ii | © 2016 Institute of Risk Management
Published by:
Institute of Risk Management
2nd Floor, Sackville House, 143–149 Fenchurch Street, London EC3M 6BN
Tel: +44 (0) 20 7709 9808
Fax: +44 (0) 20 7709 0716
Email: studentqueries@theirm.org
www.theirm.org
© 2016, 2015, 2014 Institute of Risk Management
First published 2014. This revised edition published September 2016.
All rights reserved. No part of this publication may be reproduced, stored in a
retrieval system, or transmitted, in any form or by any means, electronic,
mechanical, photocopying, recording or otherwise, without permission of the
copyright owner.
While every effort has been made to ensure that references to websites are
correct at time of going to press, the World Wide Web is a constantly changing
environment and Institute of Risk Management cannot accept any responsibility
for any changes to addresses.
Institute of Risk Management acknowledges product, service and company
names referred to in this publication, many of which are trade names, service
marks, trademarks or registered trademarks.
Instructional design, and editorial and production project management by
Wordhouse Ltd, Reading, UK.
Acknowledgements
Institute of Risk Management (IRM) wishes to thank and acknowledge the efforts
of Steve Shackleford, lead developer of this study guide, and reviewers Dorothy
Abade-Maseke, Niall Butler and Norman Sinclair.
IRM also thanks its global Education Advisory Board and current and past
examiners for their invaluable contribution and advice concerning the
redevelopment of the syllabus content.
Finally, we are grateful to Stephen Wellings and his team at Wordhouse Ltd for
their advisory and editorial services. Also to John Meed and Roger Merritt
Associates for their contributions to this revision.
Contents
Introduction ...................................................................................................... vii
Overview of Module 1: Principles of Risk and Risk Management.................. x
Unit 1 Concepts and definitions of risk and risk management ...................... 1
Introduction ....................................................................................................... 2
1.1 Approaches to defining risk ..................................................................... 2
1.2 Impact of risk on organisations ................................................................ 4
1.3 Types of risk ............................................................................................ 6
1.4 Development of risk management ........................................................... 6
1.5 Principles and aims of risk management ................................................. 9
Self-assessment questions ............................................................................. 10
Further reading ............................................................................................... 11
Feedback to activities ..................................................................................... 12
Answers to self-assessment questions ........................................................... 13
Unit 2 Risk management standards................................................................ 14
Introduction ..................................................................................................... 15
2.1 General risk management standards .................................................... 15
2.2 Alternative risk management approaches ............................................. 22
Self-assessment questions ............................................................................. 24
Further reading ............................................................................................... 25
Feedback to activities ..................................................................................... 26
Answers to self-assessment questions ........................................................... 27
Unit 3 Enterprise risk management ................................................................ 28
Introduction ..................................................................................................... 29
3.1 Defining Enterprise risk management ................................................... 29
3.2 Enterprise risk management overview .................................................. 31
3.3 Implementing ERM ................................................................................ 33
3.4 Establishing the context for risk management ....................................... 34
3.5 Objective setting ................................................................................... 37
Self-assessment questions ............................................................................. 42
Further reading ............................................................................................... 42
Feedback to activities ..................................................................................... 44
Answers to self-assessment questions ........................................................... 47
Unit 4 Risk assessment 1: introduction and identification ........................... 48
Introduction ..................................................................................................... 48
4.1 Risk assessment considerations ........................................................... 49
4.2 Risk causes (sources) and consequences ............................................ 55
4.3 Risk classification systems .................................................................... 60
Self-assessment questions ............................................................................. 70
Further reading ............................................................................................... 70
Feedback to activities ..................................................................................... 71
Answers to self-assessment questions ........................................................... 73
Unit 5 Risk assessment 2: risk analysis and evaluation ............................... 74
Introduction ..................................................................................................... 75
5.1 Introduction to risk analysis ................................................................... 75
5.2 Risk likelihood and impact ..................................................................... 77
5.3 Risk evaluation and risk appetite ........................................................... 84
5.4 Loss control ........................................................................................... 89
5.5 Defining the upside of risk ..................................................................... 90
Self-assessment questions ............................................................................. 96
Further reading ............................................................................................... 96
Feedback to activities ..................................................................................... 97
Answers to self-assessment questions ........................................................... 98
Unit 6 Risk response and risk treatment ...................................................... 100
Introduction ................................................................................................... 101
6.1 Introduction to risk treatment and risk response.................................. 101
6.2 The 4Ts ............................................................................................... 104
6.3 Risk control techniques (PCDD) .......................................................... 107
6.4 Control of selected hazard risks .......................................................... 110
6.5 Introduction to monitoring and review ................................................. 110
6.6 Insurance and risk transfer .................................................................. 117
6.7 Business continuity planning ............................................................... 118
Self-assessment questions ........................................................................... 123
Further reading ............................................................................................. 124
Feedback to activities ................................................................................... 125
Answers to self-assessment questions ......................................................... 130
References ...................................................................................................... 131
Introduction
This module provides an introduction to the fundamental principles and concepts
relating to risk and risk management. It asks you to consider the following
questions:
What do we mean by risk?
