance framework
Corporate governance for a bank
Corporate governance for a government agency
Evaluation of board performance

20 Stakeholder expectations
Range of stakeholders
Stakeholder dialogue
Stakeholders and core processes
Stakeholders and strategy
Stakeholders and tactics
Stakeholders and operations

21 Analysis of the business model
Simplified business model
Core business processes
Efficacious strategy
Effective processes
Efficient operations
Reporting performance

22 Project risk management
Introduction to project risk management
Development of project risk management
Uncertainty in projects
Project life cycle
Opportunity in projects
Project risk analysis and management

23 Operational risk management
Operational risk
Definition of operational risk
Basel II
Measurement of operational risk
Difficulties of measurement
Developments in operational risk

24 Supply chain management
Importance of the supply chain
Scope of the supply chain
Strategic partnerships
Joint ventures
Outsourcing of operations
Risk and contracts

Case study: Hercules Incorporated – outsourcing logistics

Part 5 Risk response
Learning outcomes for Part 5
Part 5 Further reading

25 Enterprise risk management
Enterprise-wide approach
Definitions of ERM
ERM in practice
ERM and business continuity
ERM in energy and finance
Future development of ERM

26 Importance of risk appetite
Risk capacity
Risk exposure
Nature of risk appetite
Cost of risk controls
Risk management and uncertainty
Risk appetite and lifestyle decisions

27 Tolerate, treat, transfer and terminate
The 4Ts of hazard response
Risk tolerance
Risk treatment
Risk transfer
Risk termination
Project and strategic risk response

28 Risk control techniques
Hazard risk zones
Types of controls
Preventive controls
Corrective controls
Directive controls
Detective controls

29 Control of selected hazard risks
Risk control
Control of financial risks
Control of infrastructure risks
Control of reputational risks
Control of marketplace risks
Learning from controls

30 Insurance and risk transfer
Importance of insurance
History of insurance
Types of insurance cover
Evaluation of insurance needs
Purchase of insurance
Captive insurance companies

Case study: Intercontinental Hotels Group – loss-control strategy

Part 6 Risk assurance and reporting
Learning outcomes for Part 6
Part 6 Further reading

31 Evaluation of the control environment
Nature of internal control
Purpose of internal control
Control environment
Features of the control environment
CoCo framework of internal control
Risk-aware culture

32 Activities of the internal audit function
Scope of internal audit
Financial assertions
Risk management and internal audit
Risk management outputs
Role of internal audit
Management responsibilities

33 Risk assurance techniques
Audit committees
Role of risk management
Risk assurance
Hazard, control and opportunity risks
Control risk self-assessment
Benefits of risk assurance

34 Reporting on risk management
Risk documentation
Sarbanes–Oxley Act of 2002
Risk reports by US companies
Charities risk reporting
Public sector risk reporting
Government Report on National Security

35 Corporate social responsibility
CSR and corporate governance
CSR and risk management
CSR and reputational risk
CSR and stakeholder expectations
Supply chain and ethical trading
CSR reporting

36 Future of risk management
Review of benefits of risk management
Steps to successful risk management
Changing face of risk management
Concept of risk appetite
Concept of upside of risk
Future developments

Case study: BP – risk reporting

Appendix A: Glossary of terms
Appendix B: Implementation guide
Index
Figures

1.1 Risk likelihood and magnitude
2.1 Attachment of risks
2.2 Risk and reward
4.1 7Rs and 4Ts of (hazard) risk management
4.2 Risk management sophistication
6.1 IRM risk management process
6.2 Components of an RM framework
6.3 COSO ERM framework
6.4 Risk management framework from BS 31100
6.5 Risk management process from ISO 31000
10.1 RM architecture for a large corporation
10.2 RM architecture for a charity
13.1 Risk appetite matrix (risk averse)
13.2 Risk appetite matrix (risk aggressive)
15.1 Personal risk matrix
15.2 Risk matrix and the 4Ts of hazard management
15.3 Inherent, current and target levels of risk
18.1 Model for business continuity planning
19.1 Corporate governance framework
19.2 Corporate governance in a government agency
20.1 Importance of core processes
21.1 Simplified business model
22.1 Project life cycle
26.1 Risk and uncertainty
26.2 Risk appetite, exposure and capacity (optimal)
26.3 Risk appetite, exposure and capacity (vulnerable)
26.4 Illustration of control effect
26.5 Risk management and uncertainty
27.1 Types of controls for hazard risks
27.2 Risk versus uncertainty in projects
27.3 Risk versus reward in strategy
28.1 Hazard risk zones
29.1 Cost-effective controls
29.2 Cost–benefit analysis
29.3 Learning from controls
29.4 Risk and reward decisions
30.1 Role of captive insurance companies
31.1 Criteria of Control (CoCo) framework
32.1 Role of internal audit in ERM
Tables

1.1 Definitions of risk
1.2 Risk description
3.1 Categories of disruption
4.1 Definitions of risk management
4.2 Importance of risk management
4.3 7Rs and 4Ts of (hazard) risk management
5.1 Principles of risk management
6.1 Risk management standards
6.2 COSO ERM framework
7.1 Risk management framework
7.2 Risk management policy
7.3 Risk management protocols
7.4 Types of RM documentation
8.1 Format for a basic risk register
8.2 Risk register for a sports club
8.3 Risk register for a hospital
8.4 Project risk register
8.5 Risk register attached to a business plan
9.1 Risk management responsibilities
9.2 Historical role of the insurance risk manager
10.1 Responsibilities of the RM committee
10.2 Four levels of risk maturity
11.1 Risk-aware culture
12.1 Risk communications guidelines
12.2 Risk management information system (RMIS)
13.1 Techniques for risk assessment
13.2 Advantages and disadvantages of RA techniques
14.1 Risk classification systems
14.2 Attributes of the FIRM risk scorecard
14.3 PESTLE classification system
14.4 Personal issues grid
15.1 Benchmark tests for risk significance
16.1 Generic key dependencies
17.1 Upside of risk
17.2 Riskiness index
18.1 Key activities in business continuity planning
19.1 OECD principles of corporate governance
19.2 Nolan principles of public life
19.3 Evaluating the effectiveness of the board
20.1 Data for shareholders
22.1 PRAM model for project RM
23.1 ORM principles (Basel II)
23.2 Operational risk for a bank
23.3 Operational risk in financial and industrial companies
24.1 Risks associated with outsourcing
25.1 Definitions of enterprise risk management
25.2 Benefits of enterprise risk management
27.1 Description of the 4Ts of hazard response
27.2 Key dependencies and significant risks
28.1 Description of types of hazard controls
28.2 Examples of the hierarchy of hazard controls
30.1 Different types of insurance
30.2 Identifying the necessary insurance
31.1 Definitions of internal control
31.2 Components of the CoCo framework
32.1 Allocation of responsibilities
33.1 Responsibilities of the audit committee
33.2 Sources of risk assurance
34.1 Risk report in a Form 20-F
34.2 Government risk reporting principles
35.1 Scope of issues covered by CSR
36.1 Achieving successful risk management
36.2 Implementation barriers and actions
Preface
Benefits of enterprise risk management
A string of large and highly public organizational and Governmental failures over the past 10
years (Woolworths, Golden Wonder, Northern Rock, Citigroup, Enron and even the entire
banking system of Iceland) has focused the attention of investors, customers and regulators on
the way in which directors, managers and boards are managing risk. This has led to a greater
appreciation of the wider scope of risks facing organizations, which in turn has led to risk
management becoming a core management discipline.
Risk is everywhere and derives directly from unpredictability. The process of identifying,
assessing and managing risks brings any business full circle back to its strategic objectives: for
it will be clear that not everything can be controlled. The local consequences of events on a
global scale, such as terrorism, pandemics and credit crunches, are likely to be unpredictable.
However, they can also include the creation of new and valuable opportunities. Many of
today’s household names were born out of times of adversity.
Risk management provides a framework for organizations to deal with and to react to uncertainty. Whilst it acknowledges that nothing in life is certain, the modern practice of risk management is a systematic and comprehensive approach, drawing on transferable tools and
techniques. These basic principles are sector-independent and should improve business resilience, increase predictability and contribute to improved returns. This is particularly important given the pace of change of life today.
Risk management involves a healthy dose of both common sense and strategic awareness,
coupled with an intimate knowledge of the business, an enquiring mind and most critically
superb communication and influencing skills.
The Institute of Risk Management’s International Certificate in risk management is an introductory qualification which reflects the changing and global nature of risk management. Recognizing both the enterprise-wide (or ‘ERM’) importance of comprehensive risk management
and the growing use of international standards (such as ISO 31000), this qualification equips
future professional risk managers with the fundamental knowledge and tools to make invaluable contributions to long-term organizational growth and prosperity.
This textbook, as well as being the core reading for the IRM International Certificate, is a valuable resource for all organizations and indeed anyone with an interest in risk management.
Sophie Williams is Deputy Chief Executive of the Institute of Risk Management, risk management’s leading worldwide professional education, training and knowledge body. Further information about the International Certificate or the Institute is available from the IRM website
www.theirm.org.
Sophie Williams
Acknowledgements
The author is grateful to a large number of people who have helped with the development of
the ideas that are included in this book. In particular, the following individuals provided considerable input into the final version:
• Richard Archer;
• Bill Aujla;
• Steve Fowler;
• Alex Hindson;
• Edward Sankey;
• Paul Taylor;
• Carolyn Williams;
• Sophie Williams.
Paul Hopkin
Introduction
Risk management in context
This book is intended for all who want a comprehensive introduction to the theory and application of risk management. It sets out an integrated introduction to the management of risk
in public and private organizations. Studying this book will provide insight into the world of
risk management and may also help readers decide whether risk management is a suitable
career option for them.
Many readers will wish to use this book in order to gain a better understanding of risk and risk
management and thereby fulfil the primary responsibilities of their jobs with an enhanced
understanding of risk. This book is designed to deliver the syllabus of the International Certificate in Risk Management qualification of the Institute of Risk Management. However, it
also acts as an introduction to the discipline of risk management for those interested in the
subject but not (yet) undertaking a course of study.
An introduction to risk and risk management is provided in the first Part of this book and the
key features of risk management are set out in the next two Parts. Parts 4, 5 and 6 concentrate
on the application of risk management tools and techniques, as well as considering the outputs
from the risk management process and the benefits that arise.
We all face risks in our everyday lives. Risks arise from personal activities and range from those
associated with travel through to the ones associated with personal financial decisions. There
are considerable risks present in the domestic component of our lives and these include fire
risks in our homes and financial risks associated with home ownership. Indeed, there are also
a whole range of risks associated with domestic and relationship issues, but these are outside
the scope of this book.
This book is primarily concerned with business and commercial risks and the roles that
we fulfil during our job or occupation. However, the task of evaluating risks and deciding
how to respond to them is a daily activity not only at work, but also at home and during
leisure activities.
Nature of risk
Recent events in the world have brought risk into higher profile. Terrorism, extreme weather
events and the global financial crisis represent the extreme risks that are facing society and
commerce. These extreme risks exist in addition to the daily, somewhat more mundane risks
mentioned above.
Evaluating the range of risk responses available and deciding the most appropriate response in
each case is at the heart of risk management. Responding to risks should produce benefits for
us as individuals, as well as for the organizations where we work and/or are employed.
Within our personal and domestic lives, many of the responses to risk are automatic. Our
ways of avoiding fire and road traffic accidents are based on well-established and automatic
responses. Fire and accident are the types of risks that can only have negative outcomes and
they are often referred to as hazard risks.
Certain other risks have established or required responses that are imposed on us as individuals and/or on organizations as mandatory requirements. For example, in our personal lives,
buying insurance for a car is usually a legal requirement, whereas buying insurance for a house
is often not, but is good risk management and very sensible.
Keeping your car in good mechanical order will reduce the chances of a breakdown. However,
even vehicles that are fully serviced and maintained do occasionally break down. Maintaining
your car in good mechanical order will reduce the chances of breakdown, but will not eliminate them completely. These types of risks that have a large degree of uncertainty associated
with them are often referred to as control risks.
As well as hazard and control risks, there are risks that we take because we desire (and probably expect) a positive return. For example, you will invest money in anticipation that you will
make a profit from the investment. Likewise, placing a bet or gambling on the outcome of a
sporting event is undertaken in anticipation of receiving positive payback.
People participate out of choice in motor sports and other potentially dangerous leisure
activities. In these circumstances, the return may not be financial, but can be measured in
terms of pride, self-esteem or peer group respect. Undertaking activities involving risks of
this type, where a positive return is expected, can be referred to as taking opportunity
risks.
Risk management
Organizations face a very wide range of risks that can impact the outcome of their operations.
The desired overall aim may be stated as a mission or a set of corporate objectives. The events
that can impact an organization may inhibit what it is seeking to achieve (hazard risks), enhance
that aim (opportunity risks), or create uncertainty about the outcomes (control risks).
Risk management needs to offer an integrated approach to the evaluation, control and monitoring of these three types of risk. This book examines the key components of risk management and how it can be applied. Examples are provided that demonstrate the benefits of risk
management to organizations in both the public and private sectors. Risk management also
has an important part to play in the success of not-for-profit organizations such as charities
and (for example) clubs and other membership bodies.
The risk management process is well established, although it is presented in a number of different ways and often uses differing terminologies. The different terminologies that are used
by different risk management practitioners and in different business sectors are explored in
this book. In addition to a description of the established risk management standards, a simplified description of risk management that sets out the key stages in the risk management process
is also presented to help with understanding.
The risk management process cannot take place in isolation. It needs to be supported by a
framework within the organization. Once again, the risk management framework is presented
and described in different ways in the range of standards, guides and other publications that
are available. In all cases, the key components of a successful risk management framework are
the communications and reporting structure (architecture), the overall risk management
strategy that is set by the organization (strategy) and the set of guidelines and procedures (protocols) that have been established. The importance of the risk architecture, strategy and protocols (RASP) is discussed in detail in this book.
The combination of risk management processes, together with a description of the framework
in place for supporting the process, constitutes a risk management standard. There are several
risk management standards in existence, including the IRM Standard and the recently published British Standard BS 31100. There is also the American COSO ERM framework. The
latest addition to the available risk management standards is the international standard, ISO
31000, published in 2009. The well established and respected Australian Standard AS 4360
(2004) was withdrawn in 2009 in favour of ISO 31000. AS 4360 was first published in 1995 and
ISO 31000 includes many of the features and offers a similar approach to that previously
described in AS 4360.
Further information on existing standards and other published guides is set out in Chapter 1.6.
Additionally, references are included in each Part of this book to provide further material to
enable the reader to gain a comprehensive introduction to the subject of risk management.
Risk management terminology
Most risk management publications refer to the benefits of having a common language of risk
within the organization. Many organizations manage to achieve this common language and
common understanding of risk management processes and protocols at least internally. However,
it is usually the case that within a business sector, and sometimes even within individual organizations, the development of a common language of risk can be very challenging.
Reference and supporting materials have a great range of terminologies in use. The different
approaches to risk management, the different risk management standards that exist and the
wide range of guidance material that is available often use different terms for the same feature
or concept. This is regrettable and can be very confusing, but it is inescapable.
Attempts are being made to develop a standardized language of risk, and ISO Guide 73 has
been developed as the common terminology that should be used in all ISO standards. The terminology set out in ISO Guide 73 will be used throughout this book as the default set of definitions, wherever possible. However, the use of a standard terminology is not always possible
and alternative definitions may be required.
To assist with the difficult area of terminology, Appendix A sets out the basic terms and definitions that are used in risk management. It also provides cross reference between the different
terms in use to describe the same concept. Where appropriate and necessary a table setting out
a range of definitions for the same concept is included within the relevant chapter of the book
and these tables are cross-referenced in Appendix A.
Benefits of risk management
There are a range of benefits arising from successful implementation of risk management.
These benefits are summarized in this book as compliance, assurance, decisions and efficiency/
effectiveness/efficacy (CADE3). Compliance refers to risk management activities designed to
ensure that an organization complies with legal and regulatory obligations.
The board of an organization will require assurance that significant risks have been identified
and appropriate controls put in place. In order to ensure that correct business decisions are
taken, the organization should undertake risk management activities that provide additional
structured information to assist with business decision making.
Finally, a key benefit from risk management is to enhance the efficiency of operations within
the organization. Risk management should provide more than assistance with the efficiency of
operations. It should also help ensure that business processes (including process enhancements by way of projects and other change initiatives) are effective and that the selected strategy is efficacious, in that it is capable of delivering exactly what is required.
Risk management inputs are required in relation to strategic decision making, but also in relation to the effective delivery of projects and programmes of work, as well as in relation to the
routine operations of the organization. The benefits of risk management can also be identified
in relation to these three timescales of activities within the organization. The outputs from risk
management activities can benefit organizations in three timescales and ensure that the organization achieves:
• efficacious strategy;
• effective processes and projects;
• efficient operations.
In order to achieve a successful risk management contribution, the intended benefits of any
risk management initiative have to be identified. If those benefits have not been identified,
then there will be no means of evaluating whether the risk management initiative has been
successful.
Therefore, good risk management must have a clear set of desired outcomes/benefits. Appropriate attention should be paid to each stage of the risk management process, as well as to
details of the design, implementation and monitoring of the framework that supports these
risk management activities.
Features of risk management
Failure to adequately manage the risks faced by an organization can be caused by inadequate
risk recognition, insufficient analysis of significant risks and failure to identify suitable risk
response activities. Also, failure to set a risk management strategy and to communicate that
strategy and the associated responsibilities may result in inadequate management of risks. It is
also possible that the risk management procedures or protocols may be flawed, such that these
protocols may actually be incapable of delivering the required outcomes.
The consequences of failure to adequately manage risk can be disastrous and result in inefficient operations, projects that are not completed on time and strategies that are not delivered,
or were incorrect in the first place. The hallmarks of successful risk management are considered in this book. In order to be successful, the risk management initiative should be proportionate, aligned, comprehensive, embedded and dynamic (PACED).
Proportionate means that the effort put into risk management should be appropriate to the level
of risk that the organization faces. Risk management activities should be aligned with other
activities within the organization. Activities will also need to be comprehensive, so that any risk
management initiative covers all the aspects of the organization and all the risks that it faces. The
means of embedding risk management activities within the organization are discussed in this
book. Finally, risk management activities should be dynamic and responsive to the changing
business environment faced by the organization.
Book structure
The book is presented in six Parts, together with two appendices. Part 1 provides the introduction to risk management and introduces all of the basic concepts. These concepts are explored
in more detail in later Parts. Part 2 explores the importance of risk management strategy and
considers the vital importance of the risk management policy, as well as exploring the successful implementation of that policy.
Part 3 considers the importance of risk assessment as a fundamental requirement of successful risk management. Risk classification and risk analysis tools and techniques are considered in detail in this Part. Part 4 considers the impact of risk on organizations, and this
extends to the evaluation of corporate governance requirements. Also, the analysis of stakeholder expectations and the relationship between risk management and a simple business
model is considered.
Part 5 sets out the options for risk response in detail. Analysis of the various risk control techniques is presented, together with examples of options for the control of selected hazard risks.
This Part also considers the importance of insurance and risk transfer. Finally, Part 6 considers
risk assurance and risk reporting. The role of the internal audit function, together with the
importance of corporate social responsibility and the options for reporting on risk management are all considered.
Appendix A provides a glossary of terms and cross-references the different terminologies used
by different risk management practitioners. Appendix B provides a step-by-step implementation guide to enterprise risk management (ERM), as described in Chapter 25. It includes reference to all of the acronyms used in the book and sets out the key concepts relevant to each step
of the successful implementation of a risk management initiative.
Risk management in practice
In order to bring the subject of risk management to life, short illustrative examples are used
throughout the text. These examples focus on a small number of organizations in order to give
some context to the ideas described. Risk management activities cannot be undertaken out of
context, and so these organizations provide context to the ideas and concepts that are
described.
The most often used examples to illustrate a point are a haulage company, a sports club, a theatre,
a publisher and the large stock-exchange-listed company that, for the sake of illustration, owns
the sports club and the haulage company. Examples are also used of how risk management principles can be applied to the personal risks faced in private life.
In addition to these general examples, real life situations and examples are also used, where a
case study is helpful. Each Part of the book concludes with a brief extract from the report and
accounts of a selected company to illustrate the main risk management topics covered in the
Part. Although many of these examples are from the UK, the principles are equally applicable
to other parts of the world.
Future for risk management
As the global financial crisis has unfolded, there is an increasing tendency for news reports to
indicate that risk is bad and risk management has failed. In reality, neither of these two statements is correct. Organizations have to address the risks that they face because many of them
have to undertake high-risk activities, either because these activities cannot be avoided, or
because the activities are undertaken in order to produce a positive outcome for the organization and its stakeholders.
The global financial crisis does not demonstrate the failure of risk management, but rather the
failure of the management of organizations to successfully address the risks that they faced.
Achieving benefits from risk management requires carefully planned implementation of the
risk management process in the organization, as well as the design and successful embedding
of a suitable and sufficient risk management framework.
By setting out an integrated approach to risk management, this book provides a description of
the fundamental components of successful management of business/corporate risks. It
describes a wealth of risk management tools and techniques and provides information on successful delivery of an integrated and enterprise-wide approach to risk management.
Global financial crisis
The extract below offers a summary of the actions that would help to avoid a repeat of the
global financial crisis. Many organizations lack a common risk management framework across
the enterprise. This has many elements, each of which is required to help avoid similar disasters in the future:
• First, there should be common processes, terminology and practices for managing risks of all kinds.
• Second, it is essential that risk tolerances be fully understood, communicated and monitored across the enterprise.
• Third, risk management practices should be incorporated into all key business processes and decisions.
• And, fourth, management should make risk-related decisions using dedicated high quality risk information.
Part 1
Introduction to risk management
Learning outcomes for Part 1
• provide a range of definitions of risk and risk management and describe the usefulness of the various definitions;
• list the characteristics of a risk that need to be identified in order to provide a full risk description;
• describe options for classifying risks according to the nature, source and timescale of impact;
• outline the options for the attachment of risks to various attributes of an organization and describe advantages of each approach;
• use a risk matrix to represent the likely impact of a risk materializing in terms of likelihood and magnitude;
• outline the principles (PACED) and aims of risk management and its importance to operations, projects and strategy;
• describe the nature of hazard, control and opportunity risks and how organizations should respond to each type;
• outline the development of the discipline of risk management, including the various specialist areas and approaches;
• describe the key benefits of risk management in terms of compliance, assurance, decisions and efficiency/effectiveness/efficacy (CADE3);
• describe the key stages in the risk management process and the main components of a risk management framework;
• briefly describe the key features of the best-established risk management standards and frameworks.
Part 1 Further reading
British Standard BS 31100 (2008) Risk management – Code of practice, www.standardsuk.com.
COSO Enterprise Risk Management – Integrated Framework (2004) Executive Summary, www.coso.org.
Financial Reporting Council Internal Control Revised Guidance for Directors on the Combined Code (2005), www.frc.org.uk.
Institute of Risk Management A Risk Management Standard (2002), www.theirm.org.
International Standard ISO 31000 (2009) Risk management – Principles and guidelines, www.iso.org.
ISO Guide 73 (2009) Risk management – Vocabulary – Guidelines for use in standards, www.iso.org.
1 Approaches to defining risk
Definitions of risk
The Oxford English Dictionary definition of risk is as follows: ‘a chance or possibility of danger,
loss, injury or other adverse consequences’ and the definition of at risk is ‘exposed to danger’.
In this context, risk is used to signify negative consequences. However, taking a risk can also
result in a positive outcome. A third possibility is that risk is related to uncertainty of
outcome.
Take the example of owning a motorcar. For most people, owning a motorcar is an opportunity to become more mobile and gain the related benefits. However, there are uncertainties in
owning a motorcar that are related to maintenance and repair costs. Finally, motorcars can be
involved in accidents, so there are obvious negative outcomes that can occur.
Definitions of risk can be found from many sources and some key definitions are set out in
Table 1.1. An alternative definition is also provided to illustrate the broad nature of risks that
can affect organizations. The Institute of Risk Management (IRM) defines risk as the combination of the probability of an event and its consequence. Consequences can range from positive to negative. This is a widely applicable and practical definition that can be easily applied.
The international guide to risk-related definitions is ISO Guide 73 and it defines risk as ‘effect
of uncertainty on objectives’. This definition appears to assume a certain level of knowledge
about risk management and it is not easy to apply to everyday life. The meaning and application of this definition will become clearer as the reader progresses through this book.
Guide 73 also notes that an effect may be positive, negative, or a deviation from the expected.
These three types of events can be related to risks as opportunity, hazard or uncertainty, and
this relates to the example of motorcar ownership outlined above. The guide notes that risk is
often described by an event, a change in circumstances, a consequence, or a combination of
these and how they may affect the achievement of objectives.
Table 1.1 Definitions of risk
Organization | Definition of risk
ISO Guide 73; ISO 31000 | Effect of uncertainty on objectives. Note that an effect may be positive, negative, or a deviation from the expected. Also, risk is often described by an event, a change in circumstances or a consequence.
Institute of Risk Management (IRM) | Risk is the combination of the probability of an event and its consequence. Consequences can range from positive to negative.
“Orange Book” from HM Treasury | Uncertainty of outcome, within a range of exposure, arising from a combination of the impact and the probability of potential events.
Institute of Internal Auditors | The uncertainty of an event occurring that could have an impact on the achievement of the objectives. Risk is measured in terms of consequences and likelihood.
Alternative Definition by the author | Event with the ability to impact (inhibit, enhance or cause doubt about) the mission, strategy, projects, routine operations, objectives, core processes, key dependencies and/or the delivery of stakeholder expectations.
The Institute of Internal Auditors (IIA) defines risk as the uncertainty of an event occurring
that could have an impact on the achievement of objectives. The IIA adds that risk is measured
in terms of consequences and likelihood. Different disciplines define the term risk in very different ways. The definition used by health and safety professionals is that risk is a combination
of likelihood and magnitude, but this may not be sufficient for more general risk management
purposes.
Risk in an organizational context is usually defined as anything that can impact the fulfilment
of corporate objectives. However, corporate objectives are usually not fully stated by most
organizations. Where the objectives have been established, they tend to be stated as internal,
annual, change objectives. This is particularly true of the personal objectives set for members
of staff in the organization, where objectives usually refer to change or developments, rather
than the continuing or routine operations of the organization.
It is generally accepted that risk is best defined by concentrating on risks as events, as in the
definition of risk provided in ISO 31000 and the definition provided by the Institute of
Internal Auditors, as set out in Table 1.1. In order for a risk to materialize, an event must
occur. Greater clarity is likely to be brought to the risk management process if the focus is
on events. For example, consider what could disrupt a theatre performance.
The events that could cause disruption include a power cut, absence of a key actor, substantial
transport failure or road closures that delay the arrival of the audience, as well as the illness of
a significant number of staff. Having identified the events that could disrupt the performance,
the management of the theatre needs to decide what to do to reduce the chances of one of
these events causing the cancellation of a performance. This analysis by the management of
the theatre is an example of risk management in practice.
Types of risks
Risk may have positive or negative outcomes or may simply result in uncertainty. Therefore,
risks may be considered to be related to an opportunity or a loss or the presence of uncertainty
for an organization. Every risk has its own characteristics that require particular management
or analysis. In this book, as in the Guide 73 definition, risks are divided into three categories:
• hazard (or pure) risks;
• control (or uncertainty) risks;
• opportunity (or speculative) risks.
It is important to note that there is no ‘right’ or ‘wrong’ subdivision of risks. Readers will
encounter other subdivisions in other texts and these may be equally appropriate. It is, perhaps,
more common to find risks described as two types, pure or speculative. Indeed, there are many
debates about risk management terminology. Whatever the theoretical discussions, the most
important issue is that an organization adopts the risk classification system that is most suitable for its own circumstances.
There are certain risk events that can only result in negative outcomes. These risks are hazard
risks or pure risks, and these may be thought of as operational or insurable risks. In general,
organizations will have a tolerance of hazard risks and these need to be managed within the
levels of tolerance of the organization. A good example of a hazard risk faced by many organizations is that of theft.
There are certain risks that give rise to uncertainty about the outcome of a situation. These can
be described as control risks and are frequently associated with project management. In
general, organizations will have an aversion to control risks. Uncertainties can be associated
with the benefits that the project produces, as well as uncertainty about the delivery of the
project on time, within budget and to specification. The management of control risks will
often be undertaken in order to ensure that the outcome from the business activities falls
within the desired range.
At the same time, organizations deliberately take risks, especially marketplace or commercial
risks, in order to achieve a positive return. These can be considered as opportunity or speculative risks, and an organization will have a specific appetite for investment in such risks.
The application of risk management tools and techniques to the management of hazard risks
is the best and longest-established branch of risk management, and much of this text will concentrate on hazard risks. There is a hierarchy of controls that apply to hazard risks and this will
be discussed in a later chapter. Hazard risks are associated with a source of potential harm or
a situation with the potential to undermine objectives in a negative way. Hazard risks are the
most common risks associated with organizational risk management, including occupational
health and safety programmes.
Control risks are associated with unknown and unexpected events. They are sometimes
referred to as uncertainty risks and they can be extremely difficult to quantify. Control risks
are often associated with project management. In these circumstances, it is known that the
events will occur, but the precise consequences of those events are difficult to predict and
control. Therefore, the approach is based on minimizing the potential consequences of these
events.
There are two main aspects associated with opportunity risks. There are risks/dangers associated with taking an opportunity, but there are also risks associated with not taking the opportunity. Opportunity risks may not be visible or physically apparent, and they are often financial
in nature. Although opportunity risks are taken with the intention of having a positive
outcome, this is not guaranteed. Opportunity risks for small businesses include moving a
business to a new location, acquiring new property, expanding a business and diversifying into
new products.
Risk description
In order to fully understand a risk, a detailed description is necessary so that a common understanding of the risk can be identified and ownership/responsibilities may be clearly understood. Table 1.2 provides information on the range of information that must be recorded to
fully understand a risk. The list of information set out in Table 1.2 is most applicable to hazard
risks and the list will need to be modified to provide a full description of control or opportunity risks.
So that the correct range of information can be collected about each risk, the distinction
between hazard, control and opportunity risks needs to be clearly understood. The example
below is intended to distinguish between these three types of risk, so that the information
required in order to describe each type of risk can be identified.
Table 1.2 Risk description
• Name or title of risk
• Statement of risk, including scope of risk and details of possible events and dependencies
• Nature of risk, including details of the risk classification and timescale of potential impact
• Stakeholders in the risk, both internal and external
• Risk attitude, appetite, tolerance or limits for the risk
• Likelihood and magnitude of event and consequences should the risk materialize at current/residual level
• Control standard required or target level of risk
• Incident and loss experience
• Existing control mechanisms and activities
• Responsibility for developing risk strategy and policy
• Potential for risk improvement and level of confidence in existing controls
• Risk improvement recommendations and deadlines for implementation
• Responsibility for implementing improvements
• Responsibility for auditing risk compliance
Computer viruses
In order to understand the distinction between hazard, control and opportunity risks,
the example of the use of computers is useful. Virus infection is an operational or
hazard risk and there will be no benefit to an organization suffering a virus attack on
its software programs. When an organization installs or upgrades a software package,
control risks will be associated with the upgrade project.
The selection of new software is also an opportunity risk, where the intention is to
achieve better results by installing the new software, but it is possible that the new
software will fail to deliver all of the functionality that was intended and the
opportunity benefits will not be delivered. In fact, the failure of the functionality of the
new software system may substantially undermine the operations of the organization.
Inherent level of risk
It is important to understand the uncontrolled level of all risks that have been identified. This
is the level of the risk before any actions have been taken to change the likelihood or magnitude of the risk. Although there are advantages in identifying the inherent level of risk, there
are practical difficulties in identifying this with certain types of risks.
Identifying the inherent level of the risk enables the importance of the control measures in
place to be identified. The Institute of Internal Auditors (IIA) has the view that the assessment
of all risks should commence with the identification of the inherent level of the risk. The guidance from the IIA states that ‘in the risk assessment, we look at the inherent risks before considering any controls.’ The new International Risk Management Standard, ISO 31000,
recommends that risks are assessed at both inherent and current levels.
Often, a risk matrix will be used to show the inherent level of the risk in terms of likelihood
and magnitude. The reduced or current level of the risk can then be identified, after the control
or controls have been put in place. The effort that is required to reduce the risk from its inherent level to its current level can be clearly indicated on the risk matrix.
Terminology varies and the inherent level of risk is sometimes referred to as the absolute risk
or gross risk. Also, the current level of risk is often referred to as the residual level or the
managed level of risk. The box below provides an example of how inherently
high-risk activities are reduced to a lower level of risk by the application of sensible and practical risk response options.
Crossing the road
Crossing a busy road would be inherently dangerous if there were no controls in place
and many more accidents would occur. When a risk is inherently dangerous, greater
attention is paid to the control measures in place, because the perception of risk is
much higher. Pedestrians do not cross the road without looking and drivers are always
aware that pedestrians may step into the road. Often, other traffic calming control
measures are necessary to reduce the speed of the motorists or increase the risk
awareness of both motorists and pedestrians.
Risk classification systems
Risks can be classified according to the nature of the attributes of the risk, such as timescale
for impact, and the nature of the impact and/or likely magnitude of the risk. They can also
be classified according to the timescale of impact after the event occurs. The source of the
risk can also be used as the basis of classification. In this case, a risk may be classified according to its origin, such as counterparty or credit risk.
A further way of classifying risks is to consider the nature of the impact. Some risks can cause
detriment to the finances of the organization, whereas others will have an impact on the activities or the infrastructure. Further, risks may have an impact on the reputation of the organization or on its status and the way it is perceived in the marketplace.
Individual organizations will decide on the risk classification system that suits them best,
depending on the nature of the organization and its activities. Also, many risk management standards and frameworks suggest a specific risk classification system. If the organization adopts one of these standards, then it will tend to follow the classification system
recommended.
The risk classification system that is selected should be fully relevant to the organization concerned. There is no universal classification system that fulfils the requirements of all organizations. It is likely that each risk will need to be classified in several ways in order to clearly
understand its potential impact. However, many classification systems offer common or
similar structures, as will be described in later chapters.
Risk likelihood and magnitude
Risk likelihood and magnitude are best demonstrated using a risk map, sometimes referred
to as a risk matrix. Risk maps can be produced in many formats. Whatever format is used
for a risk map, it is a very valuable tool for the risk management practitioner. The basic style
of risk map plots the likelihood of an event against the magnitude or impact should the
event materialize.
Figure 1.1 is an illustration of a simple risk matrix, sometimes referred to as a heat map. This
is a commonly used method of illustrating risk likelihood and the magnitude (or severity) of
the event should the risk materialize. The use of the risk matrix to illustrate risk likelihood and
magnitude is a fundamentally important risk management tool. The risk matrix can be used
to plot the nature of individual risks, so that the organization can decide whether the risk is
acceptable and within the risk appetite and/or risk capacity of the organization.
Throughout this book, a standard format for presenting a risk map has been adopted. The
horizontal axis is used to represent likelihood. The term likelihood is used rather than frequency, because the word frequency implies that events will definitely occur and the map is
registering how often these events take place. Likelihood is a broader word that includes frequency, but also refers to the chances of an unlikely event happening. However, in risk management literature, the word probability will often be used to describe the likelihood of a risk
materializing.
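[Figure 1.1 Risk likelihood and magnitude: a two-by-two risk matrix with likelihood on the horizontal axis and magnitude on the vertical axis. Quadrants: low likelihood/high magnitude (top left), high likelihood/high magnitude (top right), low likelihood/low magnitude (bottom left), high likelihood/low magnitude (bottom right).]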
The vertical axis is used to indicate magnitude in Figure 1.1. The word magnitude is used
rather than severity, so that the same style of risk map can be used to illustrate hazard, control
and opportunity risks. Severity implies that the event is undesirable and is, therefore, related
to hazard risks.
Figure 1.1 maps likelihood against the magnitude of an event. However, the more important
consideration for risk managers is not the magnitude of the event, but the impact or consequences. For example, a large fire could occur that completely destroys a warehouse of a distribution and logistics company. Although the magnitude of the event may be large, if the
company has produced plans to cope with such an event, the impact on the overall business
may be much less than would otherwise be anticipated.
The magnitude of an event may be considered to be the inherent level of the event and the
impact can be considered to be the risk-managed level. Because the impact (or consequences)
of an event is usually more important than its magnitude (or severity), then every risk matrix
used in the remainder of this book will plot impact against likelihood, rather than magnitude
against likelihood.
The risk matrix will be used throughout this book to provide a visual representation of risks.
It can also be used to indicate the likely risk control mechanisms that can be applied. The
risk matrix can also be used to record the inherent, current (or residual) and target levels of
the risk.
Colour coding is often used on the risk matrix to provide a visual representation of the importance of each risk under consideration. As risks move towards the top right-hand corner of the
risk matrix, they become more likely and have a greater impact. Therefore, the risk becomes
more important and immediate and effective risk control measures need to be introduced.
As a practical example of risk management in action at strategic level, consider the uncertainties embedded in the merger involving Delta Airlines and Northwest Airlines. This illustrates
that organizations take strategic decisions that involve high levels of risk and uncertainty.
There will be considerable uncertainties relating to whether all of the benefits outlined below
can be delivered in practice.
Uncertainty in strategic decisions
An agreement has been reached and, barring any roadblocks from antitrust authorities,
Delta Airlines and Northwest Airlines are merging and will operate under the Delta
Airlines name. Delta Airlines released information outlining the basic elements of the
deal and the ramifications it foresees for the new airline and its passengers.
The list of benefits it sees by merging
• Combining Delta and Northwest will create a global US carrier that can
compete with foreign airlines that continue to increase service to the United
States.
• Customers and communities will benefit from access to a global route system
and a more financially stable airline.
• More destinations will result in more schedule options and more opportunities
to earn and redeem frequent flyer miles.
• Delta customers will benefit from Northwest’s routes to Asian markets and
Northwest’s customers will benefit from Delta’s routes to other markets.
• Delta and Northwest complementary common membership in the SkyTeam
alliance will ease the integration risk that has complicated some airline mergers.
2 Impact of risk on organizations
Risk importance
Following the events in the world financial system during 2008, all organizations are taking a
greater interest in risk and risk management. It is increasingly understood that the explicit
management of risks brings benefits. By taking a proactive approach to risk and risk management, organizations will be able to achieve the following three areas of improvement:
• Operations will become more efficient because events that can cause disruption will be identified in advance and actions taken to reduce the likelihood of these events occurring, reducing the damage caused by these events and containing the cost of the events that can cause disruption to normal efficient production operations.
• Processes will be more effective, because consideration will have been given to selection of the processes and the risks involved in the alternatives that may be available. Also, process changes that are delivered by way of projects will be more effectively and reliably delivered.
• Strategy will be more efficacious in that the risks associated with different strategic options will be fully analysed and better strategic decisions will be reached. Efficacious refers to the fact that the strategy that will be developed will be fully capable of delivering the required outcomes.
It is no longer acceptable for organizations to find themselves in a position whereby unexpected events cause financial loss, disruption to normal operations, damage to reputation and
loss of market presence. Stakeholders now expect that organizations will take full account of
the risks that may cause disruption within operations, late delivery of projects or failure to
deliver strategy.
The exposure presented by an individual risk can be defined in terms of the likelihood of the
risk materializing and the impact of the risk when it does materialize. As risk exposure
increases, then likely impact will also increase. Throughout this book, the term impact is used
in preference to the alternative word, consequences. This is because the term impact is preferred in business continuity planning evaluations.
Injury to key player
A sports club will wish to reduce the chances of a key player being absent through
injury. However, key players do get injured and the club will need to consider the
impact of such an event in advance of it happening. If the injury is serious, the player
may be absent for a significant length of time. There is likely to be a substantial impact,
which will be most obvious on the pitch where the success of the team is likely to be
reduced. However, other consequences may also result and these could include the loss
of revenue from the sale of shirts and other merchandise with that player’s name and
number. Arrangements to reduce the potential for loss of income should also be
considered.
Impact of hazard risks
Hazard risks undermine objectives, and the level of impact of such risks is a measure of their
significance. Risk management has its longest history and earliest origins in the management
of hazard risks. Hazard risk management is closely related to the management of insurable
risks. Remember that a hazard (or pure) risk can only have a negative outcome.
Hazard risk management is concerned with issues such as health and safety at work, fire prevention, damage to property and the consequences of defective products. Hazard risks can
cause disruption to normal operations, as well as resulting in increased costs and poor publicity associated with disruptive events.
Hazard risks are related to business dependencies, including IT and other supporting services.
There is increasing dependence on the IT infrastructure of most organizations and IT systems
can be disrupted by computer breakdown or fire in server rooms, as well as virus infection and
deliberate hacking or computer attacks.
Theft and fraud can also be significant hazard risks for many organizations. This is especially
true for organizations handling cash or managing a significant number of financial transactions. Techniques relevant to the avoidance of theft and fraud include adequate security procedures, segregation of financial duties, and authorization and delegation procedures, as well
as the vetting of staff prior to employment.
Attachment of risks
Although most standard definitions of risk referred to risks as being attached to corporate
objectives, Figure 2.1 provides an illustration of the options for the attachment of risks. Risks
are shown in the diagram as being capable of impacting the key dependencies that deliver the
core processes of the organization. Corporate objectives and stakeholder expectations help
define the core processes of the organization. These core processes are key components of the
business model and can relate to operations, projects and corporate strategy.
The intention of Figure 2.1 is to demonstrate that significant risks can be attached to features
of the organization other than corporate objectives. Significant risks can be identified by considering the key dependencies of the organization, the corporate objectives and/or the stakeholder expectations, as well as by analysis of the core processes of the organization.
In the build-up to the recent financial crisis, banks and other financial institutions established
operational and strategic objectives. By analysing these objectives and identifying the risks that
could prevent the achievement of them, risk management made a contribution to the achievement of the high-risk objectives that ultimately led to the failure of the organizations. This
example illustrates that attaching risks to attributes other than objectives is not only possible
but may well have been desirable in these circumstances.
Figure 2.1 Attachment of risks (diagram elements: Mission statement; Strategic or business plan (and annual budget); Corporate objectives; Stakeholder expectations; Core processes; Key dependencies; Significant risks; relationship labels: "Support or deliver" and "Impact or attach")
It is clearly the case that risks are greater in circumstances of change. Therefore, linking risks
to change objectives is not unreasonable, but the analysis of each objective in turn may not
lead to robust risk recognition/identification. In any case, business objectives are usually stated
at too high a level for the successful attachment of risks.
To be useful to the organization, the corporate objectives should be presented as a full statement of the short, medium and long-term aims of the organization. Internal, annual, change
objectives are usually inadequate, because they may fail to fully identify the operational (or
efficiency), change (or competition) and strategic (or leadership) requirements of the organization.
The most important disadvantage associated with the ‘objectives-driven’ approach to risk and
risk management is the danger of considering risks out of the context that gave rise to them.
Risks that are analysed in a way that is separated from the situation that led to them will not
be capable of rigorous and informed evaluation. It can be argued that a more robust analysis
can be achieved when a ‘dependencies-driven’ approach to risk management is adopted.
It remains the case that many organizations continue to use an analysis of corporate objectives
as a means of identifying risks, because some benefits do arise from this approach. For example,
using this ‘objectives-driven’ approach facilitates the analysis of risks in relation to the positive
and uncertain aspects of the events that may occur, as well as facilitating the analysis of the
negative aspects.
If the decision is taken to attach risks to the objectives of the organization, then it is important
that these objectives have been fully and completely developed. Not only do the objectives
need to be challenged to ensure that they are full and complete, but the assumptions that
underpin the objectives should also receive careful and critical attention.
Core processes will be discussed later in this book and may be considered as the high level
processes that drive the organization. In the example of a sports club, one of the key processes
is the operational process ‘delivering successful results on the pitch’. Risks may be attached to
this core process, as well as being attached to objectives and/or key dependencies.
Although risks can be attached to other features of the organization, the standard approach is
to attach risks to corporate objectives. One of the standard definitions of risk is that it is something that can impact (undermine, enhance or cause doubt) the achievement of corporate
objectives. This is a useful definition, but it does not provide the only means of identifying significant risks.
Risk and reward
Another feature of risk and risk management is that many risks are taken by an organization
in order to achieve a reward. Figure 2.2 illustrates the relationship between the level of risk and
the anticipated size of reward. A business will launch a new product because it believes that
greater profit is available from the successful marketing of the new product. In launching a
new product, the organization will put resources at risk because it has decided that a certain
amount of risk taking is appropriate. The value put at risk represents the risk appetite of the
organization with respect to the activity that it is undertaking.
When an organization puts value at risk in this way, it should do so with the full knowledge of
the risk exposure and it should be satisfied that the risk exposure is within the appetite of the
organization. Even more important, it should ensure that it has sufficient resources to cover
the risk exposure. In other words, the risk exposure should be quantified, the appetite to take
that level of risk should be confirmed and the capacity of the organization to withstand any
foreseeable adverse consequences should be clearly established.
Not all business activities will offer the same return for risk taken. Start-up operations are
usually high risk and the initial expected return may be low. Figure 2.2 demonstrates the probable risk–return development for a new organization or a new product. The activity will commence in the bottom right-hand corner as a start-up operation, which is high risk and low
return.
As the business develops, it is likely to move to a higher return for the same level of risk. This
is the growth phase for the business or product. As the investment matures, the reward may
remain high, but the risks should reduce. Eventually, an organization will become fully mature
and move towards the low-risk and low-return quadrant. The normal expectation in very
mature markets is that the organization or product will be in decline.
Figure 2.2 Risk and reward (axes: Potential reward and Risk exposure; quadrants: Mature operation, Growth, Decline, Start-up operation)
The particular risks that the organization faces will need to be identified by management or by
the organization. Appropriate risk management techniques will then need to be applied to the
risks that have been identified. The nature of these risk responses and the nature of their
impact will be considered in a later chapter.
The above discussion about risk and reward applies to opportunity risks. However, it must
always be the case that risk management effort produces rewards. In the case of hazard risks, it is
likely that the reward for increased risk management effort will be fewer disruptive events. In the
case of project risks, the reward for increased risk management effort will be that the project is
more likely to be delivered on time, within budget and to specification/quality. For opportunity
risks, the risk–reward analysis should result in fewer unsuccessful new products and a higher
level of profit or (at worst) a lower level of loss for all new activities or new products.
Risk versus reward
In a Formula 1 Grand Prix, the Ferrari team decided to send a driver out on wet-weather tyres, before the rain had actually started. Wet-weather tyres wear out very
quickly in dry conditions and make the car much slower. If the rain had started
immediately, this would have proved to be a very good decision.
In fact, the rain did not start for four or five laps, by which time the driver had been
overtaken by most other drivers and his set of wet-weather tyres were ruined in the dry
conditions. He had to return to the pits for a further set of new tyres more suited to the
race conditions. In this case, a high-risk strategy was adopted in anticipation of
significant rewards. However, the desired rewards were not achieved and significant
disadvantage resulted.
Risk and uncertainty
Risk is sometimes defined as uncertainty of outcomes. This is a somewhat technical, but nevertheless useful definition and it is particularly applicable to the management of control risks.
Control risks are the most difficult to identify and define, but are often associated with projects.
The overall intention of a project is to deliver the desired outcomes on time, within budget
and to specification.
For example, when a building is being constructed, the nature of the ground conditions may
not always be known in detail. As the construction work proceeds, more information will be
available about the nature of the ground conditions. This information may be positive news
that the ground is stronger than expected and less foundation work is required. Alternatively,
it may be discovered that the ground is contaminated or the ground is weaker than expected
or that other potentially adverse circumstances exist, such as archaeological remains being discovered.
Given this uncertainty, these risks should be considered to be control risks and the overall
management of the project should take account of the uncertainty associated with these different types of risk. It would be unrealistic for the project manager to assume that only adverse
aspects of the ground conditions will be discovered. Likewise, it would be unwise for the
project manager to assume that conditions will be better than he has been advised, just because
he wants that to be the case.
Because control risks cause uncertainty, it may be considered that an organization will have an
aversion to these risks. Perhaps, the real aversion is to the potential variability in outcomes. A
certain level of deviation from the project plan can be tolerated, but it must not be too great.
Tolerance in relation to control risks can be considered to have the same meaning as in the
manufacture of engineering components, where the components must be of a certain size,
within acceptable tolerance limits.
Attitudes to risk
Different organizations will have different attitudes to risk. Some organizations may be considered to be risk averse, whilst other organizations will be risk aggressive. To some extent, the
attitude of the organization to risk will depend on the sector and the nature and maturity of
the marketplace within which it operates, as well as the attitude of the individual board
members.
Risks cannot be considered outside the context that gave rise to the risks. It may appear that
an organization is being risk aggressive, when in fact, the board has decided that there is an
opportunity that should not be missed. However, the fact that the opportunity is high risk may
not have been fully considered.
One of the major contributions from successful risk management is to ensure that strategic
decisions that appear to be high risk are actually taken with all of the information available.
Improvement in the robustness of decision-making processes is one of the key benefits of risk
management.
Other key factors that will determine the attitude of the organization to risk include the stage
in the maturity cycle, as shown in Figure 2.2. For an organization that is in the start-up phase,
a more aggressive attitude to risk is required than for an organization that is enjoying growth
or one that is a mature organization in a mature marketplace. Where an organization is operating in a mature marketplace and is suffering from decline, the attitude to risk will be much
more risk averse.
It is because the attitude to risk has to be different when an organization is a start-up operation compared with a mature organization, that it is often said that certain high-profile
businessmen are very good at entrepreneurial start-up, but are not as successful in running
mature businesses. Different attitudes to risk are required at different parts of the business
maturity cycle.
Chicken farmer
Consider the example of a very successful breeder and reseller of chicken in a mature
marketplace involving little risk and steady and manageable growth prospects. The
CEO saw an opportunity to transform his family’s company. Overturning the family
tradition of avoiding debt, he borrowed $500,000 and set about fundamentally
changing the operation from a chicken farmer and reseller to a fully automated
chicken raising and retail operation.
It is not surprising that many great CEOs and founders had a strong propensity for risk
– without taking at least some calculated risks, the businesses would not have
flourished and more importantly lasted. Some had nothing to lose, but for others,
there was a tremendous amount at stake – both personally and professionally.
Like vision, an appetite for risk taking is considered almost a prerequisite for success.
Knowing when to be a risk taker and opportunistic is critical to being able to
successfully take advantage of the times. It can also be disastrous when the context of
the times changes sharply. The same act performed too soon or too late or in the
wrong scene may make a person a fool rather than a hero. That analysis fully applies to
risk taking in business.
3
Types of risks
Timescale of risk impact
Risks can be classified in many ways. Hazard risks can be divided into many types of risks, including risks to property, risks to people and risks to the continuity of the business. There are a range
of formal risk classification systems and these will be considered in a later part of this book.
Although it should not be considered to be a formal risk classification system, this part considers
the value of classifying risks according to the timeframe for the impact of the risk.
The classification of risks as long, medium and short-term impact is a very useful means of
analysing the risk exposure of an organization. These risks will be related to the strategy, tactics
and operations of the organization, respectively. In this context, risks may be considered as
related to events, changes in circumstances, actions or decisions.
In general terms, long-term risks will impact several years, perhaps up to five years, after the
event occurs or the decision is taken. Long-term risks therefore relate to strategic decisions.
When a decision is taken to launch a new product, the impact of that decision (and the success
of the product itself) may not be fully apparent for some time.
Medium-term risks have their impact some time after the event occurs or the decision is taken,
and typically this will be about a year later. Medium-term risks are often associated with
projects or programmes of work. For example, if a new computer software system is to be
installed, then the choice of computer system is a long-term or strategic decision. However,
decisions regarding the project to implement the new software will be medium-term decisions
with medium-term risk attached.
Short-term risks have their impact immediately after the event occurs. Accidents at work,
traffic accidents, fire and theft are all short-term risks that have an immediate impact and
immediate consequences as soon as the event has occurred. These short-term risks cause
immediate disruption to normal efficient operations and are probably the easiest types of risks
to identify and manage.
Insurable risks are quite often short-term risks, although the exact timing and magnitude/
impact of the insured events is uncertain. In other words, insurance is designed to provide
protection against risks that have immediate consequences. In the case of insurable risks, the
nature and consequences of the event may be understood, but the timing of the event is unpredictable. In fact, whether the event will occur at all is not known at the time the insurance
policy is taken out.
By way of example, consider the operation of a new computer software system in more detail.
The organization will install the new software in anticipation of gaining efficiency and greater
functionality. The decision to install new software and the choice of the software involves
opportunity risks. The installation will require a project, and certain risks will be involved in
the project. The risks associated with the project are control risks. After the new software has
been installed, it will be exposed to hazard risks. It may not deliver all of the functionality
required and the software may be exposed to various risks and virus infection. These are the
hazard risks associated with this new software system.
Hazard, control and opportunity risks
We have already seen in Chapter 1 that risks can be divided into three categories. Definitions
of these three types of risk are also given in Appendix A. They are:
• hazard risks;
• control risks;
• opportunity risks.
A common language of risk is required throughout the organization if the contribution of risk
management is to be maximized. The use of a common language will also enable the organization to develop an agreed perception of risk. Part of developing this common language and
perception of risk is to agree a risk classification system or series of such systems.
For example, consider people reviewing their financial position and the risks they currently
face regarding finances. It may be that the key financial dependencies relate to achieving adequate income and managing expenditure. The review should include an analysis of the risks to
job security and pension arrangements, as well as property ownership and other investments.
This part of the analysis will provide information on the risks to income and the nature of
those risks (opportunity risks).
Regarding expenditure, the review will consider spending patterns to determine whether cost
cutting is necessary (hazard risks). It will also consider leisure time activities, including holiday
arrangements and hobbies, and there will be some uncertainties regarding expenditure and
the costs of these activities (control risks).
Hazard risks are the risks that can only inhibit achievement of the corporate mission. Typically, these are insurable type risks or perils, and will include fire, storm, flood, injury and so
on. The discipline of risk management has strong origins in the management and control of
hazard risks. Normal efficient operations may be disrupted by loss, damage, breakdown, theft
and other threats associated with a wide range of dependencies, as shown in Table 3.1, and
these may include (for example):
• people;
• premises;
• assets;
• suppliers;
• information technology (IT);
• communications.
Control risks are risks that cause doubt about the ability to achieve the mission of the organization. Internal financial control protocols are a good example of a response to a control risk.
If the control protocols are removed, there is no way of being certain about what will happen.
Control risks are the most difficult type of risk to describe, but later Parts of this book will
assist with understanding.
Control risks are associated with uncertainty, and examples include the potential for legal
non-compliance and losses caused by fraud. They are usually dependent on the successful
management of people and successful implementation of control protocols. Although most
organizations ensure that control risks are carefully managed, they may, nevertheless, remain
potentially significant.
Opportunity risks are the risks that are (usually) deliberately sought by the organization. These
risks arise because the organization is seeking to enhance the achievement of the mission,
although they might inhibit the organization if the outcome is adverse. This is the most important type of risk for the future long-term success of any organization.
Many organizations are willing to invest in high-risk business strategies in anticipation of a
high profit or return. These organizations may be considered to have a large appetite for
opportunity investment. Often, the same organization will have the opposite approach to
hazard risks and have a small hazard tolerance. This may be appropriate, because the attitude
of the organization may be that it does not want hazard-related risks consuming corporate
resources, when it is putting so much value at risk investing in opportunities.
Table 3.1 Categories of disruption

| Category | Examples of disruption |
|---|---|
| People | Lack of people skills and/or resources |
| | Unexpected absence of key personnel |
| | Ill-health, accident or injury to people |
| Premises | Inadequate or insufficient premises |
| | Denial of access to premises |
| | Damage to or contamination of premises |
| Assets | Accidental damage to physical assets |
| | Breakdown of plant or equipment |
| | Theft or loss of physical assets |
| Suppliers | Disruption caused by failure of supplier |
| | Delivery of defective goods or components |
| | Failure of outsourced services and facilities |
| Information technology (IT) | Failure of IT hardware systems |
| | Disruption by hacker or computer virus |
| | Inefficient operation of computer software |
| Communications | Inadequate management of information |
| | Failure of internal or external communications |
| | Transport failure or disruption |

Hazard tolerance
As discussed earlier in this part, organizations face exposure to a wide range of risks. These
risks will be hazard risks, control risks and opportunity risks. Organizations need to tolerate a
hazard risk exposure, accept exposure to control risks and invest in opportunity risks.
In the case of health and safety risks, it is generally accepted that organizations should be
intolerant of these risks and should take all appropriate actions to eliminate them. In practice, this is not possible and organizations will manage safety risks to the lowest level that is
cost-effective and in compliance with the law.
For example, an automatic braking system fitted to trains to stop them passing through red
lights is technically feasible. However, this may represent an unreasonable investment for the
train operating company. The consequences of trains going through red lights may be regarded
as the risk exposure or hazard tolerance of the organization but the cost of introducing the
automatic braking system may be considered to be prohibitively high.
A less emotive example is related to theft. Most organizations will suffer a low level of petty
theft and this may be tolerable. For example, businesses based in an office environment will
suffer some theft of stationery, including paper, envelopes and pens. The cost of eliminating
this petty theft may be very large and so it becomes cost-effective for the organization to accept
that these losses will occur. The approach to theft in shops may be very different in different
retail sectors, as illustrated by the example below.
Security standards
An example can be seen in the operation of a security-conscious jewellery shop.
Customers are allowed into the shop one at a time. They are recorded on CCTV as
they wait to enter. Items are held securely, and customers are invited to ask to see
specific items under the suspicious gaze of the shop assistants. Of course, some
customers are put off, but equally the shops suffer negligible rates of shoplifting.
Contrast this with a supermarket, where there are no barriers on entry and customers
are allowed to handle all of the items. There is CCTV monitoring the shops, and there
are likely to be store detectives patrolling – but the object of the security is to deter
rather than to prevent shoplifting. Shoplifting does occur, but at rates that are
acceptable to the shop owners. Conversely, few potential customers are put off visiting
the shop because of the measures.
Management of hazard risks
The range of hazard risks that can affect an organization needs to be identified by the organization. Hazard risks can result in unplanned disruption for the organization. Disruptive events
cause inefficiency and are to be avoided, unless they are part of, for example, planned maintenance or testing of emergency procedures. The desired state in relation to hazard risk management is that there should be no unplanned disruption or inefficiency from any of the reasons
shown in Table 3.1.
Table 3.1 provides a list of the events that can cause unplanned disruption or inefficiency.
These events are divided into several categories, such as people, property, assets, suppliers,
information technology and communications. For each category of hazard risks, the organization needs to evaluate the types of incidents that could occur, the sources of those incidents
and their likely impact on normal efficient operations.
Management of hazard risks involves analysis and management of three aspects of the hazard
risk. This will be discussed in more detail in a later Part of this book. In summary, the organization
should look at the necessary actions to prevent the loss occurring, limit the damage that
the event could cause and contain the cost of recovering from the event.
Hazard management is traditionally the approach adopted by the insurance world. Organizations will have a tolerance of hazard risks. The approach should be based on reducing the likelihood and magnitude/impact of hazard losses. Insurance represents the mechanism for
limiting the financial cost of losses.
When an organization considers the level of insurance that it will purchase, the hazard tolerance of the organization needs to be fully analysed. Organizations may be willing to accept a
certain cost of motor accidents as a financial cost that will be funded from the day-to-day
profit and loss of the organization. This will only be tolerable up to a certain level and the
organization will need to determine what level is acceptable. Insurance should then be purchased to cover losses that are likely to exceed that level.
Uncertainty acceptance
When undertaking projects and implementing change, an organization has to accept a level
of uncertainty. Uncertainty or control risks are an inevitable part of undertaking a project.
A contingency fund to allow for the unexpected will need to be part of a project budget, as
well as contingent time built into project schedules. When looking to develop appropriate
responses to control risks, the organization must make necessary resources available to
identify the controls, implement the controls and respond to the consequences of any
control risk materializing.
The nature of control risks and the appropriate responses depend on the level of uncertainty
and the nature of the risk. Uncertainty represents a deviation from the required or expected
outcome. When an organization is undertaking a project, such as a process enhancement, the
project has to be delivered on time, within budget and to specification. Also, the enhancement
has to deliver the benefits that were required. Deviation from the anticipated benefits of a
project represents uncertainties that can only be accepted within a certain range.
Control management is the basis of the approach to risk management adopted by internal
auditors and accountants. The UK Turnbull Report will be mentioned later in this book, and
it concentrates on internal control with little reference to risk assessment. Control management is concerned with reducing the uncertainty associated with significant risks and reducing
the variability of outcomes.
There are dangers if the organization becomes too concerned with control management. The
organization should not become obsessed with control risks, because it is sometimes suggested that over-focus on internal control and control management suppresses the entrepreneurial effort.
Opportunity investment
Some risks are taken deliberately by organizations in order to achieve their mission. These
risks are often marketplace or commercial risks that have been taken in the expectation of
achieving a positive return. These opportunity risks can otherwise be referred to as commercial, speculative or business risks. Opportunity risks are the type of risk with potential to
enhance (although they can also inhibit) the achievement of the mission of the organization.
These risks are the ones associated with taking advantage of business opportunities.
All organizations have some appetite for seizing opportunities and are willing to invest in
them. There will always be a desire for the organization to have efficient operations, effective
processes and efficacious strategy. Opportunity risks are normally associated with the development of new or amended strategies, although opportunities can also arise from enhancing
the efficiency of operations and implementing change initiatives.
Every organization will need to decide what appetite it has for seizing new opportunities and
the level of investment that is appropriate. For example, an organization may realize that there
is a requirement in the market for a new product that its expertise would allow it to develop
and supply. However, if the organization does not have the resources to develop the new
product, then it may be unable to implement that strategy and it would be unwise for the
organization to embark on such a potentially high-risk course of action.
It will be for the management of the company to decide whether they have an appetite for
seizing the perceived opportunity. Just because the organization has that appetite, it does not
mean that it is the correct thing to do. The board of the company should therefore be aware of
the fact that, although they may have an appetite for seizing the opportunity, the organization
might not have the risk capacity to support that course of action.
Opportunity management is the approach that seeks to maximize the benefits of taking
entrepreneurial risks. Organizations will have an appetite for investing in opportunity risks.
There is a clear link between opportunity management and strategic planning. The desire is
to maximize the likelihood of a significant positive outcome from investments in business
opportunities.
The example below related to personal lifestyle decisions considers risk factors by classifying
them as controllable and uncontrollable. Although the example relates to personal health risk
factors, consideration of whether business risks are within the control of the organization or
not is an important component of successful business risk management.
Heart disease risk factors
Controllable risk factors for heart disease and stroke are those that can be changed
through diet, physical activity and no tobacco use. These risk factors are in contrast to
those that are uncontrolled, such as age, gender, race or genetic traits. Having one or
more uncontrollable risk factors does not mean a person will have a heart attack or
stroke; however, with proper attention to those risk factors that are controllable, one
may reduce the impact of those risk factors that cannot be controlled or changed.
Controllable risk factors for heart disease or stroke include high blood pressure, high
blood cholesterol, type-2 diabetes and obesity. Healthy lifestyle habits, such as
developing good eating habits, increasing physical activity and abstaining from tobacco
use, are effective steps in both preventing and improving the controllable risk factors.
4
Development of risk management
Origins of risk management
Risk management has a variety of origins and is practised by a wide range of professionals.
One of the early developments in risk management was in the United States out of the insurance management function. The practice of risk management became more widespread and
better co-ordinated because the cost of insurance in the 1950s had become prohibitive and the
extent of coverage limited. Organizations realized that purchasing insurance was insufficient,
if there was also inadequate attention to the protection of property and people. Insurance
buyers therefore became concerned with the quality of property protection, the standards of
health and safety, product liability issues and other risk control concerns.
This combined approach to risk financing and risk control developed in Europe during the
1970s and the concept of total cost of risk became important. As this approach became established, it also became obvious that there were many risks facing organizations that were not
insurable. The tools and techniques of risk management were then applied to other disciplines, as discussed later in this chapter.
The maturity of the risk management discipline is now such that the links with insurance are
much less strong. Insurance is now seen as one of the risk control techniques, but it is only
applicable to a portion of hazard risks. Risks related to finance, commercial, marketplace and
reputational issues are recognized as being hugely important, but outside the historical scope
of insurance. The range of different approaches to risk management is illustrated by the definitions of risk management as set out in Table 4.1.
Table 4.1 Definitions of risk management
Organization | Definition of risk management
ISO Guide 73; BS 31100 | Coordinated activities to direct and control an organization with regard to risk
Institute of Risk Management (IRM) | Process which aims to help organizations understand, evaluate and take action on all their risks with a view to increasing the probability of success and reducing the likelihood of failure
HM Treasury | All the processes involved in identifying, assessing and judging risks, assigning ownership, taking actions to mitigate or anticipate them, and monitoring and reviewing progress
London School of Economics | Selection of those risks a business should take and those which should be avoided or mitigated, followed by action to avoid or reduce risk
Business Continuity Institute | Culture, processes and structures that are put in place to effectively manage potential opportunities and adverse effects
The increasing importance of risk management can be explained by the list of issues set out in
Table 4.2. Many of these issues demonstrate that the application of risk management has
moved a long way from the origins in the insurance world. Nevertheless, the insurance origins
of risk management remain vitally important and are still part of the approach to hazard
management.
This chapter considers the nature of risk management and the established stages that build
into the risk management process. Historically, the term…