
International Certificate in Enterprise Risk Management

ii | © 2016 Institute of Risk Management

Published by:

Institute of Risk Management

2nd Floor, Sackville House, 143–149 Fenchurch Street, London EC3M 6BN

Tel: +44 (0) 20 7709 9808

Fax: +44 (0) 20 7709 0716

Email: [email protected]

www.theirm.org

© 2016, 2015, 2014 Institute of Risk Management

First published 2014. This revised edition published September 2016.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without permission of the copyright owner.

While every effort has been made to ensure that references to websites are correct at time of going to press, the World Wide Web is a constantly changing environment and Institute of Risk Management cannot accept any responsibility for any changes to addresses.

Institute of Risk Management acknowledges product, service and company names referred to in this publication, many of which are trade names, service marks, trademarks or registered trademarks.

Instructional design, and editorial and production project management by Wordhouse Ltd, Reading, UK.


Acknowledgements

Institute of Risk Management (IRM) wishes to thank and acknowledge the efforts of Steve Shackleford, lead developer of this study guide, and reviewers Dorothy Abade-Maseke, Niall Butler and Norman Sinclair.

IRM also thanks its global Education Advisory Board and current and past examiners for their invaluable contribution and advice concerning the redevelopment of the syllabus content.

Finally, we are grateful to Stephen Wellings and his team at Wordhouse Ltd for their advisory and editorial services. Also to John Meed and Roger Merritt Associates for their contributions to this revision.


Contents

Introduction ...................................................................................................... vii

Overview of Module 1: Principles of Risk and Risk Management.................. x

Unit 1 Concepts and definitions of risk and risk management ...................... 1

Introduction ....................................................................................................... 2

1.1 Approaches to defining risk ..................................................................... 2

1.2 Impact of risk on organisations ................................................................ 4

1.3 Types of risk ............................................................................................ 6

1.4 Development of risk management ........................................................... 6

1.5 Principles and aims of risk management ................................................. 9

Self-assessment questions ............................................................................. 10

Further reading ............................................................................................... 11

Feedback to activities ..................................................................................... 12

Answers to self-assessment questions ........................................................... 13

Unit 2 Risk management standards................................................................ 14

Introduction ..................................................................................................... 15

2.1 General risk management standards .................................................... 15

2.2 Alternative risk management approaches ............................................. 22

Self-assessment questions ............................................................................. 24

Further reading ............................................................................................... 25

Feedback to activities ..................................................................................... 26

Answers to self-assessment questions ........................................................... 27

Unit 3 Enterprise risk management ................................................................ 28

Introduction ..................................................................................................... 29

3.1 Defining Enterprise risk management ................................................... 29

3.2 Enterprise risk management overview .................................................. 31


3.3 Implementing ERM ................................................................................ 33

3.4 Establishing the context for risk management ....................................... 34

3.5 Objective setting ................................................................................... 37

Self-assessment questions ............................................................................. 42

Further reading ............................................................................................... 42

Feedback to activities ..................................................................................... 44

Answers to self-assessment questions ........................................................... 47

Unit 4 Risk assessment 1: introduction and identification ........................... 48

Introduction ..................................................................................................... 48

4.1 Risk assessment considerations ........................................................... 49

4.2 Risk causes (sources) and consequences ............................................ 55

4.3 Risk classification systems .................................................................... 60

Self-assessment questions ............................................................................. 70

Further reading ............................................................................................... 70

Feedback to activities ..................................................................................... 71

Answers to self-assessment questions ........................................................... 73

Unit 5 Risk assessment 2: risk analysis and evaluation ............................... 74

Introduction ..................................................................................................... 75

5.1 Introduction to risk analysis ................................................................... 75

5.2 Risk likelihood and impact ..................................................................... 77

5.3 Risk evaluation and risk appetite ........................................................... 84

5.4 Loss control ........................................................................................... 89

5.5 Defining the upside of risk ..................................................................... 90

Self-assessment questions ............................................................................. 96

Further reading ............................................................................................... 96

Feedback to activities ..................................................................................... 97

Answers to self-assessment questions ........................................................... 98


Unit 6 Risk response and risk treatment ...................................................... 100

Introduction ................................................................................................... 101

6.1 Introduction to risk treatment and risk response.................................. 101

6.2 The 4Ts ............................................................................................... 104

6.3 Risk control techniques (PCDD) .......................................................... 107

6.4 Control of selected hazard risks .......................................................... 110

6.5 Introduction to monitoring and review ................................................. 110

6.6 Insurance and risk transfer .................................................................. 117

6.7 Business continuity planning ............................................................... 118

Self-assessment questions ........................................................................... 123

Further reading ............................................................................................. 124

Feedback to activities ................................................................................... 125

Answers to self-assessment questions ......................................................... 130

References ...................................................................................................... 131


Introduction

This module provides an introduction to the fundamental principles and concepts relating to risk and risk management. It asks you to consider the following questions:

• What do we mean by risk?
• How did risk management develop into the profession that it is today?
• What is enterprise risk management?
• Which standards and frameworks exist to guide us through the process of managing risk?

Module 1 underpins the remaining five modules of the International Diploma in Enterprise Risk Management. Successful completion of modules 1 and 2 leads to the award of International Certificate in Enterprise Risk Management.

About this study guide

This study guide will lead you step by step through the module in a series of carefully planned units, and provide you with learning activities and self-assessment questions to help you master the subject matter. The guide should help you organise and carry out your studies in a methodical, logical and effective way, but if you have your own study preferences you will find it a flexible resource too.

Before you begin using this study guide, make sure you are familiar with the advice, guidance and rules provided by IRM on such things as study and revision skills, support and formal assessments in the Student Handbook, which can be found in The Study section of the IRM website.

If you are on a taught course, your tutor will explain how to use the guide in conjunction with a programme of face-to-face workshops and seminars – when to read the units, when to tackle the activities and questions, and so on.

If you are studying independently, you can use the study guide in the following way:

• The overview that follows will give you a feel for the nature and content of the subject matter.
• Plan your overall study schedule so that you allow enough time to complete all units well before your examinations – in other words, leaving plenty of time for revision. You can use the study and revision plan template provided in the Student Handbook.
• For each unit, set aside enough time for reading the text and other essential readings, tackling all the learning activities and self-assessment questions and the suggested further reading. And don’t forget the opportunities to network with other students provided in the student support area of the IRM website.

The study guide breaks the module content down into six units, which vary from approximately 20 to 30 hours’ duration each. However, we are not advising you to study for this sort of time without a break! The units are simply a convenient way of breaking the syllabus into manageable chunks. Most people would try to study one unit every two or three weeks, taking plenty of breaks within each unit. You will quickly find out what suits you best.

Now let’s take a look at the structure and content of the individual units.

Each unit begins with an introductory page which sets out the overall learning outcome for the unit, the main sections into which it is divided and the subsidiary learning outcomes for each of those sections. The outcomes are designed to help you understand exactly what you should be able to do after you’ve studied the unit. You might find it helpful to tick them off as you progress through the unit. You will also find them useful during revision. Following this, the resources section will let you know which books, articles and web sources you will need to access as ‘essential readings’ during the unit.

Then the main part of the unit begins, with the first of the numbered main sections. Each unit contains essential readings which refer you to the relevant textbooks, articles, and so on. It is essential that you do this reading, since it is not possible to put everything you need to know in a single study guide. At this level of study, wider reading is the key to developing deeper subject learning through a contemporary, contextual and critical perspective.


At regular intervals in each unit, we have provided you with activities, which are designed to get you actively involved in the learning process. You should always try to complete the activities before reading on. You will learn much more effectively if you are actively involved in doing something as you study, rather than just passively reading the text in front of you. You will find the feedback on the activities at the end of the unit.

Also featuring throughout each unit are Risk in the real world items, which are brief case studies and examples showing how the key points relate to real world organisations or events.

The further reading section at the end of each unit will enable you to find more detailed information, or suggest where you might explore a particular topic in more depth. A full list of all sources referred to, both here and in the essential readings, is given in a separate references section at the end of the study guide.

We provide a number of self-assessment questions at the end of each unit. These are to help you to decide for yourself whether you have achieved the learning outcomes set out at the beginning of the unit. Once again, there are answers at the end of the unit. If you still do not understand a topic, having attempted the self-assessment question, always try to reread the relevant passages in the unit itself and the essential readings, or follow the advice on further reading.

Good luck in your studies!


Overview of Module 1: Principles of Risk and Risk Management

Module aims

This module introduces the principles and concepts of risk and risk management. The history of risk management is explored as a means of understanding the current drivers of enterprise risk management, and the development and impact of international standards. This leads to an examination of the ways in which risks are classified and the models or frameworks that are utilised to identify, assess and treat them.

Module learning outcomes

By the end of the module you should be able to:

• Recognise the origins and key concepts relating to risk management.
• Compare and contrast the main risk management standards.
• Apply the concepts of enterprise risk management.
• Examine the main approaches to risk identification.
• Use the main approaches to the analysis and evaluation of risk.
• Distinguish the main features of risk control techniques.

Main learning units and topics

Unit 1: Concepts and definitions of risk and risk management

Definitions of risk, impact of risk on organisations, introduction to types of risk, definitions and development of risk management, principles and aims of risk management.

Unit 2: Risk management standards

General risk management standards, alternative risk management approaches.


Unit 3: Enterprise risk management

COSO 2004, enterprise risk management, implementing ERM, establishing the context for risk management.

Unit 4: Risk assessment 1: introduction and identification

Risk assessment considerations, risk classification systems (risk identification), risk causes (sources) and consequences.

Unit 5: Risk assessment 2: risk analysis and evaluation

Introduction to risk analysis, risk likelihood and impact, loss control, defining the upside of risk, the importance of risk appetite (risk evaluation).

Unit 6: Risk response and risk treatment

Introduction to risk treatment and risk response, the 4Ts, risk control techniques (PCDD), control of selected hazard risks, introduction to monitoring and review, insurance and risk transfer, business continuity planning (BCP).

Essential reading list

These are the texts we refer to in the essential reading sections. Hopkin (2014) is the core text; you should be able to download the others on-line from the links below.

Adams, J (2007) ‘Risk Management: It’s Not Rocket Science – It’s Much More Complicated’, Public Risk Forum, May 2007. Valby, Denmark: European Institute for Risk Management in collaboration with PRIMO (Public Risk Management Organisation) Europe. Available at: http://www.eirm.dk/en/Who%20We%20Are/~/media/Business%20Card/Articles%20-%20EIRM/Publications%20by%20EIRM/PRF%20May%202007.ashx

Airmic/Alarm/IRM (2010) A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000. London: Association of Risk Managers/Public Risk Management Association/Institute of Risk Management. Available at: http://www.theirm.org/media/886062/ISO3100_doc.pdf


COSO (2004) Enterprise Risk Management: Integrated Framework, Executive Summary. Committee of Sponsoring Organizations of the Treadway Commission. Available at: http://www.coso.org/documents/coso_erm_executivesummary.pdf

COSO (2014) Improving organizational governance and performance: How the COSO frameworks can help. Committee of Sponsoring Organizations of the Treadway Commission. Available at: http://www.coso.org/documents/2014-2-10-COSO%20Thought%20Paper.pdf

HM Treasury (2004) The Orange Book: Management of Risk – Principles and Concepts. London: HM Treasury. Available at: http://hm-treasury.gov.uk/orange_book.htm

Hopkin, P (2014) Fundamentals of Risk Management. London: Kogan Page.

RIMS (2011) An overview of widely used risk management standards and guidelines. Risk and Insurance Management Society, Inc. Available at: http://www.rims.org/resources/ERM/Documents/RIMS%20Executive%20Report%20on%20Widely%20Used%20Standards%20and%20Guidelines%20March%202010.pdf

StrategicRISK (2012) ‘StrategicRISK 2012 Risk Report: The top concerns of European risk managers’. Sponsored by Marsh Risk Consulting. London: Newsquest Specialist Media. Available at: http://www.strategic-risk-global.com/risk-report-2012-update/1397747.article

Unit 1 Concepts and definitions of risk and risk management

Unit learning outcome

After studying this unit, you should be able to:

• Recognise the origins and key concepts relating to risk management

Unit contents | Section learning outcomes
1.1 Approaches to defining risk (page 2) | Provide a range of definitions of risk and risk management
1.2 Impact of risk on organisations (page 4) | Analyse how risks impact on organisations, for example by way of the attachment of risks theory
1.3 Types of risk (page 6) | Describe options for classifying risks according to the nature, source and timescale of impact
1.4 Development of risk management (page 6) | Outline the history of risk management, including the various specialist areas and approaches
1.5 Principles and aims of risk management (page 9) | Consider the principles and aims of risk management and risk management’s importance to operations, projects and strategy

Resources

You will also need to consult the following resources:

• Hopkin (2014), chapters 1–5
• The Orange Book (HM Treasury, 2004), chapter 1

MODULE 1 | PRINCIPLES OF RISK AND RISK MANAGEMENT


Introduction

This unit provides a general introduction to some basic risk management concepts. It will take you through some common definitions of risk and will look at the positive and negative impact that risk has on organisations. It will introduce key features of risk and risk management and introduce methods of classifying risks. It moves on to discuss the history of risk management, and the principles and benefits to organisations of good risk management.

1.1 Approaches to defining risk

There have been many attempts over the years to define risk. Frank Knight (Knight, 1921), one of the fathers of modern risk management, said:

Risk can be applied to a situation where there are several possible outcomes and, on the basis of past relevant experience, probabilities can be assigned to the various outcomes that could prevail.

Uncertainty can be applied to a situation where there are several possible outcomes but there is little past relevant experience to enable the probability of the possible outcomes to be predicted.

This suggests that risk management covers the management of both quantifiable risk and unquantifiable uncertainty.

As most if not all of the decisions made by an organisation will be ones with an uncertainty of outcome (in other words, risky decisions), Douglas Barlow, another very early writer on risk, aptly stated in 1962 that ‘all management is risk management’ (Sedgwick Law, 2006).

A widely used definition of risk comes from the International Organization for Standardization (ISO, 2009), which states that risk is ‘the effect of uncertainty on objectives’.

So the overriding purpose of risk management is to help organisations to identify, understand and manage their risks and opportunities, and thereby increase the likelihood of achieving their objectives by reducing uncertainty.

UNIT 1 | CONCEPTS AND DEFINITIONS OF RISK AND RISK MANAGEMENT


For examination purposes, it is vital to have in your mind one general definition each of risk and risk management, such as the ISO one. IRM has stated that:

‘Organisations of all types face a variety of factors and influences that make it uncertain whether and when they will achieve their objectives. The effect of this uncertainty is termed ‘risk’. Effective risk management helps organisations to identify, understand and manage the risks, thereby maximising the likelihood of achieving their objectives. And this is the first and overriding purpose of risk management.

‘Risk management is a core management discipline. Like general management or project/change management, risk management is a discipline that supports all organisational activities. The risks that organisations face change all the time, so the art of good risk management is to combine planning for what we already know has happened and might occur, with preparation for unknown situations.

‘With the general public, however, risk management often has a poor perception. Stories in the media of risk management getting in the way of common sense are not infrequent. The failure of some health and safety practitioners to properly communicate the immense benefits of their work and the perceived failure of risk management in the world’s banks have all added to these perceptions.’

Every organisation that wants to practise risk management should produce its own clear, shared definition of what it means by the terms ‘risk’ and ‘risk management’. There are specific tools we can use to describe risks, the most common being the risk register. In module 2, we shall see the range of means of storing such information, from manual records, to spreadsheets, to fully blown dedicated risk information management systems (RIMS).

Organisations have to first quantify (analyse) the relative severity of the risk before any actions have been taken to manage it. This is called the inherent (or gross) risk. We then again measure the same risk after risk management actions have been taken. This we call the residual (or net, or current) risk.


Essential reading

Read the first three sections of chapter 1 of Hopkin, which cover ‘definitions of risk’, ‘types of risk’ and ‘risk description’.

Have a quick look over the rest of the chapter – however, we will discuss these issues in much more detail in later units of this module.

Activity 1.1

1 From your reading of this unit so far, and Chapter 1 of Hopkin, which definition of risk seems most appropriate to you?

2 What is the difference between ‘hazard’, ‘control’ and ‘opportunity’ risks?

3 Does your organisation have a formal definition of risk? If so, how many people are aware of it? If not, what do you think are the reasons for its absence?

Check your answers with those at the end of this unit.

Essential reading

Read The Orange Book, chapter 1. This provides a succinct, two-page introduction to risk and risk management. Note carefully section 1.6, which also uses Hopkin’s three dimensions, but adds that different skills and competencies are required to manage risks at each of these levels.

1.2 Impact of risk on organisations

We have seen how one of the most well used definitions of risk relates to the effect of uncertainty on objectives. Risks do indeed impact on corporate objectives, but, as your next reading will show, they can also impact on key dependencies, core processes and stakeholder expectations. We call this the ‘attachment of risk’, and organisations should map out how risks are attached to each of these elements in order to fully analyse their impact.


Let’s consider the meaning of these three additional points of impact now:

• Key dependencies are the key things that the organisation needs to be successful; they might be internal or external things but, in short, they are what the business depends upon for its future success.
• Core processes are fundamental to organisational success because they are the means of delivery of strategy and continuity of operations. A core process can be defined as “the collection of activities that deliver a specific stakeholder expectation”.
• Stakeholders are the groups of individuals who have a stake in the business, or are affected by what the organisation does – such as investors, suppliers, customers, the wider society and government.

The rationale for the attachment of risk is that organisations should map out the consequences of risk in order to fully analyse their impact.

Essential reading

Read Chapter 2 of Hopkin – pay particular attention to the third subject, on the attachment of risks, because this is a recurring theme throughout the module. See also the box on page 26, which examines the difficulties in balancing risk and reward in Formula 1 racing, and the box on page 28, which looks at propensity for taking risks.

Activity 1.2

1 Note down what Hopkin means by key dependencies, core processes and stakeholder expectations.

2 With your colleagues, try to identify a key dependency and a core process within your organisation. Then try to identify what types of risk your dependency and your process might be vulnerable to.


A report issued by the International Integrated Reporting Council in December 2013 (IIRC, 2013) shows how risk can impact on an organisation’s capital value – see the further reading section at the end of unit 1.

Risk in the real world

Hopkin (on page 24) provides an example of an external key dependency when talking about Northern Rock. Look also at further context to the Northern Rock events in the table on page 30.

1.3 Types of risk

You will now look more closely at classifying risks as hazard risks, control risks and opportunity risks.

Essential reading

Read chapter 3 of Hopkin, which looks at the timescale of risk impacts and then explores hazard risks, control risks and opportunity risks further.

Activity 1.3

The box on page 36 of Hopkin gives an alternative typology of risk factors – controllable and uncontrollable risks. Using heart disease as an example, give an example of both controllable and uncontrollable risks.

1.4 Development of risk management

Understanding the history of risk management can be useful for several reasons:

• The scope of risk management has changed to such a degree in recent years that conventional views of risk have had to be altered – see for example Bernstein (1996) in the further reading for unit 1.
• Historically, risk management has focused on the mathematics of hazard-based or financial risks. It tended to focus on specific risks and neglected an enterprise-wide approach.
• You need to understand the history to explain where we are now in risk management and where this may lead in the future.
• You will see that our changing world has produced new risks that do not easily fit into historical frames of reference, and history tells us that new risks come and old risks disappear – we can learn lessons on how people reacted to new, emerging risks.
• Risk management frameworks have developed only since 1995.

A historical timeline in risk management history might include the following:

• 1500: Religious belief, fate and superstition – evolutionary theory.
• 1500–1900: A decline of the above by educational enlightenment in risk.
• 1900–70: Development of specialist risk professions.
• 1970–95: Risk management specialism moves towards generalism.
• 1995–date: The maturing risk profession.
• 1995–date: The age of risk management standards.

But in the last few hundred years there was another significant trend towards:

• More knowledge of causes and effects (as people experienced and better understood their environment – initially from the passing down of stories and then from first written records).
• Turning mystery and superstition into unknown uncertainty and then into known uncertainty (the time of the Enlightenment), which moved on into people being able to measure risk for the first time through the development of statistics.

There is great value in looking at the past. Not only can it provide insight into the developmental dynamic of the field, it provides important guidance in understanding why the modern world appears as it does, particularly with some of the inherited superstitions and irrationalities.


‘A brief history of risk management’ (Kloman, 2010) gives a history of risk management from 1914 until 2008 and includes something on the development of risk specialisms, such as insurance, actuarial science, and health and safety. Though the material skims the surface of a very detailed subject, it serves a useful role in orienting you towards key events in the history of the field. See the further reading section at the end of unit 1.

Essential reading

Read chapter 4 of Hopkin, which looks at the origins of risk management and the development of risk management specialisms.

Activity 1.4

1 As a modern risk manager, why is it useful to understand something of the

history of risk management?

2 By talking to some of the longer serving members of your organisation, try to

discover something of the history of risk management in your organisation.

Since 2009 we have experienced a number of major risk events such as the Arab Spring, major natural disasters, the range of sovereign debt crises in many Eurozone countries and the slow signs of recovery in Western economies. All these things impact our role in the risk profession.

Indeed, most of the exciting and worthwhile achievements humanity would like to make are complex and not without their potential pitfalls. Risk management can help organisations achieve what otherwise might be too risky or uncertain. Good risk management is about being able to take risk. Good risk management is about ‘reaching for the stars’.

UNIT 1 | CONCEPTS AND DEFINITIONS OF RISK AND RISK MANAGEMENT

© 2016 Institute of Risk Management | 9

At the same time, risk management is also about safeguarding organisations and making them more resilient. While being ambitious, it is also important to protect the value of the organisation. Managing so-called ‘downside risk’ – events whose potential outcome is negative or undesirable – can help the organisation apply controls and achieve its objectives.

Increasingly organisations are required by law, regulation or stakeholder expectations to build risk management competencies and provide reports that show that those competencies are effective. In the future, these reports might well be audited in ways similar to the way financial reports are audited today.

1.5 Principles and aims of risk management

This final section looks at the five principles of risk management and the main benefits or objectives of risk management.

Essential reading

Read chapter 5 of Hopkin on the principles and aims of risk management. Pay particular attention to the acronyms PACED and MADE2, as these will be recurring themes throughout module 1. On page 53, Hopkin demonstrates the failed strategy of a real grocery retail chain from several years ago, while on page 56 he uses a car’s brakes, clutch and accelerator as an analogy to explain the benefits of these three levels or types of risk.

Activity 1.5

1 List five benefits of good risk management.

2 Outline the five principles of risk management.


RISK IN THE REAL WORLD

PricewaterhouseCoopers (2010: 8) published a composite of a range of research reports that took place prior to the global financial crisis in 2009, which showed that strategic risk was by far the greatest determinant of how shareholder value is destroyed in business. PwC estimated that strategic risks explained up to 60% of shareholder value decreases, followed by 20% for operational risk losses, 15% for financial risk effects and 5% for compliance risk effects. This study used the COSO ERM classification of objectives/risks, which we will consider in unit 3.

Self-assessment questions

These questions will help you to check your knowledge of Unit 1. They use a multiple choice format similar to that you will meet in the exam. Choose the option you think is right and then check with the answers at the end of this unit.

1 Which of these best describes ‘residual’ (or net, or current) risks?

a) A risk before any actions have been taken to manage it

b) A risk associated with speculative opportunities

c) A risk after risk management actions have been taken

2 Which of these best describes ‘hazard’ risks?

a) Risks associated with the benefits of speculative opportunities

b) Risks associated with ‘pure’ risks or perils

c) Risks associated with the management of uncertainty

3 What are core processes?

a) The means of delivery of strategy and continuity of operations

b) The key things that the organisation needs to be successful

c) Groups of individuals who have a stake in the business, or are affected by what the organisation does


4 Which of these best describes the term ‘mandatory’ in relation to risk management objectives as set out in MADE2?

a) To ensure that risk management complies with the five principles of PACED

b) To ensure that appropriate risk-management information is available

c) To ensure conformity with rules, regulations and obligations

Further reading

IRM’s Online Resource Centre (ORC) has a list of publications on the introduction to risk and risk management in the section ‘Principles of risk’. Look in particular at the subsections called ‘History of risk management’ and ‘Nature of risk and uncertainty’.

Holton (2004) provides a good summary of how risk has been defined since Frank Knight tried to distinguish risk from uncertainty, and it discusses the ensuing debate throughout the twentieth century.

Entsgo (undated) provides an easy to read two-page distinction between pure and speculative risks.

Bernstein (1996) introduces the debate over the actual meaning of ‘risk’. Historically, the risk management field has tended to define risk solely through its statistical or mathematical nature, which is appropriate in many settings.

Kloman (2010) offers an introductory historical perspective on key developments in the history of risk management, especially from 1914 to the start of the 2008 financial crisis.

In December 2013 a new organisation, the International Integrated Reporting Council (IIRC), produced a major report, which has something to say on the impact of risk in organisations as part of a much wider agenda to reform corporate reporting to stakeholders. The IIRC measures value creation in the form of six different types of capital owned by any organisation (IIRC, 2013: 11).


If you are interested in finding out how businesses around the world justify their investment in risk management (or rather enterprise risk management) you could briefly review Accenture (2011).

Feedback to activities

Activity 1.1

1 The simplest definition is the one you can get from ISO 31000. You can find this and several others in Hopkin’s table 1.1 (page 14).

2 The source for your answer to this question can be found in Hopkin chapter 1, ‘Types of Risk’ (page 15). As you work through the book look for other characteristics and differences for these three levels of risks, which he describes from time to time.

3 If your organisation has a formal definition of risk (perhaps from a policy document or a risk manual), compare it to some of the more official definitions.

Activity 1.2

1 Key dependencies are the key things that the organisation needs to be successful; they might be internal or external things but in short, they are what the business depends upon for its future success.

2 Core processes are fundamental to organisational success because they are the means of delivery of strategy and continuity of operations. A core process can be defined as ‘the collection of activities that deliver a specific stakeholder expectation’.

3 Stakeholders are the groups of individuals who have a stake in the business, or are affected by what the organisation does – such as investors, suppliers, customers, the wider society and government.

Activity 1.3

Controllable risks for heart disease include high blood pressure or cholesterol. Uncontrollable risks include age or gender.


Activity 1.4

1 The scope of risk management has changed to such a degree in recent years that conventional views of risk have had to be altered. Historically, risk management has focused on the mathematics of hazard-based risks or on financial risks. It tended to focus on specific risks. You need to understand the history of risk and risk management to explain where we are now and where things may go in the future. You will see that our changing world has produced new risks that do not easily fit into historical frames of reference. So in summary, the history helps to explain where we are today and might give us some guide to the direction in which risk management is going in the years to come.

2 They may be able to talk about some of the major crises or major periods of change that the business faced and how the organisation got through those changes intact.

Activity 1.5

1 Your solution can be found in Hopkin chapter 5. The MADE2 acronym – see Hopkin’s table 5.2 (page 51) – can help you to remember. You can also help yourself by remembering the definition of risk, which implies that good risk management will help achieve your organisation’s objectives.

2 Again an acronym from Hopkin chapter 5 is the source of your answer. This time the acronym is PACED – see table 5.1 (page 50).

Answers to self-assessment questions

1-c

2-b

3-b

4-c

Unit 2 Risk management standards

Unit learning outcome

After studying this unit, you should be able to:

Compare and contrast the main risk management standards

Unit contents and section learning outcomes

2.1 General risk management standards (page 15): Describe the key stages in the risk management process, the main components of a risk management framework and the key features of the best known risk management standards and frameworks currently in use

2.2 Alternative risk management approaches (page 22): Compare and contrast a number of risk management standards

Resources

You should make sure you have access to the following resources before starting this unit:

Hopkin (2014), chapter 6

The Orange Book (HM Treasury, 2004), chapter 2

Airmic/Alarm/IRM (2010), part 1

RIMS (2011)


Introduction

This unit begins by looking at the main features of key general risk management standards, including the most generally accepted ISO 31000 standard (ISO, 2009), as well as considering the importance of a range of risk related guidance. It then looks briefly at some specialist risk management standards.

All risk management standards are recent; indeed, the first ever risk management standard, the AS/NZS4360, was only released in 1995 (Standards New Zealand, 2013). If anything, that fact demonstrates the still youthful state of our profession and why even now risk managers still argue over such fundamental issues as the definition of risk.

Your organisation may use the characteristics of one of these standards to implement a risk management process to manage its risks; it may combine them and use elements from each; or it may even have its own bespoke standard.

As your career in risk management develops you will need to know well at least one such risk management standard and how to apply it in your organisation.

2.1 General risk management standards

Risk management has developed over time and across many regions of the world and many industry sectors, as well as within discrete professions, to meet diverse needs. Risk management standards, within a clear framework, can support a more consistent risk management process and this can help to ensure that risk is managed effectively, efficiently and coherently across an organisation.

The following terminology is generally accepted and applies to ISO 31000:

Risk management standard = The risk management framework + The risk management process


IRM states that a simple risk management process is all about being able to:

identify risks (and opportunities)

evaluate and prioritise the significant risks (and opportunities)

manage the significant risks

In order to provide an explanation for the content of the risk management framework, the acronym RASP or ‘Risk Architecture, risk Strategy and risk Protocols’ has been developed. RASP is a supportive structure of the risk management process – it is what helps to determine how the process works. RASP is in fact an introduction to a substantial area of study which you will undertake in module 2.

This unit looks at some general risk management standards. You have already looked at the 8Rs and 4Ts model in Chapter 4 of Hopkin on page 40. The 8Rs and 4Ts of (hazard) risk management do not form part of any wider, present day risk management standard or framework. However, the model is surprisingly well known and you might well find such an approach suitable for your organisation.

We shall now look at three other general risk management standards in the order in which Hopkin discusses them in Chapter 6:

IRM (2002) model (page 59).

COSO ERM (page 63).

ISO 31000 model (page 65).

The IRM (2002) model

IRM (2002) describes a slightly different framework of the structure, responsibilities, administration, reporting and communication in relation to risk. Although slightly different to RASP, it is another acceptable approach to describing the risk management framework.


The risk management framework can be likened to the risk management context. In other words, it is the context in which the risk management process must operate. Later, we shall see that the next two standards (COSO ERM and the ISO 31000) also have something to say on the subject of the risk management context. Two additional elements of the risk management context are:

External context – typically the organisation’s industry, products, markets, logistics, supply chain, competitors and countries of operation.

Internal context – typically the organisation’s internal workings – its divisions, departments, structures, cultures, leadership, strengths and weaknesses, and so on.

As well as having a primary role of providing the context of risk management, the framework also has a secondary role of ensuring that the outputs of the process are communicated, and that the benefits anticipated (MADE2) from the investment in risk management are delivered.

Essential reading

Read the first part of chapter 6 in Hopkin, ‘Scope of risk management standards’, which introduces the IRM (2002) risk management process – figure 6.1 (page 59). Look briefly as well at the short sections on ‘Risk management process’ and ‘Risk management framework’.

Activity 2.1

1 In the light of your reading, write a one-sentence definition of each of these key terms:

a) Risk management standard b) Risk management framework c) Risk management process

2 Draw a flowchart which describes your organisation’s risk management process.


The COSO ERM cube

The concept of enterprise risk management (ERM), which was first developed around 2000, received a real boost in world-wide popularity during the autumn of 2004 when the Committee of Sponsoring Organisations of the Treadway Commission (COSO) launched COSO ERM (COSO, 2004).

Essential reading

Look at the fourth part of Hopkin chapter 6 (page 62), ‘COSO ERM cube’, taking note of figure 6.3 on page 63.

The COSO ERM framework is displayed as a cube, as in Hopkin Figure 6.3:

The front face is the risk management process, and you should be able to summarise the content of each of the eight items.

The top face of the cube describes the four categories of organisational objectives. Again you should be able to summarise the meaning of each of these four items.

Finally, the side face of the cube shows the implementation process of the standard. It indicates that ERM begins at entity level and then is cascaded downwards and across the organisation. In that sense, the fully implemented version of ERM has to be embedded in all roles, operations and activities of the enterprise.

COSO ERM is an important standard and we will look at it in greater detail in Unit 3.

Activity 2.2

Write a one-sentence definition of each of these key terms:

a) risk architecture b) risk context c) risk protocols d) risk strategy


ISO 31000

The ISO 31000 standard, released in 2009, is probably the most straightforward and certainly the most internationally accepted risk management standard. For this reason, you should feel comfortable about its content and purpose and especially be aware of its process.

Essential reading

Read the fifth part in Hopkin chapter 6, ‘Features of RM standards’, for an introduction to ISO 31000. See in particular Figure 6.4 (page 65).

There are five clauses (or key elements) in ISO 31000, the most internationally accepted risk management standard. We will briefly describe them here:

Clause 1

This clause defines the scope of the standard as being generic risk management; in other words the standard is designed to be applicable to organisations in a general sense and is not focused on any particular type or form of organisation, nor on any international setting. Anyone can use this standard irrespective of their particular risk context.

Clause 2

This clause provides definitions of 29 terms used in the standard; these are, in fact, derived from another ISO document called ISO Guide 73:2009, which is a glossary of risk management terms. The guide is available (at a cost) from ISO (see references for a link to the ISO website). You do not need to learn the full glossary contained in this guide because this study guide will provide you with all the terms you need to know.

The next three key clauses cover:

the principles of risk management

the framework for risk management

the process of risk management


Clause 3

Clause 3 is based on the principles of risk management. In Unit 1, we referenced PACED as a tool to evaluate the principles of risk management. Clause 3 sets out eleven principles, which we summarise below:

1 Risk management creates and protects value – the risk management process should contribute to the achievement of objectives and improvements in performance.

2 Risk management is an integral part of organisational processes – it is not a stand-alone process and risk management activities, roles and responsibilities should be incorporated into normal planning and operational processes.

3 Risk management is part of decision making – decision making should be better informed by considering what is known about potential uncertain outcomes.

4 Risk management explicitly addresses uncertainty – it reinforces the need to recognise uncertainty around the achievement of objectives and determine an appropriate course of action.

5 Risk management is systematic, structured and timely – systems and structures give the risk management process rigour and make its outcomes more reliable.

6 Risk management is based on the best available information – different perspectives need to be considered as inputs to the risk management process, looking both inside and outside the organisation for areas of risk, and considering the reliability of different information sources.

7 Risk management is tailored – systems should be designed for the particular organisation, taking account of its context, size and complexity.

8 Risk management takes human and cultural factors into account – the systems need to fit the culture(s) of the organisation. They should recognise the human factors within processes, and recognise human factors as risks themselves.


9 Risk management is transparent and inclusive – a good risk management system helps stakeholders understand the organisation’s context and risks, and considers their views on risks and controls.

10 Risk management is dynamic, iterative and responsive to change – to allow organisations to respond effectively to the continually changing business environment, the risk management system itself should be dynamic and always reflect the latest risk environment.

11 Risk management facilitates continual improvement of the organisation – at the same time as being able to respond to change, the risk management system needs to continually develop to help organisations improve their risk management maturity.

Clause 4

The next clause in the ISO 31000 standard is the risk management framework. This clause includes the essential steps in the implementation and ongoing support of the risk management process. The initial component of the ISO 31000 framework is ‘mandate and commitment’ by the board and this is followed by:

design of framework

implement risk management

monitor and review framework

improve framework

The Airmic, Alarm, IRM (2010) guide (page 7) states that:

‘ISO 31000 describes a framework for implementing risk management, rather than a framework for supporting the risk management process. Information on designing the framework that supports the risk management process is not set out in detail in ISO 31000. An organisation will describe its framework for supporting risk management by way of the risk architecture, strategy and protocols for the organisation.’

Clause 5

The final clause in the ISO 31000 standard is the risk management process. Three components of this process are also briefly described in the Airmic, Alarm, IRM (2010) guide on pages 8 and 9. For the moment, you should understand the order of the steps well enough to be able to draw the process diagram yourself.

Essential reading

Read through part 1 of Airmic/Alarm/IRM (2010). This will provide you with further information about the standard.

Activity 2.3

Briefly summarise the content of the five clauses of the ISO 31000 risk management standard (one sentence for each clause).

2.2 Alternative risk management approaches

We conclude unit 2 with a brief review of some other approaches to risk management.

Essential reading

Read the final part in Hopkin chapter 6, ‘Alternative approaches’.

RISK IN THE REAL WORLD

Hopkin refers to one specialist standard called COBIT, which provides guidance regarding information technology risk management, in the box on page 68.

The CoCo framework can be seen as fitting around the internal environment of COSO ERM. There is a relationship between governance, risk and compliance (or GRC, which is a theme in module 2) – the board should focus on governance, with separate risk functions overseeing the risk element, and a separate internal audit function to monitor compliance.

Most countries of the world have their own corporate governance codes and indeed there are some international codes. The rationale for a corporate governance approach to risk management is that good risk management has to start at the top of the organisation. The UK-based Cadbury Committee (1992), in section 2.5 of its report on corporate governance, described this as the place where ‘companies are directed and controlled’. In Module 2 you will study corporate governance as a special topic.

In recent years there has been a trend to complement generic risk management standards of the sort we have reviewed in this reading with industry-specific ones. Before we complete this unit, we shall introduce one of them.

The Orange Book (HM Treasury, 2004) was designed in 2004 as a risk management standard for the UK government sector and so is an example of a sector-specific risk management standard. However, The Orange Book standard is so succinct that it has generic value in its own right.

Essential reading

Read chapter 2 of The Orange Book which summarises The Orange Book’s risk management model and gives a process diagram.

Note that the remaining chapters of The Orange Book describe each element of the risk management model in detail.

Another sector-specific standard exists for the UK charity sector and we include a reference to it as a further reading item at the end of the unit, if you are interested to find out more.

As risk management systems develop in terms of maturity, advisory firms have also designed their own risk management frameworks and toolkits. While each promotes the unique selling points of that firm, the broad principles remain the same: link to strategy objectives and core processes, risk identification, assessment (or analysis), evaluation and action (treatment).

The article published by RIMS (2011) compares and contrasts a number of different standards, including familiar ones, such as ISO 31000, COSO ERM, IRM (2002) – which it calls the FERMA: 2002 standard – and some which are less popular, such as the Open Compliance and Ethics Group standard: 2009 (OCEG), BS 31100: 2011 and Solvency II: 2012.

Essential reading

Turn to RIMS (2011). Briefly look at the first thirteen pages, which are all about comparing these standards. Pay most attention to the three standards we covered in this unit. There is a set of comparison tables for the remaining eleven pages.

Activity 2.4

1 From your work on this unit, do you think opportunity (the flip side of risk) is adequately addressed by the risk management processes outlined in this unit?

2 Which of the standards and models that we introduced in this unit best fits the way your organisation manages risks?

Self-assessment questions

These questions will help you to check your knowledge of Unit 2. You can check with the answers at the end of this unit.

1 Which one of the following risk standards contains ‘control activities’ as a feature in the risk process?

a) COSO ERM

b) ISO 31000

c) IRM (2002) standard

2 Which one of the following definitions is the same as the definition of the risk management context?

a) The risk management strategy

b) The risk management process

c) The risk management framework


3 Which part of the risk framework focuses on answering the question ‘Who does what?’ in the organisation in relation to risk management?

a) Risk architecture

b) Risk context

c) Risk protocols

Further reading

IRM’s ORC (2014) has a segment with a range of publications from many places on the range of risk management standards. It even has the IRM standard of 2002 translated into many different languages.

IRM (2002) has a range of content which is very useful in several of the following units of this module as well as module 2. It runs through the whole of the process (relevant for module 1), as well as providing some information around risk management framework roles, responsibilities, structures and administration (relevant for module 2).

Praxiom (2013) is a very useful and easy to read article. It forms a plain English guide to ISO 31000.

SA/SNZ HB 436:2013 Risk management guidelines - Companion to AS/NZS ISO 31000:2009 is a handbook which provides guidance on the implementation of AS/NZS ISO 31000:2009 (this is ‘identical to and reproduced from ISO 31000:2009’). The handbook expands on and explains the elements within the standard and provides advice about applying it, including using it to evaluate and improve existing risk management practice. The guidelines can be obtained from the web link given in the references section (Standards New Zealand, 2013), but you should be aware that there is a cost to access the content.

In 2012 the Treasury Board of Canada Secretariat issued a substantial guidebook similar to The Orange Book for the management of risk in the Canadian government sector. If you are interested you can read it at Treasury Board of Canada Secretariat (2012).


Finally, in 2010 the UK Charity Commission issued guidelines for risk management specific to the charity sector (Charity Commission, 2010).

Feedback to activities

Activity 2.1

1 Your definitions should be along the following lines:

a) Risk standard – A published guide for managing risk, usually comprising a risk framework and (especially) a risk process.

b) Risk framework – Also known as the risk management context. This comprises the risk strategy, risk architecture and risk protocols and forms the risk context which helps to drive the risk process.

c) Risk process – The stages in the process of managing risk, which is driven mainly by how you set up the framework (but also affected by the internal and external environment).

2 You might actually find some documentation in your department that already does this. If not, it is a most useful exercise because it could help you to consider whether there are any gaps in what you do.

Activity 2.2

1 Your definitions should be along the following lines:

a) Risk architecture – Part of the risk framework, which focuses on answering the question ‘Who does what?’ in the organisation in relation to risk management. This is displayed in Hopkin’s figure 6.2 (page 61).

b) Risk context – This covers three layers of organisation which together drive the risk process; they are the external environment, the internal environment and the risk management context (also known as the risk framework).

c) Risk protocols – The set of tools, procedures and instructions that an organisation has for managing risk.


d) Risk strategy – The agreed overriding purpose and aims of risk management in the organisation, which involves the publication of a risk policy document and the setting of the risk appetite.

Activity 2.3

Clause 1: Scope or purpose of ISO 31000.

Clause 2: A set of definitions used in the standard.

Clause 3: The principles and purposes of risk management.

Clause 4: The stages involved in setting up a risk management framework.

Clause 5: The risk management process.

Activity 2.4

1 From the range of processes that we have looked at, we can see from the underlying definitions of risk that most are meant for dealing with both opportunities and risks (with perhaps the exception of the 8Rs and 4Ts approach – you should see why when we reach unit 6). But perhaps they could be criticised because the process for managing opportunities does not appear to be distinguished in any way from managing downside risk. Perhaps you could answer this question by considering your own organisation: Does your organisation manage opportunities in the same way that it manages downside risk? If the answer to the question is yes, why make the distinction between opportunities and risk in the first place?

2 This activity should help you to compare and contrast your process of risk management with the established standards to find out which of them it most closely mirrors. Look at the terminology that people use to see which standard you most closely resemble. In the last three units of the module we will look at each of the stages of the process in much more detail.

Answers to self-assessment questions

1-a

2-c

3-a

Unit 3 Enterprise risk management

Unit learning outcome

After studying this unit, you should be able to:

Apply the concepts of enterprise risk management (ERM)

Unit contents and section learning outcomes

3.1 Defining Enterprise risk management (page 29): Outline the key characteristics of the COSO ERM framework

3.2 Enterprise risk management overview (page 31): Explain the key features of an enterprise-wide approach to managing risk

3.3 Implementing ERM (page 33): Identify the four stages of the ERM implementation process

3.4 Establishing the context for risk management (page 35): Discuss the various approaches to establishing the context for ERM

3.5 Objective setting (page 37): Discuss approaches to setting objectives

Resources

You should make sure you have access to the following resources before starting this unit:

Hopkin (2014), chapter 19

The Orange Book (HM Treasury, 2004), chapter 10

COSO (2004)

Airmic/Alarm/IRM (2010), part 2

COSO (2014)

UNIT 3 | ENTERPRISE RISK MANAGEMENT

© 2016 Institute of Risk Management | 29

Introduction

Enterprise risk management (ERM) is probably the most important development

of risk management since the year 2000 because it offers a holistic approach to

risk management. Most of the risk management standards we introduced in unit

2 provide holistic guidance to risk management and so are really enterprise risk

management standards.

From the point of view of the International Certificate and Diploma, risk

management and ERM are synonymous, so this module takes an ERM approach

to risk management. Shortreed (2010: 118) sees ERM as a fundamental part of

general management:

‘The integration of ERM is made possible since risk relates to uncertainty

of achieving objectives and the goal of the general management of an

organisation is to achieve objectives.’

In this unit we will define and provide an overview of ERM. We will describe how

it can be implemented, the context within which it is implemented and the role of

objective setting. We will focus much of our attention on the COSO ERM

framework, but we will also consider ERM’s relevance to ISO 31000.

RISK IN THE REAL WORLD

To give you an early flavour of an ERM approach to risk

management, take a look at the hotel sector case study in

Hopkin (page 200), which explains the TSOGO SUN risk

management process.

3.1 Defining Enterprise risk management

James Lam (2003), chief risk officer at GE Capital, described ERM as ‘the

integrated management of business risk, financial risk, operational risk and risk

transfer to maximise a firm's shareholder value’. His meaning was that ERM

makes a company more successful by creating a single view of all risks and

managing those risks in a consistent way up, down and across the enterprise.

MODULE 1 | PRINCIPLES OF RISK AND RISK MANAGEMENT

30 | © 2016 Institute of Risk Management

More recently, KPMG (2006) summarised the move away from traditional forms

of risk management to an ERM approach as shown in table 3.1 below.

Table 3.1: Comparing traditional risk management with ERM

Aspects of a traditional RM approach            | Aspects of an ERM approach

Focus on risk identification and analysis       | Risk in the context of business strategy

Risk as individual hazards                      | Risk portfolio development with risk interconnectivities

Focus on all risks, managed in separate areas   | Focus on critical risks

Risk mitigation                                 | Risk is entity wide

Risk with no owners                             | Identifying and defining risk responsibilities

Risk is insurance                               | Monitoring and measuring risk

Risk is not my responsibility                   | Risk is embedded into everyone’s responsibility

In contrast with the traditional approach, ERM recognises that risks in one part of

the organisation can relate to risks occurring elsewhere and these links and

relationships need to be managed just as much as individual risks in isolation.

Essential reading

Remind yourself what the COSO ERM framework looks like now, by taking a

quick look back to figure 6.3 in Hopkin (page 63), which we introduced in unit 2.

Chapter 19 is the only chapter in Hopkin specifically on the subject of ERM.

Read the first and second parts of this chapter (pages 205–8) on the enterprise-

wide approach and definitions of ERM.

Activity 3.1

1 Write a short definition of enterprise risk management.

2 How does ERM differ from traditional forms of risk management?


3.2 Enterprise risk management overview

ERM considers risks against the need to meet an organisation’s strategic,

operational, compliance and financial reporting objectives – the four elements of

the top face of the COSO ERM cube.

ERM ultimately implies that risk management should be ‘embedded’ from the top

of the organisation (entity level) downwards through the business. For ERM to

work effectively, it requires a high investment in risk management across the

enterprise, a high level of risk maturity and a strong framework for risk

assurance, because the board needs to know that the framework it has invested

in works effectively and consistently across the enterprise.

ERM stresses the need to consider the interdependency between risks. By

taking account of risk interrelationships and the interdependency of risks across

the enterprise, ERM will enable organisations to more accurately assess the

severity of their risks both individually and in total (this total assessment is

sometimes called the ‘risk exposure’).

RISK IN THE REAL WORLD

For example, the outbreak of a major flu epidemic could

increase the likelihood of an IT risk event. If employees are

absent from work with flu, there are likely to be fewer people

around to monitor and enforce the organisation’s controls,

including IT controls. As a result, the controls are more likely to

fail. If the IT controls fail, we could then envisage the increased

likelihood of a financial risk arising, such as the inability to

place orders or invoice clients using the financial system.

Essential reading

Read the executive summary Enterprise Risk Management: Integrated

Framework, Executive Summary (COSO, 2004) which gives a good overview.

Page 1 summarises six characteristics of ERM, page 3 discusses the four

categories of organisational objectives and pages 3 and 4 describe the eight

elements of the risk management process.

Activity 3.2

1 Explain why the first element on the side face of the COSO ERM cube is

described as ‘entity-level’.

2 Consider how one risk from a single source might impact on many departments

within your organisation.

RISK IN THE REAL WORLD

Take a brief look at the case study on page 201 in Hopkin on

BG Group, a large energy company with widely dispersed

operations, which operates a group approach to managing

their ERM activities.

The companion research paper Improving organizational governance and

performance: how the COSO frameworks can help (COSO, 2014) explains how

the ERM process from the COSO cube can be used in a four-stage strategy

setting process. It argues that the starting point both to risk management and

strategy setting is a concept called ‘corporate governance’.

Essential reading

Have a brief look now at the research paper (COSO, 2014).

In addition to COSO ERM, there is also an internal control version. The COSO

Internal Control – Integrated Framework (COSO 1992, revised 2013) places the

emphasis on achieving internal control over financial reporting within the

organisation and for that reason it was later used as the framework of choice for

a very important piece of US law, the Sarbanes-Oxley Act of 2002 – which you

will review in Module 2.

Learning activity 3.3

What are the driving forces in the development of ERM in your sector or country?

What are the main restraining factors?

3.3 Implementing ERM

This section considers techniques for implementing ERM. Bear in mind that:

Firstly, organisations will often employ a risk manager or a risk

management function to oversee the implementation and running of the

ERM framework. In some business sectors, such as banking and finance,

and in some countries of the world, the employment of a chief risk officer

is becoming a regulatory requirement.

Secondly, the PACED principles of risk management are essential factors

to take into account as part of the implementation of the ERM framework

in order to achieve the maximum benefits.

Thirdly, an organisation can assess the benefits of a fully implemented

and effective ERM framework by way of a process called FIRM (financial,

infrastructural, reputational and marketplace benefits). You could also

assess ERM benefits by the use of the MADE2 model.

In many ways, ERM implementation in an organisation is not really a type of risk

management but is more about a measure of the maturity of risk management

within the organisation. All things being equal, if you have ERM you are more

mature in risk management than if you do not have it.

Essential reading

Read the third part of Hopkin chapter 19 (pages 208–9) on ERM in practice.

Then skim read the fourth and fifth parts of Hopkin chapter 19 (pages 209–12) on

ERM and business continuity, ERM in energy and finance, and future

developments of ERM as we will consider these ideas later.


The Airmic, Alarm, IRM guide (2010) identifies four stages to the implementation

process, using the acronym PIML:

planning and designing

implementing and benchmarking

measuring and monitoring

learning and reporting

Activity 3.4

Compare this process to the risk management ‘framework’ (clause 4) of ISO

31000, which we looked at in reading 2. Can you see similarities between

clause 4 and the Airmic, Alarm, IRM (2010) approach?

There are many guides and readings providing advice about the implementation

of ERM. In most cases, an overriding conclusion of these guides is that the

method of implementation will be contingent upon the risk characteristics of the

organisation concerned, along with its internal and external environment. In other

words, it is contingent on the ‘organisational context’ – a term we introduced in

unit 2 and will explore more next.

Essential reading

Skim read part 2 (pages 10–18) of the ‘Structured Approach to ERM’ guide

(Airmic/Alarm/IRM, 2010).

3.4 Establishing the context for risk management

Establishing the context for risk management is regarded in most risk

management standards – and notably ISO 31000 – as the starting point of the

risk management process. The University of Wollongong (2013) states:

‘To establish the context means to define the external and internal

parameters that organizations must consider when they manage risk.’


Essential reading

Figure 6.4 in Hopkin (page 65) shows how ISO 31000 portrays establishing the

context as the first stage in the risk management process. Go on to read the

material on ‘Establishing the context’ in Hopkin Chapter 7 (pages 81–83).

Hopkin argues that there are three components of context: the external

environment, the internal environment and the organisation’s risk management

context.

The external context includes:

the social and cultural, political, legal, regulatory, financial,

technological, economic, natural and competitive environment,

whether international, national, regional or local

the industry, products, markets, competitors, suppliers, customers,

logistics and the regions and countries of operation

key drivers and trends impacting on the objectives of the organisation

relationships with, and the perceptions and values of, external

stakeholders

The internal context relates to the organisation’s structure, objectives, policies,

strategies, processes, culture and the values of its people. It includes:

the organisation’s divisions, departments, structures, systems, processes

and accountability, cultures, leadership, strengths and weaknesses

internal stakeholders – staff, managers and the board

its approach to corporate governance, its resources, competencies and

capabilities, its culture, and the ways it conducts itself

factors that influence how the organisation will try to set and achieve its

objectives, which of course is the primary aim of risk management

The risk management context typically involves the context in which the risk

management process must operate, which can be described using the RASP

acronym. Included in this element of context is something called the ‘risk

appetite’: a very important idea around deciding upon an acceptable level of risk

for the organisation.

Figure 3.1 summarises these points and starts to link them to the next stage of

the risk management process, that of risk assessment.

Figure 3.1: Establishing the context

Activity 3.5

1 For your own organisation, which important factors in the wider world (external

context) influence how you do things?

2 And which important factors within the organisation (internal context) influence

the way your organisation works?


Essential reading

Read The Orange Book (HM Treasury, 2004: 39). Can you see how the

description of ‘context’ has been limited to external context only, which we

covered in Section 3.4 above? This difference in meaning can be a source of

confusion to people. It demonstrates how important it is to communicate clearly

to everyone the meanings of the elements of your organisation’s risk

management activities.

Activity 3.6

1 Suggest 2–3 benefits of establishing the context for risk management.

2 Identify one method you could use to assess the benefits of an investment in

ERM.

In the further reading section at the end of this unit, you will find some examples

of establishing the context for risk management.

3.5 Objective setting

The setting of objectives is arguably one of the most important elements of the

context for risk management, especially since it goes to the heart of ISO 31000’s

definition of risk.

Indeed, the COSO ERM (2004: 3) states:

‘Objectives must exist before management can identify potential events

affecting their achievement. Enterprise risk management ensures that

management has in place a process to set objectives and that the chosen

objectives support and align with the entity’s mission and are consistent

with its risk appetite.’


That is why the IRM (2002) standard describes the context as being all about

setting the organisation’s strategic objectives.

Essential reading

Briefly go back to Hopkin (pages 23–4) to remind yourself what Hopkin says

about objective setting as part of his attachment of risks theory.

There are a number of reasons why setting business objectives can be hard.

Indeed, some people argue that the objective-setting process can itself be either

a source of risk (if done wrong) or a tool to treat risk (if done right).

First, even if the organisation can agree on its strategic mission, it can be

much harder to choose a range of suitable objectives that support the

mission. When setting objectives, organisations have to balance the

conflicting expectations of a range of stakeholders, and this might be very

hard to do. The result can be a range of compromises or potentially

conflicting objectives.

Second, the organisation’s strategies and objectives need to be

continuously questioned because the internal and external context of an

organisation is constantly changing. So what is a sensible mission today

could become obsolete tomorrow.

Third, if there is an inappropriate strategic mission, or if the mission is not

clear and understood at all levels of your organisation, and if that mission

is not effectively cascaded down through the organisation in supportive

tactical and operational objectives then, with the best of will, people are

likely to interpret the mission in different ways and the result is likely to be

anarchy and disorganisation.

Fourth, an organisation might issue a range of objectives to its staff, but if

these objectives are not fully accepted by those people charged to deliver

them, then you can already see risks arising even in the objective-setting

process – the formal objectives might be at variance with the informal

objectives.


Fifth, an organisation can reduce its risk exposures, at least in the short

term, if it sets easy-to-achieve objectives, but is likely to increase its

exposures if it sets its objectives as being over-ambitious.

Ultimately then, any risk management activity that supports wrong, unclear or

vague objectives might lead to excellent management of the wrong risks. A

poorly executed objective-setting process can, in itself, be a source of risk.

Figure 3.2 below suggests that objectives can be set at different levels within the

organisation:

In the first instance, organisations must set the overall, organisation-wide

strategic objectives. Ultimately, all objectives should be supportive of, and

be aligned with, the strategic mission and purpose of the business.

Through the process of delegation, organisations must then agree on

compatible tactical objectives, at the level of departments, divisions or

business units. These will focus on the implementation of strategy, and

these will typically cover timescales of around one to three years.

Finally, the tactical objectives will be further delegated into the operational

objectives of teams and even individual personnel, covering a much

shorter period of time ranging typically from days to months.

Figure 3.2: The three levels of objective setting


There is a relationship between this three-level objective-setting model and the

three broad categories of risk (opportunity or mainly strategic risks; control or

mainly tactical risks; and hazard or mainly operational risks) in Unit 1.

Learning activity 3.7

Gather information on your organisation’s strategic mission and its strategic

objectives (you might be able to gather this information from the annual report).

Try to identify possible inconsistencies between the set of strategic objectives

that you gather by identifying how the business could achieve one objective at

the expense of another.

RISK IN THE REAL WORLD

The survey which we introduced in the further reading for unit 1

(Accenture, 2011), showed that most large organisations

around the developed world had already invested in, or were

actively developing, an ERM framework and process for their

business. It showed that this was primarily due to an increased

expectation, from both within and outside the organisation, that

risks are managed well in order to provide reasonable

assurance of the achievement of objectives.

Although the Accenture survey showed that there has been

improvement in all areas (page 5), the maturity levels were not

as high as hoped for (pages 28–9) and the benefits of the ERM

investment seemed rather elusive (pages 30–1). We should

not forget, however, that this report was presented not long

after the financial crisis, at a time when several commentators

considered that risk frameworks had failed to prevent the crisis

from occurring.

Learning activity 3.8

Think of some possible barriers to the implementation of an ERM approach. For

each barrier try to suggest a way in which the risk manager can overcome them.


Self-assessment questions

1 Which of the following definitions best describes the term ‘control activities’

in the COSO ERM framework?

a) Identifying internal and external events affecting achievement of

objectives

b) Analysing risks, their likelihood and impact

c) Establishing policies and procedures

2 The full implementation of ERM in a large business is likely to be measured

in terms of which one of the following periods?

a) Up to one year

b) one year to three years

c) More than three years

3 Which of these is part of the risk management context, as opposed to the

external or internal contexts?

a) The regulatory framework

b) The risk appetite

c) The competitors, suppliers and customers

Further reading

Enterprise risk management

IRM’s ORC (2014) has a range of publications on the subject of ERM, including

tips, difficulties, surveys and new developments.

We mentioned that credit rating agencies are now doing assessments of the

ERM maturity of businesses as part of their input into how they score an

organisation’s credit worthiness. The example given of Standard and Poor’s

(2013) shows how Standard and Poor’s do their ERM assessment within the

insurance sector.


This Chartered Professional Accountants Canada paper (Caldwell, 2012)

provides a fairly extensive guide on the role of the board of directors in ERM.

It includes discussion about the board’s role in the implementation of ERM and

also some discussion on the context of risk management, which it limits to the

external context.

In 2011, COSO produced its own guide on implementing the COSO ERM called

Embracing Enterprise Risk Management: Practical Approaches for Getting

Started, which you may be interested in reviewing (COSO, 2011).

A Harvard Business Review document by Mikes and Kaplan (2014), is all about

a contingency theory of ERM. The lesson from the paper is that to implement

ERM you need to know much about two things: the technical aspects of risk

management and your organisation. The true skill of the ERM implementer is to

be able to blend technical knowledge with organisational knowledge.

ERM context

A useful further reading around the context of risk management, ‘Establish

Context’, is from RISK.COM.AU (undated). It provides a simple bullet point list for

each of the three context categories.

A third brief but thought-provoking article is ‘Really Different’ by Riskviews

(2010). It explores the idea that an organisation’s internal and external risk

context can be subject to violent change at very short notice and suggests the

transition to the financial crisis in 2007–8 is an example of such a violent

transition.


Feedback to activities

Activity 3.1

1 You can obtain a definition from a number of places in the main Hopkin text.

See for example Hopkin (pages 44 and 207). The latter has a full table with four

different definitions.

2 We saw in unit 1 how traditional approaches were around the development of

specialisms, such as insurance, health and safety and financial risk

management; in other words risk was managed in ‘silos’, often mapped to

individual departments of a business and there was little commonality of systems

and terminologies between them. ERM seeks to overcome this silo-based

approach by what we call a ‘holistic’ approach that is driven from the top (or

board level) of the organisation and embedded down and throughout the rest of

the enterprise. For further details see Hopkin (pages 44 and 201–3).

Activity 3.2

1 This goes to the heart of ERM in that risk management starts at the top of the

organisation, by the management of entity-wide risks and then the same

methodology spreads from there down and across the enterprise. These entity-

wide risks might well be the strategic types of risk that if they occur will impact

upon the whole of the organisation. Read more about this in the COSO ERM

reading and you will see how often the word entity is referred to.

2 To answer this question you might wish to track the potential consequences of

one department’s list of risks to see how they could translate into consequences in

other departments. This activity of mapping the consequences of a single risk is

the only way to determine its enterprise-level severity. Mapping the

consequences of risk is something we will look at in detail in unit 4.

Activity 3.3

Some of the major influences might be: (i) laws and regulations, (ii) cultures in

both the country and sector, (iii) competitor behaviour and (iv) the influences of

powerful stakeholders. Some of the restraining factors might include: (i)

knowledge and the lack of it, (ii) cultures in both the country and sector, (iii)

competitor behaviour and of course (iv) costs.

Activity 3.4

The first stage of the Airmic, Alarm, IRM (2010) ‘planning and designing’ clearly

relates to ‘design of framework’ in ISO 31000 clause 4, ‘scoping’ the

implementation project to cover all activities of the business and clarifying the

risk management framework. Both standards also require a board mandate in

the first stage in the process.

The second stage ‘implementing and benchmarking’ concerns itself with the

main stages of the risk management process. There are parallels with ISO

31000’s ‘implement risk management’. Key to this stage is recording the risk

assessments in the risk register and embedding risk management within the

organisation. We will discuss these ideas further in module 2.

The third stage ‘measuring and monitoring’ mirrors ISO 31000’s ‘monitor and

review framework’.

The fourth stage focuses on learning from the implementation and further

developing ERM. The risk professional should always be asking: ‘How can we

improve our risk management activities?’ They can develop methods for routine

and non-routine reporting and looking for deficiencies or inefficiencies from which

an organisation can learn to better manage risk. This stage reflects the ‘improve

framework’ in the final stage of ISO 31000’s clause 4.


Activity 3.5

You could possibly divide the organisation’s ‘world’ (or the external context) into

two dimensions. First, there is the inner world, which deals with the

organisation’s competitive environment and includes the organisation’s

competitors, suppliers and customers. Second, there is the outer world, which

deals with wider macro subjects such as the economic, technological, ethical and

legal trends in the wider society in which the organisation operates.

The internal context is likely to include your organisation’s structures, cultures,

the views and behaviours of the board of directors and the relative internal

strengths and weaknesses that your organisation has.

We will look at sources of risks from the external context and the internal

environment in the next unit.

Activity 3.6

Establishing the context of the risk management process should help to justify

the resources needed for risk management. The context of the risk management

process can help define the objectives, scope, responsibilities and resources for

risk management. It can also help to identify methodologies to be used and how

risk management performance will be evaluated.

You can find the advantages of an ERM approach by the use of the FIRM

scorecard in table 19.3 in Hopkin (page 209). But we must emphasise that the

organisation can only realise these advantages if the framework is working as it’s

intended to work. A tool to measure the good principles of a risk management

approach is the PACED acronym.

One method you could adopt is to take the benefits from table 19.3 in Hopkin

(page 209) and identify performance measures to mirror your expectations. For

example, on the reputational measure you could undertake a questionnaire of

stakeholders to get their views on their perceptions of the organisation, say one

year after implementing an ERM framework.


Activity 3.7

Try to identify possible inconsistencies between the set of strategic objectives

that you gather by identifying how the business could achieve one objective at

the expense of another. Where objectives conflict, there is the risk that the

overall strategic purpose of the business might be at peril. In that sense, it could

be described as the first stage of the risk identification activity, which we will

discuss in the next unit.

Bear in mind as well that an organisation’s mission statement is often too broad

or undefined to facilitate assessing risks to their achievement. The core strategic,

tactical and operational objectives and processes are established to deliver the

mission statement, but even these objectives may still be at a high level and risks

might not be easy to identify. When objectives have been defined, actions to

achieve them need to be set, and these should have specific targets against

which risks can be assessed.

Activity 3.8

Table 36.2 in Hopkin (page 389) provides a set of the barriers, but also

suggestions on how to overcome them. It is likely that when your organisation

developed its risk management approach it would have experienced all of these

problems to a lesser or greater extent.

You may also like to read the BBC News article ‘Rock risks “were not

foreseeable”’ (BBC News, 2007). Are there unforeseeable risks in your

organisation? How can you adapt your ERM framework to detect risks which are

very hard to foresee, but which could kill your business?

Answers to self-assessment questions

1-c

2-c (Shortreed (2010) mentions a period of three to five years)

3-b

Unit 4 Risk assessment 1:

introduction and identification

Unit learning outcome

After studying this unit, you should be able to:

Examine the main approaches to risk identification

Unit contents and section learning outcomes

4.1 Risk assessment considerations…49 – Describe the critical importance of risk assessment, outlining the range of techniques that are available and the advantages and disadvantages of each one

4.2 Risk causes (sources) and consequences…56 – Explain the life cycle of risk, including causes, the risk event itself and the consequences, along with some of the tools for identifying and managing causes and consequences

4.3 Risk classification systems…60 – Describe the importance of risk identification, including the key features of the best established risk classification systems

Resources

You should make sure you have access to the following resources before starting this unit:

Hopkin (2014), chapters 13 and 14

The Orange Book (HM Treasury, 2004), chapter 3

‘StrategicRISK 2012 Risk Report’ (StrategicRISK, 2012)

‘Risk Management: It’s Not Rocket Science – It’s Much More Complicated’ (Adams, 2007)

Introduction

This unit is the first of two on risk assessment – a key element of the process of

enterprise wide risk management. In the unit we introduce the wide-ranging

UNIT 4 | RISK ASSESSMENT 1: INTRODUCTION AND IDENTIFICATION


subject of risk assessment before going on to deal with the first ISO 31000

element of risk assessment, risk identification. In unit 5, we will cover the other

two ISO 31000 elements of risk assessment: risk analysis and risk evaluation.

As in unit 3, we will be using the ISO 31000 standard as the basis of our work

and we will do this for the remainder of the module, although we will refer to

other standards too, especially the COSO ERM and The Orange Book.

4.1 Risk assessment considerations

ISO 31000 states that establishing the context, which includes setting objectives

and developing a risk appetite, is the first stage of the risk management process.

Risk assessment is the next stage and it is vitally important.

The ISO 31000 standard identifies three components of risk assessment – identification, analysis and evaluation – which IRM neatly summarises (Fundamentals of Risk Management (FoRM) 2013) as:

Risk identification:
o What might happen (the event)?

Risk analysis:
o How likely is it to happen?
o If it does, what might the impact be?

Risk evaluation:
o So what?
o Is it within our risk appetite and tolerance?

For the moment, do not worry about the meaning of any of these terms, as we will cover each of them in detail during this unit and the next.

COSO ERM (2004) and chapter 2 in The Orange Book (HM Treasury, 2004) tackle risk assessment in slightly different ways – Table 4.1 below looks at them side by side.

In Table 4.1 the elements in bold text are those which relate to risk assessment. The third and fourth elements in the COSO process are ‘event identification’ and ‘risk assessment’ – the latter is similar to ISO 31000’s ‘risk analysis’ and ‘risk evaluation’. Similarly, on page 13 of The Orange Book the relevant elements are similar to those of COSO ERM; namely ‘identifying risks’ and ‘analysing risks’.

Table 4.1: Reconciling risk assessment across three risk management processes

| ISO 31000 | COSO ERM | The Orange Book |
|---|---|---|
| Setting the context | Internal environment | Identifying risks |
| Risk identification | Objective setting | Assessing risks |
| Risk analysis | Event identification | Addressing risks |
| Risk evaluation | Risk assessment | Reviewing risks |
| Risk treatment | Risk response | Communication and learning |
| Communication and consultation | Control activities | |
| Monitoring and review | Information and communication | |
| | Monitoring | |

Risk assessment is a relevant process for the three layers of risks that we introduced in Unit 1: strategic, tactical and operational.

There are two approaches to risk assessment:

• Top-down: the first approach is to start risk assessment with the board and then work down the organisation – this method will tend to start with a focus on strategic objectives and strategic risks, especially external risks. It has the advantage of gaining top management commitment, but it has the danger of superficiality, especially with deeper causes of risk.

• Bottom-up: an alternative approach is to start from the bottom of the organisation and work upwards – this method will tend to start with a focus on operational objectives and risks, especially internal risks. But it could have the disadvantage of individuals having a very local view of risk. Risk professionals call this a ‘silo-based’ approach, which may not reveal the interconnectedness of risks throughout the organisation. It might also be distorted by a range of different perceptions of risk by the people involved.

Of course, a possible third option, which deals with the potential disadvantages of each approach as set out in Tables 4.2 and 4.3 below, is a combined approach: running bottom-up and top-down together and perhaps meeting somewhere in the middle.

Table 4.2: Top-down risk assessment

Advantages:
• A top-down assessment is likely to result in an enterprise-wide approach – the risks at the top will have impacts throughout the business
• The most significant strategic risks can be captured quickly
• Shows risk management buy-in from the top of the enterprise, resulting in a cascaded acceptance of risk management activities at all levels
• Since it originates from a single point, it results in a high chance of methodological consistency here and in other parts of the enterprise
• Since it originates from a single point, it should result in a manageable number of risks and the process of assessment should be quick and less costly

Disadvantages:
• Overly focused on external risks
• Little awareness of internal operational risks and in particular links and interdependencies of risks within the business
• Danger that the approach becomes too superficial
• Danger that new risks emerging from the operational activities of the business might not be seen by senior management

Table 4.3: Bottom-up risk assessment

Advantages:
• Significant buy-in at all levels of the enterprise
• Can be mirrored to an existing organisation chart
• Operational staff have great awareness of their local risks, including the causes of those risks, which might elude higher levels of management
• Methodology can be varied according to local norms and culture (useful for an international approach)
• If led by a risk professional, risk impacts beyond the immediate impacts in the operational area can be mapped out

Disadvantages:
• Little focus on external risks or strategic risks
• Very detailed and time consuming to assess risks. May demotivate as it will take longer to get overall enterprise results, resulting in a perceived low cost-benefit outcome
• Danger that the approach becomes too detailed and blinkered, resulting in a silo approach to risk assessment
• Danger that new risks emerging from the operational activities of the business might not be recognised or reported by operational staff

Who should assess the risks? The manager responsible for delivering an objective should assess the risks that impact on his or her range of responsibilities, but a range of general or specialist risk professionals can help that manager. Module 2 deals with risk management responsibilities.

Essential reading

Read the first three parts of Hopkin chapter 13 (pages 141–5). ‘The importance of risk assessment’ defines the subject and ‘Approaches to risk assessment’ begins a discussion of the practical applications of risk assessment. ‘Risk assessment techniques’ is the most important part of the chapter because it explains more practical techniques that organisations can use for risk assessment.

Risk assessment techniques

There are four well-established techniques for risk assessment – for identifying risks, for deciding on the severity of the risks (risk analysis) and deciding on whether the risks need to be treated (risk evaluation). These are (1) checklists and questionnaires; (2) workshops and brainstorming; (3) inspections and audits; and (4) flowcharts and dependency analysis.

Depending on organisational cultures, structures, industries and locations of operation, some methods will be more suitable than others.

This list of four techniques is by no means a complete list of risk assessment techniques; for other examples of such techniques please see the further reading listed in unit 4 of the study guide.

Some techniques are more suited to a quantitative analysis of risks, while others are more suited to a qualitative analysis. We shall address the topic of risk analysis in Unit 5, and so at present you do not need to understand the differences.

The fourth part of Hopkin chapter 13 is titled ‘Nature of the risk matrix’. It introduces the techniques for recording the severity of a risk, by way of risk likelihood and risk impact measures, which we collectively call risk analysis.

Essential reading

For the moment we recommend just a skim read of this fourth part of Hopkin on the risk matrix (pages 145–7). For the present, disregard tables 13.3 and 13.4 because we will cover this content in much more detail in unit 5, along with describing terms such as ‘risk map’, ‘risk matrix’ and ‘test for significance’.

Activity 4.1

What risk assessment techniques does your organisation use to identify its risks (Hopkin, 2014: chapter 13, starting on page 141)? How does that compare with the way you identify risks in your specific team?

Risk perception

When we assess a risk it is tempting to assume that people have full information about the risk, and can use that information rationally and optimally in order to do their assessment correctly. However, each individual is unique, and each person involved in the risk management process will have different views or perceptions of risk.

Risk has both an objective reality (a likelihood that it will rain tomorrow or it will not) and what might be called a subjective reality (the human perception of the risk, shaped by psychological factors, cultural factors and other intangibles) that may lead people to under- or over-state the severity of risk.

Different perceptions of risk might exist at different levels of seniority of the organisation – the board may be less aware of operational risk at shop floor level while shop floor workers may be less aware of strategic risks at the entity level.

Furthermore, individual risk perceptions are likely to change over time and through experience.

Activity 4.2

Try to think of an unexpected event that affected you badly – for example a street robbery, or a sudden unexpected major loss.

a How did it change your view of the world in terms of your own risk identification, analysis and controls?

b Following the event, do you feel that the future likelihood of the event changed, or was it just your perception of a repetition of the event that had changed?

Differing risk perception is important because problems can occur in the identification of risks, where some risks might be missed, while other irrelevant risks might be captured. Some of the issues around different risk perceptions are as follows:

• People have different perceptions of what a risk is and how a risk can manifest itself (risk identification).
• People might hide risks or present false risks for their own self-interest rather than for the benefit of the organisation’s risk management activities (risk identification).
• People have different views of the likelihood of a specific risk occurring (risk analysis).
• People have different knowledge of how, and how severely, a risk can impact (risk analysis).
• People may deliberately understate or overstate risk severity for their own self-interest rather than for the benefit of the organisation’s risk management activities (risk analysis).
• People have different views of what level of risk is acceptable (risk evaluation).
• Misperception of risk results in incorrect or inconsistent data being collected in order to fully assess and correctly treat risks.
• Some risks are true ‘unknown unknowns’ and cannot be directly perceived or identified through scientific method.

The subject of differing risk perceptions implies that the way individuals assess their risk world is likely to be very inconsistent. No two people will have exactly the same view and no one will have a completely objective and accurate view of risks because their perception will influence their judgement. There are two real dangers that may result:

• Organisations are likely to manage the same risks very inconsistently, depending on the individual who must manage that risk, thus increasing the overall organisational uncertainty.
• Risk managers could seek to achieve greater kudos among their stakeholders by focusing their efforts on helping to manage the stakeholders’ fears over what they perceive to be the most significant risks rather than what are actually the most significant risks.

Essential reading

Read the fifth part of Hopkin chapter 13 (pages 147–8) on ‘Risk perception’. Hopkin states that, because it is people who undertake risk assessment, each person will have different perceptions of the risks they face and that can result in inconsistencies.

Skim read the sixth and final part of Hopkin chapter 13 (pages 149–51) called ‘Attitude to risk’. You need only do a skim read because in unit 5 we will review Hopkin chapter 20, which describes the subject in detail.

There are further reading sources on the subject of risk perception at the end of this unit. In particular, the ‘Alarmed and Dangerous’ article in StrategicRISK (April 2011) provides a short discussion of the top ten factors that affect risk perception and how the quantitative aspects of risk assessment can actually lead to a complete misperception of the real level of risk people face.

4.2 Risk causes (sources) and consequences

In this section we look into the causes and consequences of risk events, and their relationships, along with a discussion of the associated difficulties for good risk management.

We begin, in Tables 4.4 and 4.5 below, by comparing good and poor descriptions of risk, and how poor descriptions of risk can lead to difficulties for risk management.

Table 4.4: Examples of good risk descriptions

Risk description: Increased staff turnover in IT services department
Causes:
• Job dissatisfaction
• Lack of training or development opportunities
• Autocratic management style
• Uncompetitive salaries
Consequences:
• Loss of valuable IT knowledge
• Poorer response to IT queries
• Lack of technological development in IT
• Delay in delivery of business objectives

Risk description: Failure to comply with a key section of the Sarbanes Oxley Act 2002
Causes:
• Lack of awareness of the specific provisions
• Lack of a compliance checklist or register
• Lack of funds to develop an acceptable framework of financial controls
Consequences:
• Adverse publicity
• Specific criminal and financial penalties for senior staff
• Large fines on the business
• Loss of shareholder value

Table 4.5: Examples of poor risk descriptions

Risk description: Lack of IT training in the HR department
Causes:
• Lack of funds
• Lack of interest
Consequences:
• Errors in data processing
• Losses of important or confidential data
Why it is a poor risk description: A lack of IT training is a cause of risk (even though it might have an underlying cause itself); the provision of training can be regarded as a control to mitigate the risks of data errors and losses.

Risk description: Fines
Causes:
• A failure to comply with laws and regulations
Consequences:
• Financial losses
• Losses to reputation, especially if it is due to a moral failure
• Maybe loss of access to certain markets
Why it is a poor risk description: Fines are the impact of a risk on the organisation – the risk is one of a failure to comply, because of lack of knowledge or a control failing. Also, this description is very wide, making any specific control hard to specify.

Risk description: A failure to hit our 5% net profit to sales target
Causes:
• Too many to mention
Consequences:
• Redundancies
• Poor share price performance
• Losses to reputation
• Downsizing, market or product withdrawals
Why it is a poor risk description: We have described a consequence rather than a risk. Risk is the effect of uncertainty on objectives. Here we describe the consequence of possibly many uncertainties on an objective.

Identifying risks can help to investigate what can go wrong. However, an investigation into the cause of risk will also help to explain why things can go wrong, how they can go wrong and when they can go wrong. If you can identify why, how and when, in addition to what, you can decide whether:

• your existing risk treatment can manage those risk causes
• you need to change your existing treatment
• you need new or additional treatment controls
• you can or cannot control the risk at all.

Essential reading

Look again at the bottom of page 15 of The Orange Book (HM Treasury, 2004: 15). Using a train journey by way of example, it shows right and wrong ways to identify risks to a set objective. Can you see how some of the so-called ‘risks’ were in fact consequences of events rather than risk events themselves?

Risk consequences

Investigating the consequences of a risk helps us to understand the impact on specific aspects of our organisation such as objectives, core processes, key dependencies and stakeholders; it helps us see where things can go wrong as the result of a negative risk event.

By identifying where risks could occur we can discover the most vulnerable areas of impact and then take actions to protect them. For example, where we have just one supplier for a critical component, we might wish to obtain a second supplier, or where we have one specialist member of staff to cover a key process, we might wish to train another. This is a core element of business continuity planning (BCP), which we shall look at in detail in Section 6.7 of this study guide.

The causes and consequences of risk can also be illustrated using a ‘bow-tie diagram’ (see figure 4.1 below). The centre of the bow-tie is the major event or uncertainty. To the left are the immediate and underlying threats or causes. To the right are the immediate and ultimate consequences.

Figure 4.1: The bow-tie tool

Assembling the diagram helps to focus on the precise nature of each risk and provides a logical basis for analysing the context, causes and consequences. Control measures acting on specific causes or consequences can then also be clearly identified and evaluated.

The bow-tie tool also allows us to:

• Take risk causes and consequences not just to one level but (in the case of figure 4.1 above) to two levels.
• Plot several contributory causes for one risk and show one risk as having several consequences.

This second point is a sound argument for an ERM approach, because it requires us to look at the causes of the risks from all aspects of the enterprise and similarly to map enterprise-wide consequences.
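As an added example (not code from the study guide or from Hopkin), the bow-tie structure described above modelled in Python for the Table 4.4 staff-turnover risk: immediate and underlying causes on the left, immediate and ultimate consequences on the right, and controls attached to the specific node they act on. The second-level items and the control measures are constructed assumptions; the functions report which cause or consequence paths have no control acting on them at any level.

```python
"""Bow-tie model of a single risk: causes on the left, consequences on the
right, with control measures attached to the specific cause or consequence
they act on. Added example for this unit; not code from IRM, Hopkin or the
study guide. The risk, immediate causes and immediate consequences come from
Table 4.4; the second-level items and the controls are constructed."""
from dataclasses import dataclass, field


@dataclass
class Node:
    """One cause or consequence. `children` is the next level outward from the
    event: underlying causes for a cause, ultimate consequences for a consequence."""
    name: str
    children: list["Node"] = field(default_factory=list)
    controls: list[str] = field(default_factory=list)  # measures acting on this node


@dataclass
class BowTie:
    event: str                # the knot of the bow-tie
    causes: list[Node]        # left-hand side, immediate causes
    consequences: list[Node]  # right-hand side, immediate consequences


def _walk(node, trail, covered):
    """Depth-first walk outward from the event. Yields (path, covered) for every
    leaf, where `path` runs from the immediate node outward and `covered` is
    True if any node on the path carries a control."""
    covered = covered or bool(node.controls)
    trail = trail + [node.name]
    if not node.children:
        yield trail, covered
    for child in node.children:
        yield from _walk(child, trail, covered)


def unmitigated(nodes):
    """Paths on one side of the bow-tie with no control anywhere along them."""
    return [path for n in nodes for path, ok in _walk(n, [], False) if not ok]


def depth(nodes):
    """Number of levels on one side (1 = immediate only, 2 = immediate + underlying)."""
    return max((len(path) for n in nodes for path, _ in _walk(n, [], False)), default=0)


def list_controls(bt):
    """All controls, labelled by the side of the bow-tie they act on."""
    out = {"preventive": [], "mitigating": []}
    for side, nodes in (("preventive", bt.causes), ("mitigating", bt.consequences)):
        stack = list(nodes)
        while stack:
            n = stack.pop()
            out[side] += [(c, n.name) for c in n.controls]
            stack.extend(n.children)
        out[side].sort()
    return out


# Constructed bow-tie for the Table 4.4 risk; second-level items and controls
# are illustrative assumptions, not taken from the guide.
IT_TURNOVER = BowTie(
    event="Increased staff turnover in IT services department",
    causes=[
        Node("Job dissatisfaction"),
        Node("Lack of training or development opportunities",
             children=[Node("No training budget allocated")],
             controls=["Personal development plans reviewed quarterly"]),
        Node("Autocratic management style"),
        Node("Uncompetitive salaries",
             children=[Node("Pay benchmarking not performed")],
             controls=["Annual salary benchmarking against market"]),
    ],
    consequences=[
        Node("Loss of valuable IT knowledge",
             children=[Node("Security configurations undocumented and drift")],
             controls=["Runbooks and configuration held in a shared knowledge base"]),
        Node("Poorer response to IT queries",
             children=[Node("Business users adopt unapproved workarounds")]),
        Node("Lack of technological development in IT"),
        Node("Delay in delivery of business objectives"),
    ],
)


if __name__ == "__main__":
    print("Event:", IT_TURNOVER.event)
    print("Levels: causes", depth(IT_TURNOVER.causes),
          "consequences", depth(IT_TURNOVER.consequences))
    for side, nodes in (("cause", IT_TURNOVER.causes),
                        ("consequence", IT_TURNOVER.consequences)):
        for path in unmitigated(nodes):
            print(f"No control on {side} path: " + " -> ".join(path))
    for side, items in list_controls(IT_TURNOVER).items():
        for control, target in items:
            print(f"{side}: {control!r} acts on {target!r}")
```

Paths reported by `unmitigated` are where a new or additional treatment control would be needed; a control on an immediate cause is taken to cover the underlying causes beneath it.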


Essential reading

Look at what Hopkin says about the ‘Bow tie representation of risk management’ in Chapter 4 (pages 47–48).

Activity 4.3

Using the diagram on page 48 in Hopkin, try to identify a second level cause of each of the two risk sources on the diagram. And what might be a second level consequence for each of the three consequences on the diagram?

There are other tools, such as flowcharting and fishbone analysis, that we can adopt for helping us understand causes and consequences of risk and we include some references for further reading at the end of the unit. Flowcharting, for example, is especially useful for project risk management in that it can help identify critical project paths, or process bottlenecks, where the organisation is especially vulnerable.

Activity 4.4

You are studying for IRM’s International Diploma in Enterprise Risk Management.

a Identify three risks which could impact on your objective to gain that qualification.

b Identify two causes for each of the three risks that you identify.

Undertaking a full cause and consequence analysis of risks can take a very long time, as you could probably identify hundreds and maybe thousands of risks facing your organisation, all of different severities. It is therefore often advisable to start this investigative work by first focusing on what you think are the most important (severe) risks and afterwards extending your investigations to the many less important risks. An advanced risk management information system can also help us to map causes and consequences for the whole enterprise.

Activity 4.5

Try to map out the consequences of a risk, in your area of responsibility, in which the consequences of your risk go beyond your area of responsibility, impacting say on another department.

How might you manage the consequences of this risk?

4.3 Risk classification systems

In this section, we look at identifying and classifying risks. We start by defining ‘risk identification’ and explaining its purpose. We then review several risk classification systems, including the FIRM risk scorecard and COSO categories.

Identifying risks

The COSO ERM (2004: 4) describes the ‘event identification’ activity as follows:

‘Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channelled back to management’s strategy or objective-setting processes.’

Meanwhile IRM (2002: 5) says:

‘Risk identification should be approached in a methodical way to ensure that all significant activities within the organisation have been identified and all the risks flowing from these activities defined. All associated volatility related to these activities should be identified and categorised.’

We could also utilise a definition of risk identification from the Chartered Institute of Internal Auditors (CIIA, 2005: 25) as follows:

‘The process of determining what events might occur to affect the objectives of the organisation and their root causes’.

In one way, the CIIA viewpoint is too simple, because we should also consider events that might impact on key dependencies, core processes, and stakeholders as well as ‘objectives’.

Risk identification is a really important part of risk management. Some might say it’s the most important part, since if you fail to identify your risks, then your risk management process will stop there. You cannot treat risks if you do not first know your risks. In fact, even if you can get staff to identify their risks and do no more than that, it means they will subconsciously be starting to prepare for those risks, which will automatically reduce their severity.

The aim of risk identification, within a risk management process, is to generate a comprehensive list of risks from the events/uncertainties that might negatively impact or enhance the achievement of objectives. If a risk is not identified, then there is no opportunity of doing anything to prevent or mitigate it.

We often identify risks consciously, for example through some of the risk assessment techniques discussed above. But we can also identify risks subconsciously. For example, when we drive a car we are constantly looking out of the window to identify and respond to risks, without even realising it. Adams (2007) calls this a ‘directly perceived’ risk.

Here are some of the reasons why organisations choose to classify risks. Risk classification:

• Provides structure to the process of risk identification, which can facilitate the identification of more risks – for example, by delegates in a risk management workshop – than would be the case if a risk classification does not exist.
• Helps with the development of consistent risk terminologies across the organisation, which is essential for ERM to work.
• Enables the organisation to collect together similar risk types throughout the organisation, which can:
o enhance organisation knowledge
o assign responsibilities for specific types of risk
o estimate total exposure to risk by type of risk using the expertise of relevant professionals for each risk type
o help to determine the level of risk by type that can be accepted by the organisation
o enable a bundling together of risks for similar treatment – such as single insurance policies for one type of risk – which can increase the efficiency of risk management

Most of Hopkin chapter 14 focuses on a range of models for classifying risks and we will look at these in turn.

Short-, medium- and long-term risks

Risks can be classified as short-, medium- and long-term:

• Short-term risks, associated with operations – in other words, those risks with an immediate impact, primarily on operational activities.
• Medium-term risks, associated with tactics – in other words, those risks whose impact becomes apparent between a few months and a year.
• Long-term risks, associated with strategy – in other words, those impacting between one and five years after the event.

Essential reading

Read the first two parts of Hopkin chapter 14 (pages 152–4) called ‘Short, medium and long-term risks’ and ‘Nature of risk classification systems’.

RISK IN THE REAL WORLD: The box in Hopkin on page 151 shows how we can identify a small selection of risks for the three levels of impact timescale when buying a car.

As Hopkin suggests, several different classification systems are well established, including the COSO ERM top face, the FIRM risk scorecard and PESTLE.

The FIRM risk scorecard

The FIRM scorecard classifies risks as Financial, Infrastructure, Reputational and Marketplace. This model can also be used as a tool to determine the organisation’s objectives, consequences of risks and sources of risk. We have already referred to the FIRM acronym in Section 3.3 of this study guide, and we will continue to apply it from time to time in later units.

A second dimension within FIRM is to classify risks that are derived:

• Internally, from within the business (for example, staff fraud), which can be seen as the financial and infrastructural risks. The source of internal risk is the internal context.
• Externally, from outside the business (for example, exchange rate variability), which can be seen as reputational and marketplace risks. The source of this risk is the external context.

Identification should include risks where the source may or may not be under the control of the organisation. External risks are more frequently overlooked than internal risks – generally people know the internal workings of their organisations well, so there are fewer surprises from them.

Meanwhile IRM (2002: section 2.1) outlines the types of risk as financial, strategic, operational and hazard, and then superimposes a second dimension according to whether risks are internally or externally driven.

Another way to look at FIRM and the IRM Risk Management Standard classification is to regard them as very high-level classifications of risk, which could then be disaggregated into subcategories. For example, the financial class of risk could be disaggregated into the following subclasses:

• treasury risks
• sales management risks
• purchase management risks
• payroll risks
• financial reporting risks
• financial forecasting risks

These could then be broken down further into sub-subcategories. So for example, purchase risks could include supplier risks, payment risks, delivery risks, authorisation risks and so on.

PESTLE

PESTLE is a risk classification system for classifying risks from the organisation’s external context. The PESTLE risk classification system varies between authors, but typically is used to represent political, economic, social, technological, legal and environmental (or sometimes ethical) risks.

Essential reading

Read the third, fourth and fifth parts of Hopkin chapter 14 (pages 154–9), ‘Examples of risk classification systems’, ‘FIRM risk scorecard’ and ‘PESTLE risk classification systems’. Then look further ahead to Hopkin’s table 17.2 (pages 183–5) which presents a full range of risks for each of the four FIRM categories.

RISK IN THE REAL WORLD: Have a look at the case study on page 137 of Hopkin, which shows how Australian Mines Limited identify and classify risks.

Hazard, control and opportunity risks

Essential reading

Read the last part of Hopkin’s chapter 14 (pages 159–61), on ‘Hazard, control and opportunity risks’.

It is in practice possible to build a three-dimensional classification model, where:

• The first dimension is type – in terms of hazard–control–opportunity (or operational–tactical–strategic).
• The second dimension is the timescale of the impact.
• The third dimension is the external/internal dimension.

Figure 4.2 below shows how such a classification model can look.

Although it has not been suggested by research, ultimately we could envisage a multi-dimensional model to classify risks, making it very complicated indeed. Implicitly, such an approach might well exist in some organisations, although one thing we can conclude is that each organisation will have its own best way of classifying its risks.

Figure 4.2: Risk identification: applying different lenses

Risk identification can also be:

• Forward looking: To try and identify what could happen. This typically involves brainstorming workshops to develop a list of risks. Such a workshop should consider possible causes and scenarios that show what consequences could occur. All significant causes and consequences for each risk should be considered. To ensure, as far as possible, that risks are not missed, it is important that people involved in the process have the necessary mix of knowledge and experience.
• Historic: Looking at what has happened as a means of identifying what could happen and how likely it is. Analysis of accidents over time is a good example of this. The danger of historic analysis, however, comes from confining it to too short a time period. Volcanoes, for instance, may only erupt once every 100 or 200 years so an analysis focused solely on the recent past would ignore this.

Other risk classification systems

There are many other risk classification systems, which Hopkin does not include. We will not discuss these in any great depth, but if you are interested, or if maybe you are considering running a risk management workshop for your organisation, you could explore them further by accessing the references. We will begin with The Orange Book.

Essential reading

Read chapter 3 of The Orange Book (HM Treasury, 2004: 15–17) which presents a set of three risk classification systems for strategic level objectives, for tactics and for operations. Note the similarities to Hopkin.

You will see that The Orange Book describes a two-stage approach to risk identification: an initial and a continuous stage. The book cautions us that the precise definition of a risk, in a practical sense, can actually be quite confusing; it is something that organisations must overcome by suitable staff training, in order to get a consistent approach across the enterprise.

It concludes that it is important not only to identify present day risks that can impact on objectives, but also to consider future scenarios of risks that might impact a long time into the future.

A second example is the StrategicRISK (2012) report which is an interesting, brief and easy to read report that categorises externally derived risks on the basis of the World Economic Forum – namely economic, geopolitical, environmental, societal and technological risks. It therefore has some similarities with the PESTLE system. Its focus is on future (or emerging rather than existing) risks and so there is a high degree of uncertainty that these risks will occur at all; that if they do occur their future severity is very uncertain; and that their timescale for any impact is also uncertain.

Thirdly, Adams (2007) explains that we can categorise risks three ways: into virtual risks, risks perceived by science and risks perceived directly. It could be argued that we have seen a process of moving from virtual risk to risk perceived through science as a result of the expansion of knowledge of our environment, but that would be mistaken. As we move old risks from the ‘virtual’ form to the ‘perceived through science’ form, new risks are always emerging to fill the pot of virtual risks. One could go further and argue that there is a fourth category of risks: those risks which are yet to be discovered, that one day will enter the pot of virtual risks.

Here are a few more examples of risk classification systems:

Airmic, Alarm, IRM (2010) confirms that ISO 31000 does not classify risks.

But the reading itself does suggest that risk classification systems are

usually based on the division of risks into those related to financial control,

operational efficiency, reputational exposure and commercial activities. It

then provides a range of information (in table 1 on page 5) that an

organisation should collect on each risk identified, which includes

information relating to all aspects of the risk assessment process.

In 2002, Jacqueline Jeynes made an early contribution to classifying risks.

She classified risks into a set of ten, which she called the 10Ps (Jeynes,

2002: 14–49 – you can download a summary). Jeynes then undertook

some research by applying the 10Ps to different organisations and found

that, in different sectors, certain types of risks were much more important

than in others (an idea which is taken up in the first unit of Module 2,

referring to the subject of ‘risk emphasis’).

Another means of classifying risks is the 4Ps approach, categorising

events by people, premises, processes and products. This is a model that

MODULE 1 | PRINCIPLES OF RISK AND RISK MANAGEMENT

68 | © 2016 Institute of Risk Management

can be used to identify risks to the key dependencies of key people, key

premises, key processes and key products.

There are also some especially comprehensive risk classification systems. One

of the most popular of these is the risk wheel which, as you can see from figure

4.3 below, categorises risks into eighteen categories and which, when taking the

lead from the Basel II approach, could be further divided into subcategories.

The risk wheel demonstrates that there is no theoretical limit to the level of detail

in which you can categorise or subcategorise your risks, right down ultimately to

the specific individual risks themselves.

Figure 4.3: The IRM risk wheel

The finance sector classifies risk into market, credit and operational risks; this

system has been partly influenced by the regulatory bodies, such as Basel II,

which further disaggregates operational risk into several subcategories. You

might well find that your organisation has its own specific classification system

that is based on specific needs (such as regulatory guidance) or sector.


We can conclude this section on risk identification with a cautionary quote from

BBC radio in 2010 that it is sometimes best to operate your business in a state of

blissful ignorance:

‘The more we know that risks are out there, the more we worry they will

occur. This leads to total paralysis for fear that these risks will indeed

occur and there’s too much work and not enough money to manage all of

them.’ (BBC Radio 4, Today programme, 28 July 2010)

Essential reading

Skim read StrategicRISK (2012) now to get a flavour of the classification system it uses. It is a brief and easy-to-read report.

Read the Adams (2007) article. It is just three pages long and it explains how

we can categorise risks three ways according to the level of knowledge we

have of a risk.

Further optional readings at the end of this unit show how you can use two

generic risk classifications to categorise risks (a) specific to your sector and (b)

along the value chain of your organisation’s core processes.

Learning activity 4.6

1 Identify three reasons why organisations find it useful to classify risks.

2 List the six risk categories of the PESTLE acronym and identify three advantages and disadvantages of the PESTLE risk classification system.

3 Try to think of three reasons why sometimes we will treat risks without

knowing the underlying causes of that risk.


Self-assessment questions

1 Which of these is an advantage of using questionnaires and checklists for

risk assessment?

a) A consistent structure can guarantee consistency

b) Greater interaction produces more ideas

c) Physical evidence forms the basis of opinion

2 Which of these is an advantage of using flowcharts for risk assessment?

a) A consistent structure can guarantee consistency

b) Greater interaction produces more ideas

c) Analysis produces better understanding of the process

3 A top-down approach to risk assessment is likely to:

a) Provide a good picture of internal risks

b) Gain senior management commitment

c) Gain high levels of staff commitment.

Further reading

Risk assessment techniques

Airmic/Alarm/IRM (2010: 13) illustrates six risk assessment techniques. Hopkin

(table 13.1) lists four but does go on to discuss additional methods that might be

employed and their associated advantages and disadvantages.

Meanwhile IRM (2002), in sections 4.1 and 4.2, identifies a separate set of

techniques for risk identification and risk analysis. The risk analysis techniques

are further divided into techniques for opportunity, control and hazard risks.


Risk identification

IRM’s ORC (IRM 2014) has a range of publications on the subject of risk

identification, if you are interested in gaining a deeper insight.

Risk perception

In the general section on risk assessment, we mentioned how people can

perceive risk in all sorts of different ways. An early research paper by Slovic,

Fischhoff and Lichtenstein (1980) showed how people’s general perception and

fear of risk can be extremely inconsistent. Their initial discussion of earlier

research also shows that perception can be affected both by prior risk

crystallisations and the way the risk events are communicated through the media

and other channels.

Risk causes

Holmquist (2014) is a simple and easy-to-read introduction to risk causes and in particular to how to distinguish between a risk and a cause of risk.

A general reading on root cause analysis, which is a more complex approach than Hopkin’s bow-tie analysis of a kitchen fire on page 48, can be found in Rooney and Vanden Heuvel (2004).

Feedback to activities

Activity 4.1

To help you with this question refer to table 13.1 in Hopkin, and select the

methods that seem to be closest to those you use in your organisation. Are there

any other methods that you could use and would there be any value in

considering those methods? If there is a difference between the methods your team uses and those your organisation uses, try to find out why such differences occur.


Activity 4.2

a) You might find that following the event you re-appraise the likelihood of a repeat event, perceiving that as it’s happened once it could occur again, and because of the unpleasant outcome, you really would not want it to happen.

b) The questions you can ask yourself are: Is your reappraisal of the risk rational or logical? Is the risk any more likely just because it’s happened once before? Taking this idea forward to your professional work, do you think that organisations adopt a similar attitude when a risk event hits them? Often the answer is ‘yes’, and cynics often describe the post-event response as a ‘knee-jerk reaction’.

Activity 4.3

A possible cause of faulty electrical equipment is a lack of routine checking and

maintenance. A possible cause of unattended cooking might be a lack of staff at

necessary times of activities, such as at lunch and dinner time. A possible

consequence of asset destruction is a financial loss to the business caused by

having to replace the assets and from business interruption. Smoke inhalation

could result in the consequence of long-term staff absences and thus affect the

ability of the business to trade. The consequences of accident or injury to staff

might be financial penalties (fines) resulting from a breach of health and safety

regulations and a loss of reputation to the business.

Activity 4.4

Here, we hope you can think of a full set of risks – such as illness, family events

and a lack of time to study – to the less likely events – such as getting lost on the

way to the exam centre or forgetting your pen! You could complete the cause →

risk → consequences analysis by asking yourself what, if you do fail to achieve

the qualifications, could be the consequences for your future career.


Activity 4.5

You can use the bow-tie analysis as a tool to help you map out the

consequences. You will see, in unit 6, that we have specific types of responses

that focus on managing consequences; but since this risk goes beyond your area

of responsibility, it might if possible be best to prevent the risk from occurring as

you can then control all of the consequences.

Activity 4.6

1 Check off your reasons for classifying risks against our list earlier in this

unit.

2 The six categories of the PESTLE risk classification system are political,

economic, social, technological, legal and environmental (or sometimes

ethical) risks. Its big advantage is in identifying external risks; it is less

appropriate for identifying internal risks. Hopkin also provides a list of the

advantages and disadvantages of PESTLE in chapter 14 (pages 158–9).

3 If the cost of investigation is very high then it might simply be too expensive.

If the timescale between the risk event and its impact is very short there

might not be time to investigate the causes. If the severity of the risk is so

great (for example, in the form of a crisis), we cannot delay in trying to

contain the symptoms (we will later define this idea of cost containment) while we discover the causes.

Answers to self-assessment questions

1-a

2-c

3-b

Unit 5 Risk assessment 2: risk

analysis and evaluation

Unit learning outcome

After studying this unit, you should be able to:

Use the main approaches to the analysis and evaluation of risk

Unit contents Section learning outcomes

5.1 Introduction to risk analysis…75

Describe the concept and purpose of risk analysis within the risk management process

5.2 Risk likelihood and impact…77

Consider the two dimensions of likelihood and impact, using a quantitative and qualitative approach to analysing risks

5.3 Risk evaluation and risk appetite …84

Explain the importance of risk appetite as a planning tool in the implementation of a risk management initiative and its interface with operations, projects and strategy

5.4 Loss control…89

Describe the main components of loss control as loss prevention, damage limitation and cost containment, providing practical examples

5.5 Defining the upside of risk…90

Outline the alternative approaches to defining the upside of risk and the application of these approaches to strategy, projects and operations

Resources

You should make sure you have access to the following resources before starting this unit:

Hopkin (2014), chapters 15–17 and 20

The Orange Book (HM Treasury, 2004), chapters 4 and 5

UNIT 5 | RISK ASSESSMENT 2: RISK ANALYSIS AND EVALUATION

© 2016 Institute of Risk Management | 75

Introduction

This unit continues our work on risk assessment. While Unit 4 dealt with the first

ISO 31000 element of risk assessment, risk identification, this unit focuses on the

other two elements: risk analysis and risk evaluation. Figure 6.4 in Hopkin (page

65) shows the ISO 31000 risk management process.

We begin by introducing risk analysis before going on to explore two key aspects

of risk analysis: likelihood and impact. We then go on to discuss risk appetite.

The final sections of the unit examine loss control and the upside of risk. We will

continue to use the ISO 31000 standard as the basis of our work, although we

will refer to other standards too, especially COSO ERM, IRM (2002) and The

Orange Book.

5.1 Introduction to risk analysis

Risk analysis helps us to determine the severity of the risks our organisation

faces by analysing the likelihood of the risk materialising together with the

severity of the impact on the organisation.

ISO defines risk analysis as:

‘… (The) process to comprehend the nature of risk and to determine the level of risk’.

It follows this up with a note to the effect that ‘…risk analysis provides the basis for risk evaluation and decisions about risk treatment’ (ISO 31000, 2009).

There are, of course, a number of other definitions and here is one from the

Chartered Institute of Internal Auditors (CIIA, 2005: 26):

‘The systematic use of available information to determine the likelihood of

specified events occurring and the magnitude of their consequences,

i.e. their impact.’


Airmic, Alarm, IRM (2010) describe the purpose of risk analysis as:

‘The result of the risk analysis can be used to produce a risk profile that

gives a rating of significance to each risk and provides a tool for

prioritising risk treatment efforts. This ranks the relative importance of

each identified risk.’

Meanwhile The Orange Book and the COSO ERM place risk analysis within the

broader subject of risk assessment.

Risks are analysed in order to:

prioritise risks for treatment in terms of their significance

achieve consistent perceptions of significance across the organisation

inform decisions on how scarce resources are allocated

inform decisions about whether to proceed with a new strategy, project, or

investment, and so on.

Risk analysis is not easy: not only do we have to gather the information from

many sources, and use many different methods to gather it, but also we must

process it in a way that generates reliable likelihoods and impacts in order to

determine the severity of a risk and prioritise it for subsequent treatment.

Essential reading

Turn to Chapter 4 of The Orange Book (HM Treasury, 2004). This provides a

useful two-page introduction to the key themes of risk analysis.

RISK IN THE REAL WORLD

In practice there is some evidence that organisations favour the qualitative approach to analysing risks. A 2009 study, by the Institute of Internal Auditing, of 321 chief audit executives in large US listed companies showed that around 70% of the companies used a non-quantified approach to analyse risks. (IIA, 2009: 16)


Activity 5.1

How do you measure risk in your organisation? To what extent do you adopt a

quantitative approach to risk analysis?

5.2 Risk likelihood and impact

Risk analysis focuses in particular on the two dimensions of risk, which are risk likelihood and risk impact. In this section we will look at these in turn,

before going on to discuss the application of a risk matrix, a key risk analysis

tool.

Likelihood, probability and frequency

Likelihood is a term which tries to measure the chances of a specific event

occurring. It captures the expected probability and frequency of an event:

Probability – Likelihood can be expressed numerically as a value between 0 and 1 (or 0% and 100%) used as a probability measurement, such as: ‘There is a 2% chance of rain in the city of Jeddah on any one day during the next month.’

Frequency – Likelihood can also be expressed numerically as a frequency measurement, such as: ‘In just one day in 2005 Hurricane Katrina resulted in a one-in-a-hundred-year flood to New Orleans.’ This frequency measure could be converted to a probability measure as follows: the chance tomorrow of another flood of Hurricane Katrina severity hitting New Orleans is one day in 365 days a year × 100 years, that is one in 36,500, or roughly a 0.003% chance.

Impact, magnitude and consequence

We can either measure impact in a quantitative way (by describing impact in

terms of e.g. financial loss, gain in market share, or number of customers

affected) or in a non-quantitative way (by describing the impact of an event as

e.g. high, medium, low and maybe zero).


Many organisations attempt a composite form – so for example, the high

financial impact might be greater than $1m while a low financial impact might be

less than $1,000.

Some risks such as financial risks (e.g. financial losses and gains) and

marketplace risks (e.g. income or market shares) on the FIRM scorecard are

easier to quantify than infrastructural and reputational risks. We will look further

at the range of criteria used to measure impact in the section below on the

application of a risk matrix.

Module 3 looks in more detail at quantitative approaches to risk analysis.

However it is useful to be aware of some of the misconceptions and half-truths

that can arise from poor quantitative analysis of risk. For example, if likelihood is

quoted as one in two million, does that mean two million years or two million

events? It is essential to specify exactly what the numbers mean.

Activity 5.2

Write a short definition of the term ‘risk analysis’.

Application of a risk matrix

We can use a risk matrix to analyse the likelihood and the impact of a risk. Note

the important point that the design of the matrix, as well as the most suitable risk

scoring system, will depend upon the specific features and needs of the

organisation.

A simple 2 × 2 risk matrix compares two measures for the severity of impact or

magnitude and two measures for the severity of likelihood. This will give us four

risk scores: HH for high impact and high likelihood, HL for high impact and low

likelihood, LH for low impact and high likelihood and finally LL for low impact and

low likelihood.


Essential reading

Figure 1.1 in Hopkin on page 20 shows a 2 × 2 risk matrix.

Then look again at the part of Hopkin chapter 13 on risk matrix (pages 145–7).

His Tables 13.3 and 13.4 give example definitions of likelihood and impact.

Figure 5.1 below shows a 3 × 3 matrix, which uses red, amber, yellow and green

colours to highlight the relative severity of risks. Colour coding is a common way to present a risk matrix; for this reason, risk matrices are sometimes called ‘risk

heat maps’, with red denoting the hot zone, as an indication of danger.

Sometimes people also refer to them as a ‘risk map’ or a ‘RAG diagram’, where

RAG stands for red, amber and green.

Figure 5.1: Risk matrix with multiplied risk scores

Impact
  High {3}        3            6            9
  Medium {2}      2            4            6
  Low {1}         1            2            3
                  Low {1}      Medium {2}   High {3}
                               Likelihood

You populate the risk matrix with your department’s risks as in figure 5.2. As you

can see, the big advantage of a risk matrix is that it is a tool that can visually alert

us to which risks need most attention and that is why it is so popular.


Figure 5.2: Risk matrix with risks plotted

Impact
  High {3}        3                6  Risk 4          9  Risks 9 & 1
  Medium {2}      2  Risk 3        4  Risks 8 & 2     6  Risk 6
  Low {1}         1  Risk 7        2                  3  Risk 5
                  Low {1}          Medium {2}         High {3}
                                   Likelihood

Risks 1 and 9 are the most serious risks on this 3 × 3 matrix because not only is

the impact of these risks high, but also the likelihood of the risks occurring is

high. Meanwhile, risk 7 is the least serious risk because this risk is unlikely to

occur and, even if it does, its impact is expected to be low.

Many people use a 4×4 qualitative classification of likelihood and impact, with 16

potential risk scores, though some organisations may use a 5×5 or 6×6 basis

(with 25 or 36 potential risk scores) – however it rarely goes beyond that

because of the time that would be needed to analyse risks in such great detail.

RISK IN THE REAL WORLD

The colours on the matrix above often relate to the extent that

risks are tolerated. So in some industries, such as in nuclear

energy, where there is less tolerance of risk, anything up to

30% of the matrix could be red. The colours also provide a

guide to expectations over the monitoring and management of

the risks. So, for example, red areas require immediate

responses and constant reporting; yellow or amber might

require slower responses and less frequent reports; while

greens require no responses and reports only if their severity

becomes more serious over time.


It is possible to use alternative criteria for analysing the impact of risk where

there are different types of risk as in tables 5.1 and 5.2 below.

Table 5.1: Estimating impact – criteria (Reputation, Finance, Service delivery, Compliance, Safety)

Extreme
  Reputation: Loss of credibility with key stakeholders; extensive adverse media; external intervention
  Finance: Financial loss exceeding £X
  Service delivery: Total sustained disruption to critical services
  Compliance: Intervention by regulator; serious breach of legal or contractual obligation
  Safety: Fatality (multiple)

High
  Reputation: Significant loss of trust; significant adverse media
  Finance: Financial loss exceeding £X
  Service delivery: Significant sustained disruption to critical services
  Compliance: Censure by regulator; breach of legal or contractual obligation
  Safety: Serious injury or ill-health (disabling)

Medium
  Reputation: Significant complaints
  Finance: Financial loss exceeding £X
  Service delivery: Some short-term disruption to services
  Compliance: Failure to meet recommended best practice
  Safety: Injury or ill-health resulting in lost time

Low
  Reputation: Isolated complaints
  Finance: Low-level or no financial loss
  Service delivery: Minor disruption to services
  Compliance: Failure to meet internal standards or SLA
  Safety: Minor injury (no lost time)

Table 5.2: Estimating impact – criteria (Environmental, Staff, Infrastructure, ICT, Business disruption)

Extreme
  Environmental: Major long-term irreversible environmental damage
  Staff: Sudden or unexpected loss of a number of key personnel
  Infrastructure: Long-term and permanent loss of critical assets / buildings
  ICT: Non-recoverable loss of critical data or records
  Business disruption: Cessation of major business critical services for up to 3 weeks

High
  Environmental: Major environmental damage, reversible with long-term remediation
  Staff: Low retention rates of key personnel
  Infrastructure: Sustained damage to assets; repair or replacements lasting more than 2 months
  ICT: Large loss or theft of data; severe inability to access critical files, data or records
  Business disruption: Major service delivery targets not met for two weeks; business critical service not back in agreed time

Medium
  Environmental: Environmental damage reversible with medium-term remediation
  Staff: Inability to attract and retain key personnel in identified high demand roles or hard to fill locations
  Infrastructure: Significant but temporary damage to assets or property / facilities
  ICT: Recoverable loss of critical files, data or records
  Business disruption: Business critical services lost for up to one week

Low
  Environmental: Superficial impact on environment with cosmetic remediation
  Staff: Difficulty in recruiting or replacing officers in critical or key departmental positions within reasonable timeframes
  Infrastructure: Minor property damage
  ICT: Loss of non-critical files, data or records
  Business disruption: Minor effect on services and/or programmes for one day

Chesshire (2009: 160) lists some of the sources of information for your risk

analysis. To determine your impact and likelihood, you could:

look at past records

look at personal relevant experience (and intuition)

look at industry-relevant experience of the risk

look at published literature on the risk

do some testing or experiments (for example, market research)

use economic or statistical models to make forecasts

use experts in the area of that risk to make judgements.

And you might do some of these things through the risk assessment techniques

that we presented in Unit 4.

You can use the risk matrix to show inherent or gross risks – the risk before any

control measures are taken – or the current, residual or net level of risk – the risk

taking account of existing control measures. You could even plot both inherent

and current risk on a single matrix and draw a line between them in order to

show the effect of any risk treatment.
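The multiplied-score matrix of figure 5.1, the nine risks plotted in figure 5.2 and the inherent-versus-current comparison just described, worked through in Python as an added example that is not code from the IRM guide. The RAG cut-offs and the control applied to Risk 1 are assumptions made for this example.

```python
"""Risk matrix scoring: an added, constructed example, not the IRM's code.

score() is the multiplied score of figure 5.1 (likelihood x impact, each
rated 1..3); FIGURE_5_2 holds the nine risks as plotted in figure 5.2; a
Risk may also carry current (net) ratings so that inherent and current
scores can be compared.  The RAG cut-offs are an assumption: the guide says
where the red zone starts depends on the organisation's tolerance of risk.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RATINGS = {1: "Low", 2: "Medium", 3: "High"}   # the {1}, {2}, {3} labels of figure 5.1


def score(likelihood: int, impact: int, size: int = 3) -> int:
    """Multiplied risk score: likelihood x impact, each rated 1..size."""
    for value in (likelihood, impact):
        if not 1 <= value <= size:
            raise ValueError(f"rating {value} is outside 1..{size}")
    return likelihood * impact


def score_grid(size: int = 3) -> List[List[int]]:
    """Matrix cells: rows are impact from High down to Low, columns likelihood Low..High."""
    return [[score(lik, imp, size) for lik in range(1, size + 1)]
            for imp in range(size, 0, -1)]


def rag_band(risk_score: int, red_from: int = 6, amber_from: int = 3) -> str:
    """Colour a score red/amber/green.  The cut-offs are assumptions for this example."""
    if risk_score >= red_from:
        return "red"
    if risk_score >= amber_from:
        return "amber"
    return "green"


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int                            # inherent (gross) likelihood, 1..3
    impact: int                                # inherent (gross) impact, 1..3
    current_likelihood: Optional[int] = None   # after existing controls; None = unchanged
    current_impact: Optional[int] = None

    def inherent_score(self) -> int:
        return score(self.likelihood, self.impact)

    def current_score(self) -> int:
        lik = self.likelihood if self.current_likelihood is None else self.current_likelihood
        imp = self.impact if self.current_impact is None else self.current_impact
        return score(lik, imp)


def rank_by_score(risks: List[Risk], current: bool = False) -> List[Risk]:
    """Most severe first.  sorted() is stable, so equal scores keep their input order."""
    key = Risk.current_score if current else Risk.inherent_score
    return sorted(risks, key=key, reverse=True)


def plot(risks: List[Risk]) -> Dict[Tuple[int, int], List[str]]:
    """Group risk names by (impact, likelihood) cell, as figure 5.2 does."""
    cells: Dict[Tuple[int, int], List[str]] = {}
    for r in risks:
        cells.setdefault((r.impact, r.likelihood), []).append(r.name)
    return cells


# Constructed input: the nine risks exactly where figure 5.2 places them.
FIGURE_5_2 = [
    Risk("Risk 1", likelihood=3, impact=3),
    Risk("Risk 2", likelihood=2, impact=2),
    Risk("Risk 3", likelihood=1, impact=2),
    Risk("Risk 4", likelihood=2, impact=3),
    Risk("Risk 5", likelihood=3, impact=1),
    Risk("Risk 6", likelihood=3, impact=2),
    Risk("Risk 7", likelihood=1, impact=1),
    Risk("Risk 8", likelihood=2, impact=2),
    Risk("Risk 9", likelihood=3, impact=3),
]

# Constructed treatment illustration (not from the guide): a control that cuts
# Risk 1's likelihood from High to Low takes its score from 9 down to 3.
TREATED_RISK_1 = Risk("Risk 1", likelihood=3, impact=3, current_likelihood=1)

if __name__ == "__main__":
    for (imp, lik), names in sorted(plot(FIGURE_5_2).items(), reverse=True):
        print(f"impact {RATINGS[imp]}, likelihood {RATINGS[lik]}: score {score(lik, imp)} -> {names}")
    for r in rank_by_score(FIGURE_5_2):
        print(f"{r.name}: score {r.inherent_score()} ({rag_band(r.inherent_score())})")
    print(f"Risk 1 inherent {TREATED_RISK_1.inherent_score()} -> current {TREATED_RISK_1.current_score()}")
```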

Essential reading

Read the first two parts of Hopkin chapter 15 (pages 163–6), on ‘Application of a

risk matrix’ and ‘Inherent and current level of risk’. You will see that figure 15.1


(page 164) shows another simple 2 × 2 risk matrix, while Figure 5.3 shows how

inherent, current and even target risks can be mapped.

Activity 5.3

1 In your reading you will have seen the debate about analysing risks at the

inherent and current levels. Which do you think makes most sense?

2 For your organisation, if you score risks, do you use a 3 × 3 dimension to

measure likelihood and impact or something else? Do you know why your risk

scoring method was chosen?

Essential reading

Take a quick look at section 4.7 of The Orange Book (HM Treasury, 2004: 20).

Like Hopkin, in the first part of chapter 15, it also discusses whether to plot risks

at the inherent or at the residual level of risk.

Risk significance

In doing our risk analysis, we need to ask the question: What makes our impact

significant? How do we decide when our risk analysis has revealed a significant

risk exposure to the organisation?

Essential reading

Read the fifth part of Hopkin chapter 15 (pages 168–9), titled ‘risk significance’.

There is no need now to read the third, fourth and sixth parts of Hopkin chapter

15, titled ‘Control confidence’, ‘4Ts of risk response’ and ‘Risk capacity’. We will

return to these parts later in this unit and in unit 6.

Hopkin refers to scoring mechanisms and to an important term, used in risk

analysis, ‘benchmark tests for risk significance’. A risk is significant if it could

have an impact in excess of this benchmark test. Benchmark tests can reduce the number of identified risks from many hundreds or thousands to the few which are the most significant and which we must treat first.

5.3 Risk evaluation and risk appetite

We now move on to the final element of risk assessment, risk evaluation. The central idea behind risk evaluation is that after analysing a risk to estimate its severity, we then have to decide whether to:

respond to the risk in some form in order to reduce our exposure (hazard risk), reduce the level of uncertainty (control risk), or modify the investment (opportunity risk); or

simply tolerate the level of risk that we have estimated without any further action.

So risk evaluation is, in effect, a decision point in which we decide whether to

respond or not to respond to the risk.

Activity 5.4

Look back at figure 6.4 in Hopkin (page 65) on ISO 31000, the IRM (2002) risk

process, presented in figure 6.1 (page 59) and the COSO ERM cube (Hopkin,

page 63). Where does risk evaluation fit into the risk management process in

each of these standards?

Essential reading

The Orange Book (HM Treasury, 2004: 20) has a useful, brief discussion of the

process of risk evaluation, in sections 4.4 and 4.5.


Importance of risk appetite

Absolutely central to the process of risk evaluation is the idea of risk appetite.

The Chartered Institute of Internal Auditors (CIIA, 2005: 26) provides a working

definition of risk appetite which we can use, as follows:

‘…the process used to determine risk management priorities by

comparing the level of risk against predetermined standards, target risk

levels or other criteria.’

Essential reading

In unit 4 we saw how Hopkin’s chapter 13 on risk assessment introduced risk

perception (pages 147–9) and risk attitude (pages 149–51). Remind yourself of

these ideas now.

If an organisation is to achieve a consistent approach to risk management across

the enterprise (ERM), those who manage risk clearly need to know the trigger

point, in terms of risk severity, above which they should respond. If staff do not

know when to respond and when to tolerate a risk, then the result is that the

overall risk exposure of the business will increase because of the inconsistencies

that would arise. Staff will respond to risks of equal severity based on their

unique personal attitude to risk rather than the consistent attitude to risk that the

organisation wishes.

The most common criterion that organisations use to help staff make a

consistent decision on whether to respond or not to the risks that they face is

called the ‘risk appetite’ and not surprisingly it is the board which has the

responsibility to decide on that risk appetite. For this term there are a range of

definitions, as shown in table 5.3.


Table 5.3: Definitions of risk appetite

Hopkin (2014: 213): The immediate or short-term willingness of an organisation to undertake an activity that involves risk

IRM (2011: 7, 8 & 10): The amount of risk that an organisation is willing to seek or accept in the pursuit of long-term objectives; those risks that they actively wish to engage with

ISO Guide 73: The amount and type of risk that an organisation is willing to pursue or retain

The Orange Book (2004: 49): The amount of risk that an organisation is prepared to accept, tolerate or be exposed to at any point of time

CIIA (2005: 26): The level of risk that is acceptable to the board or management. This may be set in relation to the organisation as a whole, for different groups of risks or at an individual risk level

Risk appetite varies from organisation to organisation – some are generally more

risk taking (or risk aggressive) and others are more risk averse. Even within the

same organisation, the appetite for risk taking will vary between different

functions. For example, a finance department is likely to be highly risk averse,

while the research and development section may be more risk taking.

An ERM approach requires organisations to understand their overall appetite for

risk and then apply a consistent approach across the organisation. The

organisation can then make consistent decisions about how to respond to a

particular risk. We will discuss risk responses in unit 6.

Essential reading

Look briefly at Chapter 5 in The Orange Book (HM Treasury, 2004: 23–5), which is about risk appetite. Section 5.1 describes risk appetite for opportunities as well as for hazards or threats. Sections 5.2 and 5.3 describe the nature of corporate level risk appetite, risk appetite for projects and delegated risk appetite, which is cascaded down the organisation in order to gain a consistent management of risk. Section 5.5 explains how you can use risk appetite for decision making in areas such as resource allocation and project approval.

Read also the first parts of Chapter 20 in Hopkin on the importance of risk appetite (pages 212–220).


Risk appetite has to be identified within the context of the organisation’s overall

business strategy, tactics, operations and its need to comply with relevant

legislation and regulation. However, boards are primarily concerned with

business drivers and strategic imperatives, leading to the possibility of decisions

being taken that don’t fully take into account the actual levels of risk exposure, or

the organisation’s willingness to tolerate such levels of risk.

One charity attempted to use The Orange Book approach to undertake an

assessment of risk appetite. It first looked at risk appetite for different

classifications of risks and then derived an organisational-level risk appetite from

the average of the risk appetites of each of the classifications of the risks. This is

shown in table 5.4.

Table 5.4: A simple risk appetite estimate

Risk type                     Risk appetite
Customer health and safety    0
Staff health and safety       0
Financial risk                2
IT risk                       3
Reputational risk             2
Crisis management             3
Environmental risk            3
Fraud and corruption risk     1
Overall risk appetite         1.75 (average of the eight ratings above)

Legend

Rating   Risk appetite   Meaning
0        Extremely low   Almost no residual risk is acceptable
1        Very low        Residual risk only acceptable in extreme situations (e.g. where the risk has a very low impact and likelihood)
2        Fairly low      Residual risk is managed down low on a cost-benefit basis. However, on balance, control is weighted higher than acceptance
3        Moderate        Residual risk is accepted to moderate levels. Moderate implies a pure cost-benefit approach
4        High            Residual risk is accepted to quite high levels
5        Very high       Acceptance of very high levels of residual risk

MODULE 1 | PRINCIPLES OF RISK AND RISK MANAGEMENT

88 | © 2016 Institute of Risk Management

As you can see, the charity had a fairly conservative approach to determining the

level of risk it was prepared to accept, but it was prepared to accept some higher

levels of risks for some categories of risk. It did not take the final step advocated

in The Orange Book to undertake risk evaluation down to individual risks.
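A worked illustration of the two ways of reading table 5.4, added here and not part of the study guide or of the charity's own process: the average the charity used is computed from the table's ratings, and a few constructed residual risks (scored on the same 0–5 scale, which is an assumption) are checked both against the averaged figure and against their own category's appetite. It shows the check a practitioner would want before adopting an organisation-wide average: a category with an appetite of 0 disappears into an overall figure of 1.75.

```python
"""Category-level risk appetite versus an averaged overall appetite.

Added illustration, not part of the IRM study guide. The appetite ratings
reproduce table 5.4 (0 = extremely low ... 5 = very high); the residual
risks evaluated below are constructed for the example and are assumed to be
scored on the same 0-5 scale.
"""
from __future__ import annotations

# Risk appetite per category, as in table 5.4
CATEGORY_APPETITE: dict[str, int] = {
    "Customer health and safety": 0,
    "Staff health and safety": 0,
    "Financial risk": 2,
    "IT risk": 3,
    "Reputational risk": 2,
    "Crisis management": 3,
    "Environmental risk": 3,
    "Fraud and corruption risk": 1,
}


def overall_appetite(appetites: dict[str, int]) -> float:
    """The charity's derivation: a plain average of the category ratings."""
    return sum(appetites.values()) / len(appetites)


def evaluate(residuals: list[tuple[str, str, int]],
             appetites: dict[str, int]) -> dict[str, dict[str, bool]]:
    """Check each residual risk against its category appetite and against
    the averaged overall appetite.

    residuals: (risk name, category, residual rating on the 0-5 scale)
    Returns, per risk, whether it is acceptable by category and by average.
    """
    avg = overall_appetite(appetites)
    report = {}
    for name, category, residual in residuals:
        report[name] = {
            "ok_by_category": residual <= appetites[category],
            "ok_by_average": residual <= avg,
        }
    return report


def masked_by_average(residuals: list[tuple[str, str, int]],
                      appetites: dict[str, int]) -> list[str]:
    """Risks that pass the averaged appetite but breach their own category's
    appetite: the ones an organisation-wide average would silently accept."""
    report = evaluate(residuals, appetites)
    return [name for name, v in report.items()
            if v["ok_by_average"] and not v["ok_by_category"]]


# Constructed residual risks for the example (not from the charity's register)
SAMPLE_RESIDUALS = [
    ("Trip hazard in the public shop", "Customer health and safety", 1),
    ("Unpatched donor database", "IT risk", 3),
    ("Petty cash handling", "Fraud and corruption risk", 1),
]

if __name__ == "__main__":
    print(f"overall appetite (average): {overall_appetite(CATEGORY_APPETITE):.2f}")
    for name, verdict in evaluate(SAMPLE_RESIDUALS, CATEGORY_APPETITE).items():
        print(f"{name}: {verdict}")
    print("masked by the average:",
          masked_by_average(SAMPLE_RESIDUALS, CATEGORY_APPETITE))
```

Run as a script it prints the 1.75 figure and the verdicts; the trip hazard is acceptable against the average and unacceptable against its category, which is exactly the information the averaging step throws away. The Orange Book's final step of evaluating down to individual risks against their category or individual appetite avoids this.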

RISK IN THE

REAL WORLD

Go back to Hopkin chapter 15 (page 171). There you will see a

discussion about the risk capacity of a bank and how this

relates to risk exposure and risk appetite.

You will have seen that Hopkin considers the need to

undertake a more complex form of risk analysis. In this,

organisations consider not just the most likely impact level of a

risk but the full possible range of impacts that might result from

the risk.

RISK IN THE

REAL WORLD

In looking at a relationship between risk capacity and risk

appetite, a trading business unit within a utility company might

have a very large possible capacity for risk, but external

influences, such as public perceptions or political constraints,

might limit its capacity to increase its risk appetite, since to

exceed it might damage the business’s reputation.

Essential reading

Now read what Hopkin says about risk appetite statements (pages 220-223), and

risk appetite and lifestyle decisions (pages 224 and 225).

The further reading section at the end of this unit provides further interpretations

on risk evaluation. However, you will encounter several other readings on this

area in later modules and especially in modules 2 and 3.

Now that we have decided on the criteria by which we decide to tolerate or

respond to the risk our organisation has, we can move on to discuss the more

specific subject of loss control.


5.4 Loss control

This section discusses loss control. It explains the need to identify

appropriate control measures to prevent a risk materialising, limit the damage

and contain the costs when a risk does materialise. The focus of this section is

the treatment of risks and it describes how we can minimise the potential losses

after having done our risk analysis. In fact, much of the section is as relevant to

the subject of risk treatment in unit 6 as it is to risk analysis here in unit 5.

The section focuses on the treatment of hazard-type risks. Before you begin your

readings, ensure you can recall the meaning of hazard-type risks and be able to

distinguish them from uncertainties and opportunities, which we covered in

unit 1.

Hazard risks and loss control

There are many examples of hazard risks and dependencies that could cause

hazard risks. Loss control relates to the mitigation of hazard risks and the

components of loss control that are identified as loss prevention, damage

limitation and cost containment. This gives rise to a useful formula to remember:

Loss control = loss prevention + damage limitation + cost containment

The most important of these three components is the loss prevention response, which is to identify treatments that help to prevent hazards and which we also call (not surprisingly) ‘preventive controls’. The three components of loss control, in order, are as follows:

Loss prevention: focuses on reducing likelihood.

Damage limitation: focuses on reducing magnitude.

Cost containment: focuses on reducing impact and consequence.

Loss prevention is based on preventive responses that organisations could use

for different types of risks, including health and safety, fire, fraud and theft.


The purpose of damage limitation is to limit the damage as soon as the

organisation can detect the risk event unfolding. Good examples include fire

sprinkler systems and first aid facilities located near to dangerous places of work.

There is a clear distinction between damage limitation and cost containment. The

latter is about salvage and post-incident management, to ensure an efficient and

effective recovery. These ideas are all closely connected with business continuity

management and the PCDD control types, subjects we will look at in detail in

Unit 6.

Chapter 16 of Hopkin has six parts:

Risk likelihood – reviewing the first dimension of risk analysis and how we

can reduce likelihood by managing hazard risks.

Risk magnitude – reviewing the second dimension of risk analysis and

how we can reduce impact by managing hazard risks.

Hazard risks – providing some examples of hazard risk and how these can

be managed through three loss control techniques.

Loss prevention – discussion of the first of the loss control techniques.

Damage limitation – discussion of the second of the loss control

techniques.

Cost containment – discussion of the third of the loss control techniques.

Essential reading

Read the whole of Hopkin chapter 16 (pages 172–8).

5.5 Defining the upside of risk

Risk is not just about threats and negative consequences. Managing risk can

lead to positive outcomes and realisation of opportunities. Entrepreneurs are

generally considered to be people who are prepared to take bigger risks,

because they see the potential for significant benefits/gains. But, of course, there

is uncertainty about whether the benefits will be achieved. Managing risks to enhance the likelihood of positive outcomes can be just as important as managing risks to reduce the likelihood or magnitude of negative outcomes.

There are various definitions of an upside risk. A common definition of upside

risk is ‘opportunities that can be seized with a desirable outcome’. A high upside

risk represents a high likelihood of a desirable outcome.

The upside of risk, covered in chapter 17 of Hopkin, is a challenging concept

because it argues that organisations should address the upside of risk along with

the much more obvious and traditional downside aspects. We will cover the

upside of risk as it relates to strategy, tactics and operations – which, if you recall

from unit 1, is the primary way in which Hopkin divides risks. We will look at the

role of opportunity assessments and an approach to assessing the overall

riskiness of an organisation.

As the risk management profession increasingly has to justify its added value in

organisations, a discussion of the upside of risk management is very relevant for

risk managers.

People often use a double-sided risk matrix (a simple example is shown in figure 5.3) to compare opportunities as well as downside risks. This type of matrix can be presented in a variety of ways. In some cases, upside risk is presented on the right of the matrix with downside risk on the left. With upside risks, the aim is to move the risk to the top left-hand corner of the upside half of the matrix in figure 5.3, by increasing the likelihood and/or the desirable consequence.

Figure 5.3: Risk Matrix for opportunities and hazards


The black arrowed lines indicate the objectives of risk treatment (see Unit 6), to maximise the

upside risk and reduce the downside risk.

The idea of using the likelihood dimension to score upside risk is less universally

applied than it is for hazard risks. For example, one industry scores opportunity

using the term ‘ease to implement’ when estimating the likelihood of the

opportunity emerging. However we could use exactly the same techniques that

we discussed for risk identification – such as the risk wheel, the bow-tie,

workshops and questionnaires – to identify opportunities.

There is a range of ways in which upside risk can be manifested. We could

possibly fit these into two forms: upside through good management (managed

positive outcomes) and upside through good fortune (random positive

outcomes).

Taking the managed positive outcomes in a little more detail, there is a link between the upside of risk and the MADE2 acronym, which simply describes the upside of risk as being the benefits of good risk management. In that sense, we

could argue that the upside of risk is simply the managed achievement of

objectives. Good hazard-risk management, however, in itself provides

opportunities to take on more risky ventures through knowing that the

organisation can manage its hazard risks well. Thus good hazard risk

management is a source of strategic competitive advantage.

From a practical point of view, the upside of risk is something risk managers often spend little time thinking about because the organisation expects them to manage hazards, not exploit opportunities; it is someone else’s job to do the exploiting.

We now move on to discuss the upside of risk from the perspectives of strategy,

tactics and operations.

The upside of risk can be categorised into three – strategy, projects (tactics) and

operations – the same categories as can be used for downside risk. There are

three separate parts in this reading which discuss these three categories further.

Essential reading

Read the first part of chapter 17 in Hopkin (pages 179–81), titled ‘Upside of risk’.

Achieving the upside of risk

Essential reading

The second part of chapter 17 in Hopkin (page 182), ‘Opportunity assessment’,

focuses on upside in the strategic context and how consultancy firms and a

theatre can assess opportunities in terms of choices over new products and/or

markets.

In fact product/market analysis is a core concept of strategic management and it

provides evidence of how many organisational disciplines overlap (in this case,

risk and strategic management). Note also, from Unit 3, how we described ERM

as a ‘process…applied in strategy-setting and across the enterprise’, because

this definition underlines that the link between these two disciplines is a

deliberate one.

The upside of risk in relation to strategy relates implicitly to the two Es (effective

and efficient) in the MADE2 acronym. The upside in strategy is all about

increasing the likelihood and positive impact of the particular strategic decision.

The selection of an inappropriate strategy can be the most catastrophic risk that

an organisation can experience.


Risk management can help us choose an effective strategy and it is important to

note that:

implementation of the chosen strategy involves a range of tactical

decisions in the form of effectively delivered change projects and

programmes

delivery of the chosen strategy involves efficient core operational

processes.

The upside of risk management in terms of tactics, or change management to implement strategy, is an important consideration. It is necessary to distinguish between efficient and effective. The objective of the change is to improve both the efficiency and the effectiveness of the core processes.

So the upside of risk here is around selecting the best change activities to

implement strategy, and ensuring the selected change activities are effectively

delivered. In that sense we can argue that tactics are merely a response to help

manage strategic risk.

Efficient processes represent the upside of risk in operations. Carefully consider

what this means. The upside of risk management is that it can place the

organisation at a competitive advantage over its competitors, thus identifying

further strategic opportunities.

So all in all, there is a cycle in the upside of risk management moving from

strategy to tactics, tactics to operations and operations back to strategy.

Essential reading

Read the rest of chapter 17 in Hopkin (pages 182–189). ‘Riskiness index’

describes an alternative model to analyse risks. ‘Upside in strategy’, ‘Upside in

projects’ and ‘Upside in operations’ provide a detailed discussion of upside of risk

in strategic level activities, tactical level activities and operational level activities.


RISK IN THE

REAL WORLD

Take a look at the box in Hopkin on page 188, which explains

how changed economic circumstances have provided

opportunities to a restaurant chain and an electrical generating

company.

Activity 5.5

Upside risk: Think of some examples in your organisation where a risk event can

result in positive or beneficial outcomes.

We summarise the whole activity of risk analysis, by describing a feedback

activity in the ISO 31000 process next.

ISO 31000 and the upside of risk

As we identify and analyse the risks that can affect our objectives, we will

monitor and review the information that we obtain from these two processes.

In doing this, you can appreciate that if the severity of the risks identified and

analysed is too great (or too little) to be acceptable, this is likely to result in either

treating the risks (the next stage in the process) or going back to review and

possibly change our objectives (or alternatively change our criteria for

acceptability).

After such a review, if we do change our objectives, we then have to repeat the

risk identification and risk analysis processes based on those revised objectives.

This iterative process may occur several times before we have a satisfactory

risk-aware set of objectives that enable us to deliver an efficient and effective

strategy.

Monitoring and review (like all aspects in the risk management process) must

therefore be a continuing activity.


Self-assessment questions

1 Which one of the following formulae is the best way to calculate the severity

of a risk?

a) Risk inherent impact × risk residual likelihood

b) Risk frequency × risk probability

c) Risk outcome × risk probability

2 Which of these terms is defined by Hopkin as ‘the amount and type of risk

that an organisation is willing to pursue or retain’:

a) Risk appetite

b) Risk magnitude

c) Risk impact.

3 Which of these is an expression of probability:

a) ‘In just one day in 2005 Hurricane Katrina resulted in a one-in-a-

hundred-year flood to New Orleans.’

b) ‘There is a 2% chance of rain in the city of Jeddah on any one day

during the next month.’

c) ‘Rainfall in June 2015 was higher than usual.’

Further reading

Risk analysis

IRM’s ORC (2014) has a section called ‘Risk management tools and techniques’,

with a subsection on ‘risk assessments’, which has a range of publications and

guidance covering all aspects of risk assessment.

Some people argue that, when analysing risks, impact is a more important

measure of severity than likelihood. For an illustration of this approach, see the

UK Charity Commission publication (Charity Commission, 2010: 16).


A useful reference related to how a quantitative approach to risk analysis could

be abused, by taking advantage of people’s natural illiteracy in statistical

analysis, is Gigerenzer (2011: 39), which is an IRM publication.

Risk appetite

If you are interested in the area of your personal risk appetite, you should look at

the subject of risk compensation first put forward by John Adams.

Page 11 of RIMS (2011) is a small section of the reading and shows how COSO

presents four elements of the risk appetite:

The existing risk profile, defined as ‘the existing level of distribution of risks

across risk categories (for example, financial risk, market risk, operational

risk, reputation risk, and so on)’.

The risk capacity, defined as ‘the maximum risk a firm may bear and

remain solvent’.

The risk tolerance, defined as ‘acceptable levels of variation an entity is

willing to accept around specific objectives’.

The desired level of risk, defined as ‘the desired risk/return level’.

Feedback to activities

Activity 5.1

You might find that some of your risks are measured in a quantitative manner

while others are measured qualitatively. Financial risks for example might be

very measurable quantitatively or semi quantitatively. Where you measure a

quantitative impact, such as a financial loss, you may also use a qualitative

measure of likelihood, such as a high, medium or low measure.

Activity 5.2

Here is a possible definition: ‘Risk analysis helps us to determine the severity of

the risks our organisation faces by analysing the likelihood of the risk

materialising together with the severity of the impact on the organisation.’


Activity 5.3

1 The debate on whether, as a profession, we should focus our risk

assessment (or more precisely risk analysis) at the inherent or residual level

of risk has never been fully resolved. Again, this discussion is more relevant

after discussing risk treatment in unit 6 and we will return to it then; at this

stage however, we focus on analysing inherent risk.

2 Organisations will choose their risk matrix according to their own needs and

circumstances. However, it is important to check continually whether the

matrix is appropriate.

Activity 5.4

Both ISO 31000 and the IRM (2002) risk process include risk evaluation as a

separate element within the wider subject of risk assessment. The COSO ERM

cube (and The Orange Book) subsume risk evaluation (as they did risk analysis)

within the broader subject of risk assessment.

Activity 5.5

We can tackle this question from the three core levels of risk: strategy, tactics

and operations. From tactics, the emphasis is on the nature of the uncertainty

aspect of risk in the area of project management. Here we can see that a risk

event could be both positive and negative. Thus, a positive risk is that the project

might be completed early, under budget and with more beneficial outcomes than

anticipated. In terms of strategy, the dominant emphasis is on choosing the most

beneficial opportunities based on the organisation’s strengths, weaknesses,

opportunities and threats. In the area of financial operations, it might just be that

random processes result in a favourable return on the business’s investment of

their free cash reserves rather than an unfavourable one.

Answers to self-assessment questions

1-c (‘outcome’ is, however, a less common term for the result of a risk event; we usually use the terms impact, magnitude or consequences instead)

2-a


3-b

Unit 6 Risk response and risk

treatment

Unit learning outcome

After studying this unit, you should be able to:

Distinguish the main features of risk control techniques

Unit contents Section learning outcomes

6.1 Introduction to risk treatment and risk response…101

Explain the meanings and purposes of risk response

6.2 The 4Ts…104 Describe the risk response options in terms of tolerate, treat, transfer and terminate

6.3 Risk control techniques (PCDD)…107

Describe the types of controls that are available, in terms of preventive, corrective, directive and detective (PCDD) controls

6.4 Control of selected hazard risks…110

Explain how to determine whether controls are cost-effective, looking at selected hazard risks, including risks to finances, infrastructure, reputation and marketplace

6.5 Introduction to monitoring and review…111

Apply the activity of monitoring and reviewing the risk management process, learning from controls

6.6 Insurance and risk transfer…117 Describe the importance of insurance and the circumstances in which insurance is purchased, including the involvement of a captive insurance company

6.7 Business continuity planning…119

Build a simple business continuity plan using the latest techniques

Resources

Make sure you have access to the following resources before starting this unit:

Hopkin (2014), chapters 18, 21, 22, 23 and 24


The Orange Book (HM Treasury, 2004), chapters 6, 7 and 8, and appendix A

Introduction

This unit concludes the module. It completes the process of enterprise risk

management (ERM) by considering the risk treatment stage. As before, we will

be using the ISO 31000 standard as the basis of our work, although again we will

refer to other standards from time to time.

6.1 Introduction to risk treatment and risk response

We start the unit by looking at how risk treatment and risk response fit into a

range of risk management standards and processes.

Essential reading

To start this unit, return to figure 6.4 in Hopkin (page 65) and see how ISO 31000

shows the activity of risk treatment.

Activity 6.1

By looking in Hopkin and The Orange Book (HM Treasury, 2004), see if you can

find where the IRM (2002), COSO ERM (2004), the 8Rs and 4Ts process and

The Orange Book show the activity of risk treatment. (Clue: Look at pages 59, 63

and 41 respectively in Hopkin and page 13 in The Orange Book.)

Now that you can see where risk treatment lies in the risk management process,

we can go on to discuss the purpose of risk treatment and its relationship to

inherent (gross) risk, residual (net or current) risk and target risk.


Purpose of risk treatment

Having set our objectives (at strategic, tactical and operational levels), and then

identified and analysed our risks to determine their severity, the next stage

logically is to respond to, treat or control the identified risks. Figure 6.1 shows a

model of how risk appetite can inform this.

Figure 6.1: Objectives, risks and controls

Following initial risk identification and analysis, the risk exposure of an

organisation may be made up of many high-, medium- and low-severity risks.

If risk analysis takes place purely on inherent risks (which implies that the

organisation has not responded to any of its risks), then most risks would have

the maximum possible impact on the organisation.

Even without reference to any risk appetite statement, we can imagine the organisation will wish first to reduce its highest-level (red) risks so that they at least become medium-level (yellow) risks, and the risk matrix in figure 6.2 (below) shows this. It also shows that the organisation will probably tolerate the low-severity, low-likelihood (green) risks, especially since all of its initial effort must be to tackle the red risks.

Figure 6.2: Simplified risk matrix

                        Likelihood
                  Low            High
Impact   High     ?              Respond
         Low      Tolerate       ?

We may then find that our risk appetite requires us to consider the more severe

of the residual risks within the yellow, medium-severity level. This should move

some of the yellow, medium-level risk into the green, low-severity risk area.

Ideally, while our organisation would like to eliminate all of the high-severity and

many of the medium-severity risks, this may not be possible for reasons of

practicality or cost-effectiveness. And of course, flaws in the risk analysis

process could result in an understating of the true levels of inherent risk severity,

such that a risk we perceive as a medium-severity risk could in fact be high.

For the risk management process to work correctly we must build a feedback loop into the risk management process as follows:

We treat a risk by comparing the inherent risk with the risk appetite. If the inherent risk severity exceeds the risk appetite, we will treat it.

Then we re-analyse the residual risk after treatment. If the residual severity still exceeds the risk appetite, we will treat it again to reduce the risk further.

Then we re-analyse the residual risk again. Only when the residual severity is less than or equal to the risk appetite should we cease treating the risk. If we cannot reduce the risk sufficiently or economically then we might have to consider avoiding the risk completely by revising our objectives and thus beginning the whole risk management process again.

In practice this is more likely to be a constant feedback loop, because both the

severity of our risks and our risk appetite are likely to be constantly changing.

The feedback activity is part of the monitoring and review stage of the full ISO

31000 risk management process.

This approach can however be a source of risk in itself, because only with an

indication of the inherent risk can an organisation fully determine what might

happen if the present-day controls fail. You might wish to consider what your

organisation does and why your organisation has chosen to estimate its risks in

the way that it does.

Essential reading

Turn to Hopkin chapter 15 and read the second part of that chapter, called

‘Inherent and current levels of risk’ (pages 165–6) which introduces risk

treatment. Note particularly the content of figure 15.3 on page 166 because this

shows risk treatment in relation to inherent, residual and target levels of risk.

Activity 6.2

Can you recall what aspect of risk evaluation helps us to identify our ‘target risk’?

6.2 The 4Ts

The 4Ts process is made up of four different responses to hazard risks: tolerate,

treat, transfer and terminate. The 4Ts is a very important set of approaches. You

should be able to describe the meaning of each T and also be able to provide

one or two examples for each T. The 4Ts also links the previous stage in the risk

management process (risk evaluation) to the next stage (monitoring and review).


To look at the 4Ts in turn:

An organisation will normally tolerate a hazard risk if the risk’s perceived

severity is less than the risk appetite. Clearly, an organisation will tend to

tolerate low severity risks. However, it may tolerate some high-severity

risks – for example, where it has failed to identify risks or has under-

estimated the severity of the risk. Toleration of high-severity risk makes

the organisation especially vulnerable and some people argue that it is not

the known risks that destroy an organisation, but those risks that are

unknown and implicitly tolerated.

We treat a risk by retaining it in the organisation and taking action to modify its severity, likelihood or impact. You will also see that the most common approach to responding to risks is through the ‘treat’ option.

An organisation may try to transfer risk exposure to a third party, such as

an insurance company. In practice though it is very unlikely an

organisation can fully transfer a risk and for that reason the term ‘risk

sharing’ is often used. Other examples of risk transfer include joint

ventures, outsourcing and risk financing. These are areas that you will

study in later modules.

To terminate a risk an organisation will often need to terminate the activity

which is associated with the risk. Termination is something that

organisations usually undertake reluctantly and because the residual

severity of the risk is simply too high after the organisation has considered

all other possible cost-effective responses (from transfer or treat).

There are circumstances where an organisation cannot terminate even its

highest-severity risks, especially in the public services (where there is an

obligation to deliver a service even if the risks are very high) or where the

consequential loss of reputation would be deemed an even greater risk. In these

situations, the only option left is to tolerate the residual risk that remains, even

though it exceeds risk appetite.

It is possible to distinguish the term ‘impact’ from the term ‘magnitude’. We can

say that impact is a risk analysis measure at the residual risk level, whereas

magnitude is a risk analysis measure at the inherent risk level.


If we then adopt a risk management approach based on residual risk rather than

inherent risk we can say that:

Where residual impact and likelihood are high: If the severity cannot be

reduced further by more treatment then the only remaining option might

be to terminate the activity that gives rise to the risk.

Where residual impact is high and likelihood is low: We might have treated

the risk to reduce its likelihood, but we are still highly exposed if the risk

occurs, although that is now not very likely. Therefore, it might be most

cost-effective to transfer the risk to another party who can manage the risk

either more expertly or more cost-effectively than we can.

Where residual impact is low and likelihood is low: We have treated this

risk as far as we need, so no further treatment is required. We can

therefore tolerate it.

Where residual impact is low and likelihood is high: We have helped to

reduce the impact, but with the likelihood quite high, there is room to take

further steps to reduce its likelihood and/or its impact further.

This approach can be criticised as being rather blunt. It falls down where risks

are analysed on the boundaries between high and low of the two axes, and in

particular around the cross-over point in the dead centre of the matrix.

Essential reading

Read The Orange Book (HM Treasury, 2004: 27), section 6.1 for a very simple

summary of the 4Ts. Note that it also describes a fifth T – the need to take an

opportunity or a positive project variation as it arises.

Then read the first parts of chapter 21 in Hopkin (pages 226–233) on ‘The 4Ts of

hazard response’, ‘Tolerate risk’, ‘Treat risk’, ‘Transfer risk’ and ‘Terminate risk’.

Activity 6.3

Provide one practical example in your organisation of each of the 4T responses.

Try to identify if the focus of the response is to try to reduce the risk’s impact or the likelihood, or both, or neither!

Essential reading

Read the final part of Hopkin chapter 21 (pages 233–7), ‘Project and strategic risk response’, which introduces the 4A and 4E approaches.

Activity 6.4

Consider your organisation’s responses to project and strategic risks (as opposed to hazard risks). Do you have an alternative way to the 4As and 4Es of classifying these types of responses?

RISK IN THE REAL WORLD

Appendix A of The Orange Book (HM Treasury, 2004: 41) shows how organisations can typically bring their risk identifications, analyses and responses together using a risk register. It presents the results of managing three risks that could impact on a single objective. Look at the register carefully and see if you can identify how the person displays inherent, residual (current) and target risk.

6.3 Risk control techniques (PCDD)

We now go on to discuss an alternative classification of responses to hazard-type risks: control theory. Control theory describes a hierarchy of risk responses as preventive, corrective, directive and detective (abbreviated as ‘PCDD’) and it provides some indication of when the different types of controls might be appropriate. In general, this section refers to Hopkin chapter 22.

It is possible (although not universally accepted) to link PCDD to the 4Ts as a dominant form of response to risk, dependent on the risk’s residual severity. This will give rise to the following links, with risk severity scores for likelihood then impact measured (H = high, L = low):

HH = Preventive and terminate.
HL = Corrective and treat.
LH = Directive and transfer.
LL = Detective and tolerate.

However, the approach of slotting a specific T into a quadrant of the risk matrix is not suggested by all standards, and many other contributors to discussions on risk treatment, such as The Orange Book (HM Treasury, 2004: sections 6.2 and 6.3), do not compartmentalise each PCDD into a specific quadrant.
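The quadrant links above, and the 4T responses of section 6.2, worked through in code as an added illustration (it is not part of the study guide or of Hopkin’s text). A small Python classifier takes residual likelihood and impact scores from a risk register, returns the dominant 4T response and PCDD control type for the quadrant, and flags entries that sit on an axis boundary or in the dead centre of the matrix, where the text warns that the mapping is too blunt to rely on. The 1–5 scoring scale, the cut-off between low and high, the boundary margin and the register entries are all constructed assumptions.

```python
"""Classify residual risks on a 2 x 2 likelihood/impact matrix and map each
quadrant to the dominant 4T response and PCDD control type described above.

Added illustration, not taken from the study guide or from Hopkin. The 1-5
scoring scale, the cut-off between low and high, and the sample register
entries are constructed assumptions; the quadrant-to-response links follow
the text (likelihood scored before impact).
"""
from dataclasses import dataclass

HIGH_FROM = 3        # assumed: a score above this counts as 'high'
BOUNDARY_MARGIN = 1  # assumed: scores this close to the cut-off are 'boundary' cases

# Quadrant code is likelihood then impact, as in the text.
RESPONSE_FOR = {
    "HH": ("terminate", "preventive"),
    "HL": ("treat", "corrective"),
    "LH": ("transfer", "directive"),
    "LL": ("tolerate", "detective"),
}


@dataclass(frozen=True)
class RiskEntry:
    name: str
    residual_likelihood: int  # 1 (rare) .. 5 (almost certain), constructed scale
    residual_impact: int      # 1 (negligible) .. 5 (catastrophic), constructed scale


def band(score: int) -> str:
    """Collapse a 1-5 score to the matrix's two bands, H or L."""
    if not 1 <= score <= 5:
        raise ValueError(f"score out of range: {score}")
    return "H" if score > HIGH_FROM else "L"


def near_cut_off(score: int) -> bool:
    """True when the score sits just either side of the low/high cut-off,
    which is where the text says the blunt quadrant approach falls down."""
    return abs(score - (HIGH_FROM + 0.5)) <= BOUNDARY_MARGIN


def classify(entry: RiskEntry) -> dict:
    """Return the quadrant, dominant 4T response and PCDD control type, plus a
    flag when the scores are too close to the centre to trust the mapping."""
    quadrant = band(entry.residual_likelihood) + band(entry.residual_impact)
    four_t, pcdd = RESPONSE_FOR[quadrant]
    near = [near_cut_off(entry.residual_likelihood), near_cut_off(entry.residual_impact)]
    if all(near):
        note = "dead centre of matrix: judge manually"
    elif any(near):
        note = "on an axis boundary: judge manually"
    else:
        note = ""
    return {
        "name": entry.name,
        "quadrant": quadrant,
        "response": four_t,
        "control": pcdd,
        "review_manually": any(near),
        "note": note,
    }


def classify_register(entries) -> list:
    """Classify every entry of a register, preserving its order."""
    return [classify(e) for e in entries]


# Constructed sample register (assumption, not from the text).
SAMPLE_REGISTER = [
    RiskEntry("Data centre power loss", 2, 5),
    RiskEntry("Phishing of staff credentials", 5, 4),
    RiskEntry("Minor website defacement", 4, 2),
    RiskEntry("Stationery supplier delay", 1, 1),
    RiskEntry("Legacy application outage", 3, 4),
]

if __name__ == "__main__":
    for row in classify_register(SAMPLE_REGISTER):
        print(f"{row['name']:<32} {row['quadrant']}  {row['response']:<10} "
              f"{row['control']:<11} {row['note']}")
```

The `review_manually` flag is the practical point: a register tool can apply the quadrant rule automatically, but entries scored 3 or 4 on either axis should be routed to a person rather than acted on as a mechanical outcome.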

Preventive controls are the most important, though prevention may not always be cost-effective, especially if the likelihood of a risk occurring is low. For risks that we have no control over, such as some external risks, it might be impossible to prevent them anyway, in which case we are left with considering only the other three options. In that sense, a cost-benefit analysis of any preventive control is vital.

Corrective controls are in place where preventive controls are not feasible, desirable or cost-effective (although they could also be used as a secondary defence, should the preventive controls fail). Again, alongside their adequacy and effectiveness, the corrective controls’ value for money also needs to be tested.

Directive controls are the most common type of control and are based on giving directions to another person or party as to how they should behave in certain circumstances. This type of control is based on the behaviour of individuals and, therefore, may not be very reliable. Contracts are directive controls because a contract instructs the parties to the contract what they should do in specified circumstances.

Detective controls: a fire alarm which detects a fire moments after the first puff of smoke is likely to be a much quicker detection of a fire risk than the detection of a project off-track through an audit review taking place six months into a project. Nevertheless, they are both examples of detective controls.

Remember that there is a relationship between detective and corrective controls and the extent of deviation from the expected standard that is required before the detection triggers the need to apply a corrective control. For example, where we detect a potential overspend of a financial budget, we must consider what the acceptable tolerances are before we take corrective action.

Some control theorists have referred to the idea of ‘anticipatory controls’. These controls are forward looking, similar to directive controls, but they tend to be more long term and strategic in nature; they are controls set in advance of possible future scenarios and their aim is to help the organisation to adapt itself effectively and in good time to those future scenarios, should they occur.

In essence then, the difference between anticipatory and directive controls is that the latter are based on the broad organisation’s present-day internal and external environment, while anticipatory controls anticipate changes to those environments and prepare an organisation for such changes.

Essential reading

Read the first part of Hopkin chapter 22 (pages 238–9), called ‘Hazard risk zones’.

Then read The Orange Book (HM Treasury, 2004: 28), sections 6.2 and 6.3, for a very simple summary of the PCDD.

After that, read the remaining five parts of Hopkin chapter 22 (pages 239–46). As you read these parts, note in particular Hopkin’s hierarchy (or order) for the application of these controls.

RISK IN THE REAL WORLD

Hopkin provides examples from the real world for the use of this hierarchy of controls:

in table 22.2 (page 241), for fraud and health and safety risks
in the case study of a road transport company on page 243.

Activity 6.5

Provide one practical example in your organisation of each of the PCDD responses for a single risk of your choice. Then consider whether your organisation has any anticipatory controls in place – try to find out how important people think anticipatory controls are.

From our discussion of the 4Ts and the PCDD we can conclude that not only can we classify risks into various types of risk, but we can also classify controls!

6.4 Control of selected hazard risks

We now go on to see how we can apply some of the more general theories of control that we have looked at to a range of selected hazard risks. Hopkin gives more detail on the control of particular types of risk, with examples of financial, infrastructure, reputational and marketplace risks from the FIRM scorecard. In general, this section refers to most of Hopkin chapter 23, but we leave out the first part and last part, which we will review in the next section.

Essential reading

You may first wish to remind yourself of the FIRM scorecard by reviewing table 17.2 in Hopkin (pages 183–5) and table 21.2 (page 229), which both describe a range of risks using the FIRM scorecard.

Then read the second to fifth parts of Hopkin chapter 23 (pages 250–9).

6.5 Introduction to monitoring and review

We shall now introduce the stage of the risk management process called ‘monitoring and review’, which you will study in much more detail during module 2 and later, in module 4. Along with other sources, this section refers to the remaining parts of Hopkin chapter 23 that were not covered in the previous section.

Activity 6.6

Firstly, where is ‘monitoring and review’ shown in the various risk management standards? Look at the IRM (2002) risk management standard in figure 6.1 in Hopkin (page 59), COSO ERM figure 6.3 (Hopkin page 63) and, most importantly, ISO 31000 in figure 6.4 (Hopkin page 65).

Under the title ‘feedback mechanisms’ within the risk management process, Airmic, Alarm, IRM (2010: 9) states that:

‘ISO 31000 recognises the importance of feedback by way of two mechanisms. These are ‘monitoring and review’ of performance and ‘communication and consultation’. Monitoring and review ensures that the organisation monitors risk performance and learns from experience. Communication and consultation is presented in ISO 31000 as part of the risk management process, but it may also be considered to be part of the supporting framework.’

Similarly, The Orange Book (HM Treasury, 2004: 31–3), in chapter 7, describes an activity called ‘reviewing and reporting risks’, in which it encourages staff to review their risk management activities and undertake self-assurance, while also investing in independent reviews and assurance by internal audit, and then reporting all these activities through to audit and risk committees. This demonstrates full accountability of risk management throughout the enterprise.

Chapter 8 of The Orange Book (HM Treasury, 2004: 35–6) then describes an activity called ‘communication and learning’ in which learning specifically takes place, and good practice is disseminated around the organisation, so that full enterprise-wide benefits of risk management can be achieved. To some extent these two process activities combine to provide a simplified summary of ISO 31000’s ‘monitor and review’ and ‘communication and consultation’ activities.

This section focuses on three things that can only be uncovered by monitoring and reviewing our risk management activities:

costs of risk controls (against their benefits)
learning from controls
learning from risk events.

All these activities provide an organisation with a source of valuable knowledge from which it can improve its overall risk management activities.

The cost of risk controls

Although there is a cost to the organisation if a hazard risk materialises, there is also a cost associated with responding to and/or treating the risk. In fact, there is a cost in performing the activities of identifying, analysing and evaluating the risk (risk assessment). The lower the risk appetite becomes, the more risk averse an organisation is, and by implication the lower the acceptable target risk is, so the cost of the response will become greater and greater. However, this will be offset by a reduced exposure (or expected loss) from the risk itself.

So at the inherent level of risk, the total risk exposure of the organisation will be very high, while the cost of response will be zero. As we invest in controls, the total cost of expected risk exposure will decline (it will probably decline quickly at first, since we’ll focus our responses on the most serious risks), but at the same time the total cost of all our risk responses will increase.

At some point the total cost of responses will increase to the point at which it becomes no longer sensible to invest further in risk response, because the reduction in risk exposure will no longer be sufficient to offset the increased cost of control.

The theory of a diminishing level of return from investing in hazard-risk responses is a compelling one, simply because of its logic and because some degree of judgement has to be made on the appropriate point to stop investing in risk responses and start tolerating risk exposure.

The reality, however, is that an accurate cost-benefit analysis of risk management is only likely to be effective some time into an implemented risk management initiative, and that is why monitoring and review becomes an increasingly important activity in our risk management process over time.
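The diminishing-return argument above, carried through as an added worked example (it is not from the study guide or from Hopkin). Starting from an inherent expected loss with no controls, the script adds candidate responses in order of the exposure they remove per unit of cost, records the falling expected loss and the rising cost of response after each step, and stops investing when the next control would cost more than the exposure it removes. The inherent loss figure, the candidate controls, their annual costs and the loss reduction attributed to each are constructed for illustration.

```python
"""Worked illustration of the diminishing-return argument above: keep adding
risk responses while each one removes more expected loss than it costs, then
stop and tolerate the remaining exposure.

This is an added example, not from the study guide or from Hopkin. The
inherent expected loss, the candidate controls, their annual costs and the
loss reduction each delivers are constructed figures for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float     # cost of operating the response per year
    loss_reduction: float  # reduction in annual expected loss (likelihood x impact)


# Constructed: exposure before any response, i.e. at the inherent level.
INHERENT_EXPECTED_LOSS = 1_000_000.0

# Constructed candidate responses (hypothetical figures).
CANDIDATE_CONTROLS = [
    Control("Offline backups", 40_000, 450_000),
    Control("Multi-factor authentication", 30_000, 250_000),
    Control("Security awareness training", 20_000, 80_000),
    Control("24x7 monitoring service", 150_000, 120_000),
    Control("Second data centre", 400_000, 60_000),
]


def plan_responses(inherent_loss, candidates):
    """Greedy selection in order of loss reduction per unit of cost.

    A control is only adopted when the exposure it would remove exceeds its
    cost; beyond that point further spend no longer pays for itself.
    Returns (chosen controls, curve), where curve holds one tuple per step of
    (cumulative response cost, remaining expected loss, total cost of risk).
    """
    remaining = float(inherent_loss)
    spent = 0.0
    chosen = []
    curve = [(spent, remaining, spent + remaining)]
    ranked = sorted(candidates, key=lambda c: c.loss_reduction / c.annual_cost, reverse=True)
    for control in ranked:
        benefit = min(control.loss_reduction, remaining)  # cannot remove more than is left
        if benefit <= control.annual_cost:
            continue  # skip: costs more than the exposure it removes
        chosen.append(control)
        spent += control.annual_cost
        remaining -= benefit
        curve.append((spent, remaining, spent + remaining))
    return chosen, curve


def stopping_point(curve):
    """Index of the step with the lowest total cost of risk (exposure + responses)."""
    return min(range(len(curve)), key=lambda i: curve[i][2])


if __name__ == "__main__":
    chosen, curve = plan_responses(INHERENT_EXPECTED_LOSS, CANDIDATE_CONTROLS)
    for step, (spent, remaining, total) in enumerate(curve):
        label = "inherent" if step == 0 else chosen[step - 1].name
        print(f"{step}: {label:<30} spent {spent:>9,.0f}  "
              f"exposure {remaining:>11,.0f}  total {total:>11,.0f}")
    print("stop after step", stopping_point(curve))
```

With the constructed figures the expensive monitoring service and the second data centre are both left out: each would reduce exposure, but by less than it costs, which is exactly the point at which the text says we should start tolerating the residual risk. In practice the `loss_reduction` figures are the uncertain part, which is why the text goes on to say that an accurate cost-benefit analysis only becomes possible after a period of monitoring and review.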

If a risk manifests itself in its expected way, the control might be fully effective, but if a risk manifests itself in ways other than the most expected way, the effect of the control might be much less certain and indeed it might not help to mitigate the risk at all; it might even exacerbate it.

Writers on the laws of unintended consequences argue that all risk responses will produce side-effects on organisations, in a similar way that medical drugs have side-effects on patients. Thus a response to reduce one risk’s exposure might result in an increase in exposure to another risk. Exactly how bad (or good) the side effect will be is often not immediately obvious.

This subject leads us into the area of risk assurance and the work undertaken by internal audit in independently reviewing the efficiency and effectiveness of controls. This is an important area and you should be comfortable that you understand the contribution made by internal audit activities to the successful management of risk. The internal audit activities will be considered in more detail in module 2.

Essential reading

Read the first part of chapter 23 in Hopkin (pages 247–50), on ‘Cost of risk controls’, which defines monitoring and review and considers the cost of risk management in relation to its benefits. Hopkin then moves on to consider the cost-benefit analysis of controls.

Activity 6.7

Consider how you determine the value for money of risk management in your organisation. Is there a consistent evaluation and when does the evaluation of cost-benefit take place? Who makes the final decision?

Learning from critical controls

When we first plan and implement a control, we do not know how effective it will be in managing the risk. The range of possible residual risk outcomes could be quite wide and unpredictable. Monitoring and reviewing our controls can help us better understand their effectiveness, thus enabling us to redesign them in a more effective manner to ensure more predictable residual risk outcomes.

When we review a control we need to answer two questions:

Is the control we chose to implement really the best control for the risk?
Is that control effective in practice?

We could add a third question:

Does the control provide good value for money?

Monitoring and review enables learning and improvement in our risk management activities, and that is its primary purpose.

As with the cost of developing and implementing responses, we must also note that there are additional costs that we must pay for monitoring, reviewing, learning and improving our responses. With finite resources, we cannot constantly monitor and review all our controls.

So, which of our controls is it most important to learn from? Critical controls are those that reduce the organisation’s most critical risks. If these controls are not effective there could be major consequences and impacts for the business, so it is important to monitor, review, learn and improve these critical controls more frequently than is the case for other, less critical controls.

Monitoring and review should not just be limited to learning from controls. Indeed, most of the risk management standards indicate that we can (and should) apply learning to the whole process and framework of risk management. Some of the learning benefits of undertaking reviews of the whole risk management process include:

To ensure our responses are effective and efficient, including the identifying and closing of any holes or gaps in our control defences.
To identify and manage potential adverse side effects and unintended consequences of our responses.
To build up knowledge to improve risk identification and analysis.
To better link risks to objectives, key dependencies, core processes and stakeholder expectations.
To detect and prepare for changes in our internal or external context.
To detect and prepare for changes and trends in our risks.
To identify and prepare for new and emerging risks.
To identify good risk management practice, build on it and disseminate it to other parts of the organisation.

Learning from risk events

Our final discussion on learning relates to the monitoring and review of actual events that can take place in any organisation: risk incidents and near misses. You will study more about learning from risk events in the final unit of module 2.

If a risk incident actually takes place, there is much we can learn from the event itself. Similarly, if a particular risk has been managed especially well, the lessons we learn can be applied as good practice exemplars to be transferred to other, less risk-mature parts of the organisation.

We can also learn lessons from a review of near-miss incidents. A near miss could be described as a crystallisation of a risk that does not result in significant impact, but could have done (the impact could have been positive or negative).

Examples of negative near-miss incidents include:

A small fire that was detected early enough to prevent any damage.
A small fraud that was detected before money was lost.
A plane that makes an emergency landing.
A disaster that affects a competitor but which could, just as easily, have affected us (think of the lessons to be learned by other oil and gas companies following the BP Deepwater Horizon event in 2010).

By reviewing the near-miss event we can understand better:

Why it occurred.
Whether we had previously identified it as a possible risk.
Why it did not have a big impact.
Whether we had correctly analysed its likelihood and impact.

In summary then, risk incidents provide the greatest opportunity for learning and improving our risk management framework and, since the range of risks and controls within an organisation is so vast, there is constant opportunity for learning and improvement.

Essential reading

Read the final part of chapter 23 in Hopkin (pages 259–62) on ‘Learning from controls’, which explains in more depth how to learn from the controls we employ.

Activity 6.8

A hospital finds that a cause of higher patient deaths is ambulances failing to reach emergency patients in sufficient time. The hospital manager’s response to this risk is to issue an instruction that ambulance drivers must reach emergency patients in less than eight minutes if they are to have a reasonable chance of survival. Identify some of the possible unintended consequences of this risk response.

Try to identify a near-miss event in your organisation’s history. What were the reasons for the impact of that risk being much less severe than it could have been? Was it good risk management or good luck? What lessons did your management learn for the future?

RISK IN THE REAL WORLD

As we near the end of our travels through the risk management process, take a look at the case study in Hopkin (pages 272–3) to see how the Nationwide Building Society undertakes its risk management and control activity. As you read the case study, look for evidence of risk identification, analysis, treatment and monitoring and review.

6.6 Insurance and risk transfer

We now move on to consider aspects of insurance, risk financing and other mechanisms of the risk transfer element of the 4Ts, covering the main classes of insurance. In general, this section refers to Hopkin chapter 24. We give an introduction here – you will cover the subject in much more detail in module 4.

The importance of insurance

The fundamental principle of insurance is indemnity. The insured organisation makes a contract with the insurer for an insurance policy that provides indemnity for insured events, which will put the insured back in the position (at least financially) as if the loss had never occurred.

There are advantages and disadvantages of insurance, which enable an organisation to make a decision on whether the insurance option is a suitable one for a particular risk. Sometimes a company will self-insure by establishing its own insurance company subsidiary, referred to as a captive insurance company. As you might expect, there are both advantages and disadvantages with the captive form of insurance.

The following are examples of different types of insurance, in three main categories:

legal and contractual obligations
balance sheet/profit and loss protection
employee benefit/protection of employee assets.

Many insurance policies will be compulsory, mostly those which are liability classes, though these will vary from country to country.

Essential reading

Read the whole of chapter 24 in Hopkin (pages 263–72). As you read, make sure you understand the principle of how insurance works, the difference between first party and third party insurance, and the advantages and disadvantages of captive insurance.

RISK IN THE REAL WORLD

Hopkin’s table 24.2 (page 265) provides a checklist that you can follow for the types of insurance cover you might wish to buy, depending on the specific characteristics of your organisation. Earlier, Hopkin (page 262) explains how the development of insurance grew rapidly, following the effects of the great Chicago fire in 1871.

Learning activity 6.9

Talk to the people responsible for insurance in your organisation and ask them how they determine the value for money for the insurance service your organisation receives.

6.7 Business continuity planning

We will end this unit by looking at another specialist area of risk management: business continuity planning (BCP), within the broader concept of business impact analysis, disaster recovery planning and civil emergencies.

No matter how sound our controls are, no matter how many layers of control we have to protect a core process, there is always the possibility that our preventive controls will fail because of gaps or deficiencies. Should that occur, we must be able to recover quickly and efficiently from any incident, and this is what business continuity planning is all about. As was the case for the subject of insurance, we only give an introduction to BCP here – you will cover the subject in much more detail in module 4.

BCP is all about planning in advance of a disaster; an organisation must be prepared for a crisis. When a disaster is about to strike, it will be too late to think about preventing it, and while the crisis is running its course the situation is likely to be too chaotic to effectively mitigate the consequences. So BCP should be considered as a specific type of risk treatment, because it has the purpose of allowing an organisation to continue operating with minimal disruption.

Some examples of events that can threaten business continuity include:

major fires/explosions
IT failures
power/water outages
fuel shortages
severe weather or other natural disaster
loss or absence of key staff
terrorist incident
loss of key supplier or raw material
breakdown or loss of key equipment.

These events tend to have a low likelihood of occurring but an extremely high impact on the organisation if they do. So, although some IT failures are quite common and rarely result in any major impact, very rarely a major IT disaster could result in a significant loss of data or operating capability severe enough to interrupt normal business operations for a considerable time. Similarly, while bad weather is usually an inconvenience, sometimes it can be devastating.

The particular circumstances of an organisation might make it more susceptible to one continuity risk than another (in other words, the likelihood, although low, will be slightly higher).

For example, an IT consultancy organisation located near the San Andreas Fault in California might be more at risk from earthquakes than an oil and gas business located in Texas. However, the oil and gas business might be more at risk from fire or explosions or, due to its location, hurricanes. Meanwhile, an organisation manufacturing a complex product using materials from a complex web of suppliers and subcontractors might find itself more vulnerable than average to the loss of a key supplier, while the Californian consultancy is more vulnerable than average to the loss of key people.

A special component of BCP may focus on IT continuity planning; this is commonly called ‘disaster recovery’ and is set out in a disaster recovery plan.

The three components to BCP can be listed as:

To prepare for a crisis.
To manage a crisis as soon as possible after it happens and minimise the immediate damage.
To recover from the crisis efficiently and effectively.

You should consider and understand how the three components of BCP enable an organisation to consider resilience to disaster using a PCDD approach: first, do all you can to prevent a crisis; then detect it early; and then correct it effectively through a range of directed activities.

As Hopkin explains on page 193, the new business continuity standard, ISO 22301, has now replaced BS 25999 and you should become familiar with the main requirements of this new ISO standard. Consider the example of the flu pandemic of 2009 to illustrate the importance of business continuity planning. What arrangements do you think should be put in place by an engineering firm on a large industrial estate?

Essential reading

Read the first part of chapter 18 in Hopkin (pages 190–2) titled ‘Business continuity management’. When you reach figure 18.1 on page 192 go forward briefly and look at pages 196–7, in which the diagram is applied to a broadcasting organisation.

RISK IN THE REAL WORLD

Hopkin describes, on page 196, the possible continuity responses that organisations could plan for, should the world be affected by a pandemic.

Business impact analysis

You should become familiar with what business impact analysis (BIA) means and why it is important. In effect, it is an analysis stage in the BCP cycle, where we analyse the effect of an interruption to our key dependencies and core processes.

The major benefit of a BIA approach is that our focus becomes less on the events that could cause a major disruption to our organisation, and more on identifying the critical parts of our organisation and then prioritising our BCM towards striving to protect these critical parts from any event that could disrupt or destroy them.
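The BIA idea above, put into code as an added example that is not part of the study guide or of Hopkin’s text. Rather than listing disruptive events, the script starts from the core processes and the key dependencies each one relies on (including dependencies that rely on other dependencies), works out which processes would stop if a given dependency were lost, and ranks the dependencies by the combined hourly loss of the processes they would take down. Every process, dependency and loss-per-hour figure is a constructed assumption.

```python
"""Business impact analysis as an added, constructed example (not from the
study guide or from Hopkin): rank key dependencies by the hourly impact of
the core processes that stop when that dependency is lost, so that continuity
effort is prioritised towards the critical parts of the organisation rather
than towards individual disruptive events.

All processes, dependencies and loss-per-hour figures below are assumptions.
"""

# Constructed core processes with an assumed cost per hour of interruption
# and the key dependencies each one relies on directly.
CORE_PROCESSES = {
    "order capture":    {"loss_per_hour": 25_000, "depends_on": {"web platform", "payment gateway"}},
    "fulfilment":       {"loss_per_hour": 15_000, "depends_on": {"warehouse system", "courier contract"}},
    "payroll":          {"loss_per_hour": 2_000,  "depends_on": {"hr system"}},
    "customer support": {"loss_per_hour": 4_000,  "depends_on": {"web platform", "telephony"}},
}

# Constructed: dependencies that themselves rely on other dependencies.
DEPENDENCY_GRAPH = {
    "web platform": {"primary data centre", "identity provider"},
    "payment gateway": {"identity provider"},
    "warehouse system": {"primary data centre"},
    "hr system": {"primary data centre"},
    "courier contract": set(),
    "telephony": set(),
    "primary data centre": set(),
    "identity provider": set(),
}


def closure(direct, graph):
    """All dependencies reachable from the given set, following the graph transitively."""
    seen = set()
    stack = list(direct)
    while stack:
        item = stack.pop()
        if item in seen:
            continue
        seen.add(item)
        stack.extend(graph.get(item, ()))
    return seen


def affected_processes(lost, processes, graph):
    """Core processes that stop if the named dependency is lost."""
    return sorted(name for name, p in processes.items()
                  if lost in closure(p["depends_on"], graph))


def rank_dependencies(processes, graph):
    """Rank every dependency by the combined hourly loss of the processes it would stop.
    Returns a list of (dependency, hourly_impact, affected processes), most critical first;
    ties are broken alphabetically so the order is stable."""
    ranked = []
    for dep in graph:
        hit = affected_processes(dep, processes, graph)
        impact = sum(processes[name]["loss_per_hour"] for name in hit)
        ranked.append((dep, impact, hit))
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


if __name__ == "__main__":
    for dep, impact, hit in rank_dependencies(CORE_PROCESSES, DEPENDENCY_GRAPH):
        print(f"{dep:<22} {impact:>8,} per hour  stops: {', '.join(hit)}")
```

The ranking surfaces what an event-by-event view tends to hide: with these constructed figures the identity provider, which no process names directly, carries as much hourly impact as the web platform because everything that authenticates through it stops with it. Those shared, indirect dependencies are the critical parts the text says BCM should be prioritised towards.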

There are certain compliance issues associated with BCP, which are becoming an increasing concern for the public and government sectors, which have growing legal and regulatory obligations for sound continuity planning.

BCP can be considered to be a very important component of loss control. Business continuity planning is related to the area of cost containment, and BCP can also be linked to damage limitation, although BCP is generally not considered to be linked to loss prevention.

The example of BP’s Deepwater Horizon oil spill disaster of 2010 provides a case study of where the business appeared to be unprepared, from the point of view of BCP, especially in terms of damage limitation.

There is also a link between BCP and insurance, and a wider relationship between insurance, cost containment and BCP. Insurance companies have increasingly offered cost containment policies that focus on providing the necessary finance to an organisation to allow it to recover quickly following some form of crisis, disaster or other critical impact.

Indeed, if an organisation has adequate BCPs in place, it is likely that insurance premiums will be lower and so will any claims that arise. Because of the settlement delays that inevitably occur following a claim, every business should ensure its BCP offers sufficient assurance to guarantee minimum disruption following an event.

Essential reading

Read the parts of chapter 18 in Hopkin (pages 193–8), titled ‘Business continuity standards’, ‘Successful business continuity’ and ‘Business impact analysis’.

Learning activity 6.10

Think about this in the context of your organisation. What are your organisation’s core activities that you could not afford to lose? What type of event could seriously disrupt the continuity of your organisation?

Think of BCM not just for the organisation as a whole, but specifically for your risk management activities. Where are your risk team’s (or your risk department’s) highest likelihood continuity risks, and what are you doing about them in order to ensure that the service of the risk team can be maintained in a crisis?

Essential reading

Read the final two parts of chapter 18 in Hopkin (pages 198–9), titled ‘Business continuity and ERM’ and ‘Civil emergencies’, which discuss the same themes, but in more detail.

RISK IN THE REAL WORLD

At the beginning of his text (page 44), Hopkin demonstrates just how integrated ERM and BCP are with reference to a pharmaceutical group. This looks at potentially catastrophic events as the first level of risk identification.

Self-assessment questions

1 Which one of the following best describes a risk prior to any risk treatment?
a) Residual risk
b) Target risk
c) Current risk
d) Gross risk.

2 Which one of the following options from the 4Ts of hazard risk management would not result in a reduction in risk severity?
a) Terminating the source of the risk
b) Treating the risk
c) Transferring the risk
d) Tolerating the risk.

3 Which one of the following types of control is a fire insurance policy a good example of?
a) Preventive
b) Corrective
c) Directive
d) Detective.

4 Which one of the following outcomes does a fire alarm produce as a risk treatment in the case of a fire?
a) Reduce likelihood but not impact
b) Reduce impact but not likelihood
c) Reduce both impact and likelihood
d) Reduce neither impact nor likelihood.

5 Which of the following scenarios is an anticipatory response relevant to?
a) Emerging future situations
b) Providing clear guidelines for risk treatment
c) A type of preventive control
d) The activity of learning and improving the risk management process.

6 Which one of the following types of risk is ‘accept’ a suitable response to?
a) Operational risk
b) Tactical risk
c) Business continuity risk
d) Opportunity risk.

7 Which one of the following types of risk can a ‘fifth T’ be used as a response to?
a) Hazard risk
b) Operational risk
c) Business continuity risk
d) Opportunity risk.

8 Which one of the following outcomes is the initial treatment of risk in an organisation not likely to result in?
a) Reduce the inherent risk
b) Reduce the high-level severity risks
c) Reduce the medium-level severity risks
d) Reduce the overall risk exposure.

Further reading

IRM’s ORC (2014) has a section called ‘Specialist risk areas’, with subsections on insurance and business continuity.

No system of control guarantees the elimination of risk and the achievement of objectives. Reason (2000) describes the ‘Swiss cheese’ model, which shows that, no matter how many layers of control and risk response we employ, there is always the possibility that disaster might strike.

If you are interested in the subject of insurance, including its background, history and types of policies, you could search Wikipedia for its article on ‘Insurance’. Further information on captives is also available on Wikipedia under ‘Captive insurance’. (See references section under ‘Wikipedia’ for direct links.)

You may also wish, if you are interested, to look briefly at Business Continuity Institute (2013). It provides a six-stage business continuity management plan, which is compatible with ISO 22301.

For those who would like to see another business continuity standard based around ISO 31000, there is the AS/NZS 5050:2010, a summary of which can be found in CompliSpace (2011).

Feedback to activities

Activity 6.1

The Orange Book (HM Treasury, 2004) describes risk treatment as ‘addressing risks’ in its chapter 6. The Orange Book is referred to several times in this unit, as it goes through the subject of the 4Ts and PCDD.

The IRM (2002) process (Hopkin, 2014: 59) includes a special section on risk treatment, which it defines, on page 7 of the standard, as “the process of selecting and implementing measures to modify the risk”.

Referring to the COSO ERM (2004) model (Hopkin, 2014: 63), we can see that “risk treatment” can be accommodated in the following two stages of the process, which are taken from the original executive summary (COSO, 2004: 4):

‘Risk response: Management selects risk responses – avoiding, accepting, reducing, or sharing risk; developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.

Control activities: Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.’

Finally, the 8Rs and 4Ts process (Hopkin, 2014: 41) describes risk treatment as “responding to risks” using the 4T approach.


Activity 6.2

It is of course the risk appetite. It tells us not only whether to treat a risk, but also when to stop treating it. Referring to the scenario presented in figure 15.3 in Hopkin (2014: 166), do you think this is likely to be risk aggressive or risk averse in relation to the risk presented?

Activity 6.3

This is a useful exercise to reinforce your learning of the differences between each of the 4Ts. You should find it quite easy to identify a “treat” since, as Hopkin says, this is the most common form of response. But you might find it harder to detect a “terminate”, since by implication this is something that is likely to have happened in the past; moreover, people might regard it not as a defensive withdrawal as a result of high risk, but as a positive decision to take advantage of an opportunity.

Activity 6.4

You might find that you have a specific set of procedures for dealing with project activities, including their management of risks, that is distinct from operational activities; you might also well find that the project procedures focus more on project hazards than on project opportunities.

However, it is highly likely that strategic level risk management will be a separate activity, and possibly an informal one, led by the board of directors. Perhaps your best way of answering this question is to see if you have any procedures which cover strategic level risks.

Activity 6.5

In the case of fraud risk, a detective control could be a review of new suppliers set up by staff on the organisation’s accounting system, to try to detect any false or ghost suppliers to which money could be channelled. Another example would be the encouragement of confidential whistleblowing arrangements and fraud hotlines.
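The new-supplier review just described is the kind of detective control that can be automated. The following is an added example written for this edition of the page, not code from the IRM study guide or from any accounting product: it reviews recently created supplier master records and flags the indicators an internal auditor would look for in a ghost-supplier review: a supplier whose bank account or address matches an employee’s, two suppliers sharing one bank account, and (going slightly beyond the text, as a segregation-of-duties check) a supplier created and approved by the same user. The record layout, field names and sample data are constructed assumptions.

```python
"""Ghost-supplier review over new supplier master records.

Added example (not from the IRM study guide): a detective control that
reviews suppliers recently created on an accounting system and flags
indicators of false or ghost suppliers. The record layout, field names
and the sample data below are assumptions constructed for illustration.
"""
from collections import defaultdict
import re


def normalise(text: str) -> str:
    """Lower-case and strip punctuation and whitespace so near-identical
    bank details and addresses compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


# Constructed sample data (assumed field names, not a real layout).
EMPLOYEES = [
    {"id": "E100", "name": "J. Smith", "bank": "20-00-00 11112222",
     "address": "14 Elm Road, Reading RG1 1AA"},
    {"id": "E101", "name": "A. Patel", "bank": "20-00-00 33334444",
     "address": "7 Oak Street, Slough SL1 2BB"},
]

NEW_SUPPLIERS = [
    # Bank account identical to employee E100: classic ghost supplier.
    {"id": "S901", "name": "Elm Consulting Ltd", "bank": "20-00-00 11112222",
     "address": "PO Box 91, Reading", "created_by": "E100", "approved_by": "E101"},
    {"id": "S902", "name": "Acme Stationery", "bank": "40-12-34 55556666",
     "address": "1 Mill Lane, Bristol BS1 3CC", "created_by": "E101", "approved_by": "E102"},
    # Address matches employee E101 and the same user created and approved it.
    {"id": "S903", "name": "Oak St Services", "bank": "40-12-34 77778888",
     "address": "7 Oak Street Slough SL1 2BB", "created_by": "E101", "approved_by": "E101"},
    # Near-duplicate of S902 paying into the same account.
    {"id": "S904", "name": "Acme Stationary", "bank": "40-12-34 55556666",
     "address": "1 Mill Lane, Bristol BS1 3CC", "created_by": "E103", "approved_by": "E102"},
]


def review_new_suppliers(suppliers, employees):
    """Return a sorted list of (supplier_id, indicator) findings for review."""
    findings = set()
    emp_banks = {normalise(e["bank"]): e["id"] for e in employees}
    emp_addrs = {normalise(e["address"]): e["id"] for e in employees}

    # Index suppliers by normalised bank account to spot shared accounts.
    by_bank = defaultdict(list)
    for s in suppliers:
        by_bank[normalise(s["bank"])].append(s["id"])

    for s in suppliers:
        bank = normalise(s["bank"])
        addr = normalise(s["address"])
        if bank in emp_banks:
            findings.add((s["id"], f"bank account matches employee {emp_banks[bank]}"))
        if addr in emp_addrs:
            findings.add((s["id"], f"address matches employee {emp_addrs[addr]}"))
        if len(by_bank[bank]) > 1:
            others = ",".join(sorted(x for x in by_bank[bank] if x != s["id"]))
            findings.add((s["id"], f"bank account shared with {others}"))
        # Segregation-of-duties check: assumed policy, not from the study guide.
        if s["created_by"] == s["approved_by"]:
            findings.add((s["id"], "created and approved by same user"))
    return sorted(findings)


if __name__ == "__main__":
    for supplier_id, indicator in review_new_suppliers(NEW_SUPPLIERS, EMPLOYEES):
        print(f"{supplier_id}: {indicator}")
```

In practice the review would run on a schedule over suppliers created since the last run, with the findings passed to internal audit or the fraud team rather than acted on automatically, since a match is an indicator to investigate, not proof of fraud.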

A preventive control could be suitable vetting of candidates’ backgrounds at the job interview stage, or a range of penalties that could be invoked against any members of staff found to be defrauding the company, thus reducing the incentive to commit fraud.

A corrective control might be found in media handling activities designed to mitigate any reputational damage that might arise, or in bringing in the police to take charge of the fraudsters in order to remove the cause of the fraud from the business.

A directive control could be a document setting out the procedures to adopt either to discourage fraud or to invoke if fraud is suspected.

Look at the fraud risk responses in your organisation; it is highly likely that a full range of responses exists, since fraud is a ubiquitous risk from which no organisation is immune. Speak to your internal auditor, because fraud risk is one of the major areas that internal audit looks at, or look at your organisation’s fraud policies (a directive control) to get an idea of the full set of fraud responses.

You could of course try to apply PCDD to any major area of risk in your organisation, such as health and safety risk, or consider PCDD for a major project in your business, such as a new computer system.

As for anticipatory controls, have a look to see if there are any procedures in place for anticipating a complete change in the business model for the future. Going back to the relevant section of the study guide, you will know that anticipatory controls relate to preparing for a changing future rather than managing the present.

Activity 6.6

Most risk management standards have something to say on monitoring and review as a tool to enable learning and improvement in risk management activities. Monitoring and review is the last stage of the risk management process that we shall discuss in this module.

Activity 6.7

Many businesses will find it much easier to estimate the cost of risk management than the benefits that come from managing risks.

The costs are here and now. We can estimate much of them from the amounts we spend on staff who spend time managing risks, administering the ERM framework and providing assurance, and from the payments for running controls or for insurance. So while the total cost of risk might not be too difficult to calculate, the cost of managing individual risks will be much harder to compute, because of the need to allocate those total costs to the management of individual risks. (Think, for example, how you would allocate your time across all of the individual risks that the organisation faces.)

Assessing the benefits of risk management is more elusive than assessing the costs, because risks are future events: they may never actually occur (in which case the value of the control is zero). Moreover, it may be impossible to calculate how much any individual control helped to reduce the likelihood or impact of a risk, since you never know what would have happened if the risk had occurred and you had no controls in place. Nor can you isolate the individual contribution of one control if one risk is managed by several controls.

Whether or not the risks occur, the sense of assurance that people feel that things are under control is very valuable, but it is also very hard to calculate.

It is therefore most likely that the weighing of the risk cost-benefit scales is an intuitive one, like so much in risk management.

Speak to your organisation’s internal auditor (if you have one) and try to find out if a value for money review has ever been undertaken.

Activity 6.8

This real example from the healthcare sector of a western country led to many unintended consequences. First, it encouraged ambulance drivers to drive dangerously if they were in danger of failing to hit the time deadline.

Second, ambulance drivers might give up trying to reach a patient once they knew they were unlikely to hit the eight-minute target: arriving after one hour was no worse a performance than arriving at eight minutes and one second.

Third, it encouraged the falsification of records. For example: (i) patients living close to the ambulance station were more likely to be classified as emergencies; or (ii) a deliberate delay in logging calls would give ambulance drivers an early start before the clock began.

Fourth, it failed to take account of driving conditions: heavy snow in the rush hour would undoubtedly result in poorer performance than clear conditions early in the morning on a quiet national holiday.

Activity 6.9

The cynic might say that your organisation’s insurance function needs a good portfolio of insurance products in order to maintain its purpose in the organisation, so treat what they say with some degree of caution.

So you could go one stage further and ask them about the situations where the organisation has made claims to the insurers in the past, and what might have happened to the business had those claims not been met.

Do you see any evidence of overkill in risk treatment? In other words, do you feel there are some risks where insurance seems less cost effective because you believe the organisation already adequately manages those risks in-house?

Another thing you could do is to check whether there has ever been an internal audit review of the insurance function, and try to get a copy of the report and any recommendations that followed.

Activity 6.10

In focusing on your organisation, you should ask the additional question: which of these sets of risks is likely to be most common? If your business handles flammable chemicals in a dry region of the world, then a catastrophic fire risk is probably more likely than a catastrophic flood risk.

In focusing on the risk function itself, the catastrophic fire risk might be less likely than the catastrophic risk of disruption resulting from multiple staff absences all occurring at the same time due to a flu outbreak. Another continuity risk could result from a catastrophic failure of your risk management software.

Answers to self-assessment questions

1-d (Gross risk, which is also known as inherent risk)

2-d (Tolerating a risk does not result in any reduction in severity, as we are tolerating the risk at its present level)

3-b (Corrective control, because it helps to correct a problem)

4-d (It reduces neither impact nor likelihood, because without any further response (normally a corrective control) the alarm will just ring; nothing else will automatically happen to reduce the impact of the fire, such as the use of an extinguisher or the evacuation of staff, which are corrective controls)

5-a (Emerging future situations, because it is about being able to anticipate change and provide a route map to respond to it successfully)

6-b (Tactical risk, because ‘accept’ is one of the 4A responses described in Hopkin, 2014: 234)

7-d (Opportunity, which comes from The Orange Book and is all about taking the opportunity (HM Treasury, 2004: 28))

8-c (The initial treatment will not focus on reducing medium severity risks, because it will focus first on reducing the highest level risks, which pose the greatest business danger. Only once those have been dealt with will we turn our attention to medium level risks)

References

Accenture (2011) Report on the Accenture 2011 Global Risk Management Study. Accenture Risk Management. Available at: https://www.rims.org/resources/ERM/Documents/Accenture_Global_Report%202011.pdf

Adams, J (2003) in R Ericson and A Doyle (eds) Risk and Morality. University of Toronto.

Adams, J (2007) ‘Risk Management: It’s Not Rocket Science – It’s Much More Complicated’, Public Risk Forum, May 2007. Valby, Denmark: European Institute for Risk Management in collaboration with PRIMO (Public Risk Management Organisation) Europe. Available at: http://www.eirm.com/en/Who%20We%20Are/~/media/Business%20Card/Articles%20%20EIRM/Publications%20by%20EIRM/PRF%20May%202007.ashx

Adams, J (2011) ‘Not 100% sure? The ‘public’ understanding of risk’, in DJ Bennett and RC Jennings (eds) Successful Science Communication. Cambridge: Cambridge University Press. Available in unpublished proof form at: http://www.john-adams.co.uk/wp-content/uploads/2006/08/risk-communication.pdf

Airmic/Alarm/IRM (2010) A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000. London: Association of Risk Managers/Public Risk Management Association/Institute of Risk Management. Available at: http://www.theirm.org/media/886062/ISO3100_doc.pdf

BBC News (2007) ‘Rock risks ‘were not foreseeable’’, 16 October 2007. London: BBC News. Available at: http://news.bbc.co.uk/1/hi/business/7046959.stm

Bernstein, PL (1996) ‘The New Religion of Risk Management’, Harvard Business Review, March 1996. Boston, Massachusetts: Harvard Business Publishing. Available at: https://hbr.org/1996/03/the-new-religion-of-risk-management

Business Continuity Institute (2013) Good Practice Guidelines 2013 Global Edition Edited Highlights: A Guide to Global Good Practice in Business Continuity. Reading, Berkshire: Business Continuity Institute. Available at: http://www.bcifiles.com/GPGLite.pdf

Cadbury Committee (1992) Report of the Committee on the Financial Aspects of Corporate Governance. London: Gee/Professional Publishing Ltd. Available at: http://www.ecgi.org/codes/documents/cadbury.pdf

Caldwell, JE (2012) A framework for board oversight of enterprise risk. Toronto: Chartered Professional Accountants Canada.

CGMA (2014) ‘Porter’s Five Forces of Competitive Position Analysis’. Chartered Global Management Accountant. Available at: http://www.cgma.org/Resources/Tools/essential-tools/Pages/porters-five-forces.aspx

Charity Commission (2010) Charities and Risk Management. London: Charity Commission. Available at: http://www.charitycommission.gov.uk/media/94007/cc26text.pdf

Chesshire, J (2009) Corporate Governance and Risk Management. London: Chartered Institute of Internal Auditors.

CIIA (2005) An approach to implementing risk based internal auditing. London: Chartered Institute of Internal Auditors. This guide sets out an approach that may be used to implement risk based internal auditing (RBIA). Access to this document is for IIA members only.

CII (2012) Future Risk: Learning from History. London: Chartered Insurance Institute. Available at: http://www.cii.co.uk/media/1756409/cii_future_risk_learning_from_history_final_web.pdf

CompliSpace (2011) ‘Australian Business Continuity Management Standard AS/NZS 5050:2010 – A Risk Perspective’. CompliSpace. Available at: http://complispace.wordpress.com/2011/03/24/australian-business-continuity-management-standard-asnzs-50502010-a-risk-perspective/

COSO (2004) Enterprise Risk Management: Integrated Framework, Executive Summary. Committee of Sponsoring Organizations of the Treadway Commission. Available at: http://www.coso.org/documents/coso_erm_executivesummary.pdf

COSO (2010) COSO’s 2010 Report on ERM: Current State of Enterprise Risk Oversight and Market Perceptions of COSO’s ERM Framework. Committee of Sponsoring Organizations of the Treadway Commission. Available at: http://www.coso.org/documents/COSOSurveyReportFULL-Web-R6FINALforWEBPOSTING111710.pdf

COSO (2011) Embracing Enterprise Risk Management: Practical Approaches for Getting Started. Committee of Sponsoring Organizations of the Treadway Commission. Available at: http://www.coso.org/documents/EmbracingERM-GettingStartedforWebPostingDec110_000.pdf

COSO (2013) Internal Control – Integrated Framework, Executive Summary. Committee of Sponsoring Organizations of the Treadway Commission. Available at: http://www.coso.org/documents/990025P_Executive_Summary_final_may20_e.pdf

COSO (2014) Improving organizational governance and performance: How the COSO frameworks can help. Committee of Sponsoring Organizations of the Treadway Commission. Available at: http://www.coso.org/documents/2014-2-10-COSO%20Thought%20Paper.pdf

Entsgo (undated) Risk Management – Pure Risk and Speculative Risk Explained. Austin, Texas: Entsgo. Available at: http://www.entsgo.com/Content/Technology/RiskManagement2.pdf

Gigerenzer, G (2011) ‘Statistical Illiteracy Endemic in Healthcare’, in Risk Management Professional, March 2011. London: Institute of Risk Management. Available at: http://dev4.vm1-host0592.cammail.net/content/features/statistical-illiteracy-endemic-healthcare

HM Treasury (2004) The Orange Book: Management of Risk – Principles and Concepts. London: HM Treasury. Available at: http://hm-treasury.gov.uk/orange_book.htm

Holmquist, E (2014) ‘Don’t confuse risks with risk sources: Sources are causes, risks are effects’. ABA Banking Journal. Available at: http://www.bankingexchange.com/news-feed/item/4348-don-t-confuse-risks-with-risk-sources

Holton, GA (2004) ‘Defining Risk’, Financial Analysts Journal, vol. 60, no. 6. Charlottesville, Virginia: CFA Institute. Available at: http://glynholton.com/wp-content/uploads/2006/10/risk.pdf

Hopkin, P (2014) Fundamentals of Risk Management. London: Kogan Page.

IIA (2009) Knowledge Alert: Internal Auditing and Risk Management, October 2009. Altamonte Springs, Florida: Global Audit Information Network (GAIN), Institute of Internal Auditors. Available at: http://www.acl.com/images/blog/Recent_Impacts_on_the_Staffing_and_Sourcing_of_North_American_Internal.pdf

IIRC (2013) The International <IR> Framework, December 2013. International Integrated Reporting Council. Available at: http://www.theiirc.org/wp-content/uploads/2013/12/13-12-08-THE-INTERNATIONAL-IR-FRAMEWORK-2-1.pdf

IRM (2002) A Risk Management Standard. London: Institute of Risk Management. Available at: https://www.theirm.org/media/886059/ARMS_2002_IRM.pdf

IRM (2010) Fundamentals of Risk Management: A Practical Introduction to Enterprise Risk Management and ISO 31000. London: Institute of Risk Management. Available at: https://www.theirm.org/media/886062/ISO3100_doc.pdf

IRM (2011) Risk Appetite and Tolerance: Executive Summary. London: Institute of Risk Management. Available at: http://www.theirm.org/publications/documents/IRMRiskAppetiteExecSummaryweb.pdf

ISO (2009) ISO 31000 Risk Management – Principles and Guidelines. Geneva: International Organization for Standardization. Available (at a cost) at: http://www.iso.org/iso/home/standards/iso31000.htm

ISO (2009) ISO Guide 73:2009, Risk management – Vocabulary. Geneva: International Organization for Standardization. Available (at a cost) at: http://www.iso.org/iso/catalogue_detail?csnumber=44651

Jeynes, J (2002) Risk management: 10 principles. Oxford: Butterworth-Heinemann. Available at: http://ghalenoy.persiangig.com/BOOK/Risk_Management_-_10_Principles.pdf/download

Knight, F (1921) Risk, Uncertainty, and Profit. Boston, MA: Hart, Schaffner & Marx; Houghton Mifflin Co. Part III.VII, The Meaning of Risk and Uncertainty. Available at: http://www.econlib.org/library/Knight/knRUP.html

Kloman, HF (2010) ‘A brief history of risk management’, in J Fraser and BJ Simkins (eds) Enterprise Risk Management. Hoboken, New Jersey: John Wiley & Sons, Inc.

KPMG (2006) ERM: Enterprise Risk Management: Complacency Is No Longer an Option, but a Practical Start Is. Available at: http://www.kpmg.com/lu/en/services/advisory/regulatory-consulting/regulatoryriskandcompliance/governanceandriskmanagement/documents/erm-complacency-no-longer-an-option.pdf

Lam, J (2003) Enterprise Risk Management: From Incentives to Controls. John Wiley & Sons. ISBN: 978-0-471-43000-1.

Mikes, A, and Kaplan, RS (2014) Towards a Contingency Theory of Enterprise Risk Management (Working Paper 13-063, 13 January 2014). Harvard Business School. Available at: http://www.hbs.edu/faculty/Publication%20Files/13-063_5e67dffe-aa5e-4fac-a746-7b3c07902520.pdf

Mind Tools (undated) ‘Cause and Effect Analysis: Identifying the Likely Causes of Problems’. London: Mind Tools Ltd. Available at: http://www.mindtools.com/pages/article/newTMC_03.htm

ORC (2014) ‘Online Resource Centre’. London: Institute of Risk Management. Available at: https://www.theirm.org/knowledge-and-resources/online-resource-centre.aspx

ourcommunity.com.au (undated) ‘Establishing a context for risk management in your organisation’. Melbourne, Victoria: Our Community Pty Ltd. Available at: https://www.ourcommunity.com.au/insurance/view_help_sheet.do?articleid=339

Praxiom (2013) ‘ISO 31000 2009: Plain English Introduction’. Edmonton, Alberta: Praxiom Research Group Ltd. Available at: http://www.praxiom.com/iso-31000-intro.htm

PricewaterhouseCoopers (2009) Maximizing internal audit: A 10-step imperative for thriving in a challenging economy. Available at: http://www.pwc.com/us/en/internal-audit/assets/maximizing-internal-audit.pdf

Reason, J (2000) ‘Human error: models and management’, British Medical Journal. London: BMJ Publishing Group Ltd. Available at: https://mbchb.dundee.ac.uk/dundeerisk/files/2010/09/human-errors-models-and-management.pdf

Recklies, D (undated) ‘The Value Chain’. Recklies Management Project GmbH. Available at: http://www.fao.org/fileadmin/user_upload/fisheries/docs/ValueChain.pdf

RIMS (2011) An overview of widely used risk management standards and guidelines. Risk and Insurance Management Society, Inc. Available at: http://www.rims.org/resources/ERM/Documents/RIMS%20Executive%20Report%20on%20Widely%20Used%20Standards%20and%20Guidelines%20March%202010.pdf

RISK.COM.AU (undated) ‘Establish Context’. Available at: http://www.risk.com.au/establish_context

Riskviews (2010) ‘Really Different’. Riskviews. Available at: http://riskviews.wordpress.com/2010/10/01/really-different/

Rooney, JJ, and LN Vanden Heuvel (2004) ‘Root Cause Analysis for Beginners’, Quality Progress, July 2004. American Society for Quality. Available at: https://servicelink.pinnacol.com/pinnacol_docs/lp/cdrom_web/safety/management/accident_investigation/Root_Cause.pdf

SA/SNZ HB 436:2013 Risk management guidelines – Companion to AS/NZS ISO 31000:2009. Available at: http://www.preventionweb.net/publications/view/41427

Sedgwick Law (2006) ‘Risky Business: Risk Assessment and Planning for GCs’, by Bruce Celebrezze, GC California Magazine, September 2006. Available at: http://www.sdma.com/Publications/detail.aspx?pub=4558

Shortreed, J (2010) ‘ERM Frameworks’, in J Fraser and BJ Simkins (eds) Enterprise Risk Management. Hoboken, New Jersey: John Wiley & Sons, Inc.

Slovic, P, B Fischhoff and S Lichtenstein (1980) ‘Facts vs. fears: understanding perceived risk’, in RC Schwing and WA Albers (eds) Societal Risk Assessment: How Safe is Safe Enough? Springer.

Sondalini, MA (undated) Understanding How to Use The 5-Whys for Root Cause Analysis. Rossmoyne, Western Australia: Lifetime Reliability. Available at: http://www.lifetime-reliability.com/tutorials/lean-management-methods/How_to_Use_the_5-Whys_for_Root_Cause_Analysis.pdf

Standard and Poor’s (2013) Enterprise Risk Management, 7 May 2013. New York, NY: Standard and Poor’s Financial Services LLC. Available at: http://www.maalot.co.il/publications/MT20151123154908.pdf

Standards New Zealand (2013) SA/SNZ HB 436:2013 Risk management guidelines – Companion to AS/NZS ISO 31000:2009. Wellington, New Zealand: Standards New Zealand. Available to purchase at: http://shop.standards.co.nz/catalog/436%3A2013(SA%7CSNZ+HB)/view

StrategicRISK (2011) ‘Alarmed and Dangerous’, April 2011. London: Newsquest Specialist Media. Available at: http://www.strategic-risk-global.com/alarmed-and-dangerous/1389574.article (Subscription required)

StrategicRISK (2012) ‘StrategicRISK 2012 Risk Report: The top concerns of European risk managers’, 2012. Sponsored by Marsh Risk Consulting. London: Newsquest Specialist Media. Available at: http://www.strategic-risk-global.com/risk-report-2012-update/1397747.article

Treasury Board of Canada Secretariat (2012) Guide to Integrated Risk Management. Ottawa: Treasury Board of Canada Secretariat. Available at: http://www.tbs-sct.gc.ca/tbs-sct/rm-gr/guides/girm-ggir01-eng.asp#toc1_1

Tversky, A, and D Kahneman (1974) ‘Judgment under Uncertainty: Heuristics and Biases’, Science, New Series, vol. 185, no. 4157, pp. 1124–31. Washington, DC: American Association for the Advancement of Science. Available at: http://psiexp.ss.uci.edu/research/teaching/Tversky_Kahneman_1974.pdf

University of Wollongong (2016) WHS Risk Management Guidelines. University of Wollongong. Available at: http://staff.uow.edu.au/content/groups/public/@web/@ohs/documents/doc/uow016948.pdf

WCO (undated) WCO Customs Risk Management Compendium, Volume 1. Brussels: World Customs Organization. Available at: http://www.wcoomd.org/en/topics/enforcement-and-compliance/instruments-and-tools/~/media/45BE65FFE12748FDA6D41BA7F3451C75.ashx

Wikipedia (undated) Article on ‘Insurance’, available at: http://en.wikipedia.org/wiki/Insurance. Article on ‘Captive insurance’, available at: http://en.wikipedia.org/wiki/Captive_insurance