How did risk management develop into the profession that it is today?
What is enterprise risk management?
Which standards and frameworks exist to guide us through the process of
managing risk?
Module 1 underpins the remaining five modules of the International Diploma in
Enterprise Risk Management. Successful completion of modules 1 and 2 leads
to the award of International Certificate in Enterprise Risk Management.
About this study guide
This study guide will lead you step by step through the module in a series of
carefully planned units, and provide you with learning activities and self-
assessment questions to help you master the subject matter. The guide should
help you organise and carry out your studies in a methodical, logical and
effective way, but if you have your own study preferences you will find it a flexible
resource too.
Before you begin using this study guide, make sure you are familiar with the
advice, guidance and rules provided by IRM on such things as study and revision
skills, support and formal assessments in the Student Handbook which can be
found in The Study section of the IRM website.
If you are on a taught course, your tutor will explain how to use the guide in
conjunction with a programme of face-to-face workshops and seminars – when
to read the units, when to tackle the activities and questions, and so on.
If you are studying independently, you can use the study guide in the following
way:
The overview that follows will give you a feel for the nature and content of
the subject matter.
Plan your overall study schedule so that you allow enough time to
complete all units well before your examinations – in other words, leaving
plenty of time for revision. You can use the study and revision plan
template provided in the Student Handbook.
For each unit, set aside enough time for reading the text and other
essential readings, tackling all the learning activities and self-assessment
questions and the suggested further reading. And don’t forget the
opportunities to network with other students provided in the student
support area of the IRM website.
The study guide breaks the module content down into six units, which vary from
approximately 20 to 30 hours’ duration each. However, we are not advising you
to study for this sort of time without a break! The units are simply a convenient
way of breaking the syllabus into manageable chunks. Most people would try to
study one unit every two or three weeks, taking plenty of breaks within each unit.
You will quickly find out what suits you best.
Now let’s take a look at the structure and content of the individual units.
Each unit begins with an introductory page which sets out the overall learning
outcome for the unit, the main sections into which it is divided and the subsidiary
learning outcomes for each of those sections. The outcomes are designed to
help you understand exactly what you should be able to do after you’ve studied
the unit. You might find it helpful to tick them off as you progress through the unit.
You will also find them useful during revision. Following this, the resources
section will let you know which books, articles and web sources you will need to
access as ‘essential readings’ during the unit.
Then the main part of the unit begins, with the first of the numbered main
sections. Each unit contains essential readings which refer you to the relevant
textbooks, articles, and so on. It is essential that you do this reading, since it is
not possible to put everything you need to know in a single study guide. At this
level of study, wider reading is the key to developing deeper subject learning
through a contemporary, contextual and critical perspective.
At regular intervals in each unit, we have provided you with activities, which are
designed to get you actively involved in the learning process. You should always
try to complete the activities before reading on. You will learn much more
effectively if you are actively involved in doing something as you study, rather
than just passively reading the text in front of you. You will find the feedback on
the activities at the end of the unit.
Also featuring throughout each unit are Risk in the real world items, which are
brief case studies and examples showing how the key points relate to real world
organisations or events.
The further reading section at the end of each unit will enable you to find more
detailed information, or suggest where you might explore a particular topic in
more depth. A full list of all sources referred to, both here and in the essential
readings, is given in a separate references section at the end of the study guide.
We provide a number of self-assessment questions at the end of each unit.
These are to help you to decide for yourself whether you have achieved the
learning outcomes set out at the beginning of the unit. Once again, there are
answers at the end of the unit. If you still do not understand a topic, having
attempted the self-assessment question, always try to reread the relevant
passages in the unit itself and the essential readings, or follow the advice on
further reading.
Good luck in your studies!
Overview of Module 1: Principles of
Risk and Risk Management
Module aims
This module introduces the principles and concepts of risk and risk management.
The history of risk management is explored as a means of understanding the
current drivers of enterprise risk management, and the development and impact
of international standards. This leads to an examination of the ways in which
risks are classified and the models or frameworks that are utilised to identify,
assess and treat them.
Module learning outcomes
By the end of the module you should be able to:
Recognise the origins and key concepts relating to risk management.
Compare and contrast the main risk management standards.
Apply the concepts of enterprise risk management.
Examine the main approaches to risk identification.
Use the main approaches to the analysis and evaluation of risk.
Distinguish the main features of risk control techniques.
Main learning units and topics
Unit 1: Concepts and definitions of risk and risk management
Definitions of risk, impact of risk on organisations, introduction to types of risk,
definitions and development of risk management, principles and aims of risk
management.
Unit 2: Risk management standards
General risk management standards, alternative risk management approaches.
Unit 3: Enterprise risk management
COSO 2004, enterprise risk management, implementing ERM, establishing the
context for risk management.
Unit 4: Risk assessment 1: introduction and identification
Risk assessment considerations, risk classification systems (risk identification),
risk causes (sources) and consequences.
Unit 5: Risk assessment 2: risk analysis and evaluation
Introduction to risk analysis, risk likelihood and impact, loss control, defining the
upside of risk, the importance of risk appetite (risk evaluation).
Unit 6: Risk response and risk treatment
Introduction to risk treatment and risk response, the 4Ts, risk control techniques
(PCDD), control of selected hazard risks, introduction to monitoring and review,
insurance and risk transfer, business continuity planning (BCP).
Essential reading list
These are the texts we refer to in the essential reading sections. Hopkin (2014) is
the core text; you should be able to download the others on-line from the links
below.
Adams, J (2007) ‘Risk Management: It’s Not Rocket Science – It’s Much More
Complicated’, Public Risk Forum, May 2007. Valby, Denmark: European
Institute for Risk Management in collaboration with PRIMO (Public Risk
Management Organisation) Europe. Available at:
http://www.eirm.dk/en/Who%20We%20Are/~/media/Business%20Card/Articles%20-%20EIRM/Publications%20by%20EIRM/PRF%20May%202007.ashx
Airmic/Alarm/IRM (2010) A structured approach to Enterprise Risk Management
(ERM) and the requirements of ISO 31000. London: Association of Risk
Managers/Public Risk Management Association/Institute of Risk
Management. Available at:
http://www.theirm.org/media/886062/ISO3100_doc.pdf
COSO (2004) Enterprise Risk Management: Integrated Framework, Executive
Summary. Committee of Sponsoring Organizations of the Treadway
Commission. Available at:
http://www.coso.org/documents/coso_erm_executivesummary.pdf
COSO (2014) Improving organizational governance and performance: How the
COSO frameworks can help. Committee of Sponsoring Organizations of
the Treadway Commission. Available at:
http://www.coso.org/documents/2014-2-10-COSO%20Thought%20Paper.pdf
HM Treasury (2004) The Orange Book: Management of Risk – Principles and
Concepts. London: HM Treasury. Available at:
http://hm-treasury.gov.uk/orange_book.htm
Hopkin, P (2014) Fundamentals of Risk Management, London: Kogan Page
RIMS (2011) An overview of widely used risk management standards and
guidelines. Risk and Insurance Management Society, Inc. Available at:
http://www.rims.org/resources/ERM/Documents/RIMS%20Executive%20Report%20on%20Widely%20Used%20Standards%20and%20Guidelines%20March%202010.pdf
StrategicRISK (2012) ‘StrategicRISK 2012 Risk Report: The top concerns of
European risk managers’. Sponsored by Marsh Risk Consulting. London:
Newsquest Specialist Media. Available at:
http://www.strategic-risk-global.com/risk-report-2012-update/1397747.article
Unit 1 Concepts and definitions of
risk and risk management
Unit learning outcome
After studying this unit, you should be able to:
Recognise the origins and key concepts relating to risk management
Unit contents | Section learning outcomes
1.1 Approaches to defining risk (page 2) | Provide a range of definitions of risk and risk management
1.2 Impact of risk on organisations (page 4) | Analyse how risks impact on organisations, for example by way of the attachment of risks theory
1.3 Types of risk (page 6) | Describe options for classifying risks according to the nature, source and timescale of impact
1.4 Development of risk management (page 6) | Outline the history of risk management, including the various specialist areas and approaches
1.5 Principles and aims of risk management (page 9) | Consider the principles and aims of risk management and risk management’s importance to operations, projects and strategy
Resources
You will also need to consult the following resources:
Hopkin (2014), chapters 1–5
The Orange Book (HM Treasury, 2004), chapter 1
MODULE 1 | PRINCIPLES OF RISK AND RISK MANAGEMENT
Introduction
This unit provides a general introduction to some basic risk management
concepts. It will take you through some common definitions of risk and will look at
the positive and negative impact that risk has on organisations. It will introduce
key features of risk and risk management and introduce methods of classifying
risks. It moves on to discuss the history of risk management, and the principles
and benefits to organisations of good risk management.
1.1 Approaches to defining risk
There have been many attempts over the years to define risk. Frank Knight
(Knight, 1921), one of the fathers of modern risk management, said:
Risk can be applied to a situation where there are several possible
outcomes and, on the basis of past relevant experience, probabilities can
be assigned to the various outcomes that could prevail.
Uncertainty can be applied to a situation where there are several possible
outcomes but there is little past relevant experience to enable the
probability of the possible outcomes to be predicted.
This suggests that risk management covers the management of both quantifiable
risk and unquantifiable uncertainty.
As most, if not all, of the decisions made by an organisation will be ones with an
uncertain outcome (in other words, risky decisions), Douglas Barlow, another
very early writer on risk, aptly stated in 1962 that ‘all management is risk
management’ (Sedgwick Law, 2006).
A widely used definition of risk comes from the International Organization for
Standardization (ISO, 2009) which states that risk is
‘The effect of uncertainty on objectives’.
So the overriding purpose of risk management is to help organisations to identify,
understand and manage their risks and opportunities, and thereby increase the
likelihood of achieving their objectives by reducing uncertainty.
UNIT 1 | CONCEPTS AND DEFINITIONS OF RISK AND RISK MANAGEMENT
For examination purposes, it is vital to have in your mind one general definition
each of risk and risk management, such as the ISO one. IRM has stated that:
‘Organisations of all types face a variety of factors and influences that
make it uncertain whether and when they will achieve their objectives. The
effect of this uncertainty is termed ‘risk’. Effective risk management helps
organisations to identify, understand and manage the risks, thereby
maximising the likelihood of achieving their objectives. And this is the first
and overriding purpose of risk management.
‘Risk management is a core management discipline. Like general
management or project/change management, risk management is a
discipline that supports all organisational activities. The risks that
organisations face change all the time, so the art of good risk
management is to combine planning for what we already know has
happened and might occur, with preparation for unknown situations.
‘With the general public, however, risk management often has a poor
perception. Stories in the media of risk management getting in the way of
common sense are not infrequent. The failure of some health and safety
practitioners to properly communicate the immense benefits of their work
and the perceived failure of risk management in the world’s banks have all
added to these perceptions.’
Every organisation that wants to practise risk management should produce its
own clear, shared definition of what it means by the terms ‘risk’ and ‘risk
management’. There are specific tools we can use to describe risks, the most
common being the risk register. In module 2, we shall see the range of means of
storing such information, from manual records, to spreadsheets, to full-blown
dedicated risk information management systems (RIMS).
Organisations have to first quantify (analyse) the relative severity of the risk
before any actions have been taken to manage it. This is called the inherent (or
gross) risk. We then again measure the same risk after risk management actions
have been taken. This we call the residual (or net, or current) risk.
Essential reading
Read the first three sections of chapter 1 of Hopkin, which cover ‘definitions of
risk’, ‘types of risk’ and ‘risk description’.
Have a quick look over the rest of the chapter – however, we will discuss these
issues in much more detail in later units of this module.
Activity 1.1
1 From your reading of this unit so far, and Chapter 1 of Hopkin, which definition
of risk seems most appropriate to you?
2 What is the difference between ‘hazard’, ‘control’ and ‘opportunity’ risks?
3 Does your organisation have a formal definition of risk? If so, how many people
are aware of it? If not, what do you think are the reasons for its absence?
Check your answers with those at the end of this unit.
Essential reading
Read The Orange Book, chapter 1. This provides a succinct, two-page
introduction to risk and risk management. Note carefully section 1.6, which also
uses Hopkin’s three dimensions, but adds that different skills and competencies
are required to manage risks at each of these levels.
1.2 Impact of risk on organisations
We have seen how one of the most widely used definitions of risk relates to the
effect of uncertainty on objectives. Risks do indeed impact on corporate
objectives, but, as your next reading will show, they can also impact on key
dependencies, core processes and stakeholder expectations. We call this the
‘attachment of risk’ and organisations should map out how risks are attached to
each of these elements in order to fully analyse their impact.
Let’s consider the meaning of these three additional points of impact now:
Key dependencies are the key things that the organisation needs to be
successful; they might be internal or external things but in short, they are
what the business depends upon for its future success.
Core processes are fundamental to organisational success because they
are the means of delivery of strategy and continuity of operations. A core
process can be defined as “the collection of activities that deliver a specific
stakeholder expectation”.
Stakeholders are the groups of individuals who have a stake in the
business, or are affected by what the organisation does – such as
investors, suppliers, customers, the wider society and government.
The rationale for the attachment of risk is that organisations should map out the
consequences of risk in order to fully analyse their impact.
Essential reading
Read Chapter 2 of Hopkin – pay particular attention to the third subject on the
attachment of risks, because this is a recurring theme throughout the module.
See also the box on page 26, which examines the difficulties in balancing risk
and reward in Formula 1 racing, and the box on page 28, which looks at
propensity for taking risks.
Activity 1.2
1 Note down what Hopkin means by key dependencies, core processes and
stakeholder expectations.
2 With your colleagues, try to identify a key dependency and a core process
within your organisation. Then try to identify what types of risk your
dependency and your process might be vulnerable to.
A report issued by the International Integrated Reporting Council in December
2013 (IIRC, 2013) shows how risk can impact on an organisation’s capital value
– see the further reading section at the end of unit 1.
RISK IN THE REAL WORLD
Hopkin (on page 24) provides an example of an external key dependency when
talking about Northern Rock. Look also at further context to the Northern Rock
events in the table on page 30.
1.3 Types of risk
You will now look more closely at classifying risks as hazard risks, control risks
and opportunity risks.
Essential reading
Read chapter 3 of Hopkin which looks at the timescale of risk impacts and then
explores hazard risks, control risks and opportunity risks further.
Activity 1.3
The box on page 36 of Hopkin gives an alternative typology of risk factors –
controllable and uncontrollable risks. Using heart disease as an example, give an
example of both controllable and uncontrollable risks.
1.4 Development of risk management
Understanding the history of risk management can be useful for several
reasons:
The scope of risk management has changed to such a degree in recent
years that conventional views of risk have had to be altered – see for
example Bernstein (1996) in the further reading for unit 1.
Historically, risk management has focused on the mathematics of hazard-
based or financial risks. It tended to focus on specific risks and neglected
an enterprise-wide approach.
You need to understand the history to explain where we are now in risk
management and where this may lead in the future.
You will see that our changing world has produced new risks that do not
easily fit into historical frames of reference, and history tells us that new
risks come and old risks disappear – we can learn lessons on how people
reacted to new, emerging risks.
Risk management frameworks have developed only since 1995.
A historical timeline in risk management history might include the following:
1500: Religious belief, fate and superstition – evolutionary theory.
1500–1900: A decline of the above by educational enlightenment in risk.
1900–70: Development of specialist risk professions.
1970–95: Risk management specialism moves towards generalism.
1995–date: The maturing risk profession.
1995–date: The age of risk management standards.
But in the last few hundred years there was another significant trend towards:
More knowledge of causes and effects (as people experienced and better
understood their environment – initially from the passing down of stories
and then from first written records).
Turning mystery and superstition into unknown uncertainty and then into
known uncertainty (the time of the Enlightenment), which moved on into
people being able to measure risk for the first time through the
development of statistics.
There is great value in looking at the past. Not only can it provide insight into the
developmental dynamic of the field, it provides important guidance in
understanding why the modern world appears as it does, particularly with some
of the inherited superstitions and irrationalities.
‘A brief history of risk management’ (Kloman, 2010) gives a history of risk
management from 1914 until 2008, and it includes something on the development
of risk specialisms, such as insurance, actuarial science, and health and safety.
Though the material skims the surface of a very detailed subject, it serves a
useful role in orienting you towards key events in the history of the field. See the
further reading section at the end of unit 1.
Essential reading
Read chapter 4 of Hopkin which looks at the origins of risk management and the
development of risk management specialisms.
Activity 1.4
1 As a modern risk manager, why is it useful to understand something of the
history of risk management?
2 By talking to some of the longer serving members of your organisation, try to
discover something of the history of risk management in your organisation.
Since 2009 we have experienced a number of major risk events such as the
Arab Spring, major natural disasters, the range of sovereign debt crises in many
Eurozone countries and the slow signs of recovery in Western economies. All
these things impact our role in the risk profession.
Indeed, most of the exciting and worthwhile achievements humanity would like to
make are complex and not without their potential pitfalls. Risk management can
help organisations achieve what otherwise might be too risky or uncertain. Good
risk management is about being able to take risk. Good risk management is
about ‘reaching for the stars’.
At the same time, risk management is also about safeguarding organisations and
making them more resilient. While being ambitious, it is also important to protect
the value of the organisation. Managing so-called ‘downside risk’ – events whose
potential outcome is negative or undesirable – can help the organisation apply
controls and achieve its objectives.
Increasingly organisations are required by law, regulation or stakeholder
expectations to build risk management competencies and provide reports that
show that those competencies are effective. In the future, these reports might
well be audited in ways similar to the way financial reports are audited today.
1.5 Principles and aims of risk management
This final section looks at the five principles of risk management and the main
benefits or objectives of risk management.
Essential reading
Read chapter 5 of Hopkin on the principles and aims of risk management. Pay
particular attention to the acronyms PACED and MADE2, as these will be
recurring themes throughout module 1. On page 53, Hopkin demonstrates the
failed strategy of a real grocery retail chain from several years ago, while on
page 56 he uses a car’s brakes, clutch and accelerator as an analogy to explain
the benefits of these three levels or types of risk.
Activity 1.5
1 List five benefits of good risk management.
2 Outline the five principles of risk management.
RISK IN THE REAL WORLD
PricewaterhouseCoopers (2010: 8) published a composite of a
range of research reports that took place prior to the global
financial crisis in 2009, which showed that strategic risk was by
far the greatest determinant of how shareholder value is
destroyed in business. PwC estimated that strategic risks
explained up to 60% of shareholder value decreases, followed
by 20% for operational risk losses, 15% for financial risk effects
and 5% for compliance risk effects. This study used the COSO
ERM classification of objectives/risks, which we will consider in
unit 3.
Self-assessment questions
These questions will help you to check your knowledge of Unit 1. They use a
multiple choice format similar to the one you will meet in the exam. Choose the
option you think is right and then check with the answers at the end of this unit.
1 Which of these best describes ‘residual’ (or net, or current) risk?
a) A risk before any actions have been taken to manage it
b) A risk associated with speculative opportunities
c) A risk after risk management actions have been taken
2 Which of these best describes ‘hazard’ risks?
a) Risks associated with the benefits of speculative opportunities
b) Risks associated with ‘pure’ risks or perils
c) Risks associated with the management of uncertainty
3 What are core processes?
a) The means of delivery of strategy and continuity of operations
b) The key things that the organisation needs to be successful
c) Groups of individuals who have a stake in the business, or are affected
by what the organisation does
4 Which of these best describes the term ‘mandatory’ in relation to risk
management objectives as set out in MADE2?
a) To ensure that risk management complies with the five principles of
PACED
b) To ensure that appropriate risk-management information is available
c) To ensure conformity with rules, regulations and obligations
Further reading
IRM’s Online Resource Centre (ORC) has a list of publications on the
introduction to risk and risk management in the section ‘Principles of risk’. Look
in particular at the subsections called ‘History of risk management’ and ‘Nature of
risk and uncertainty’.
Holton (2004) provides a good summary of how risk has been defined since
Frank Knight tried to distinguish risk from uncertainty, and discusses the
ensuing debate throughout the twentieth century.
Entsgo (undated) provides an easy-to-read two-page distinction between pure
and speculative risks.
Bernstein (1996) introduces the debate over the actual meaning of ‘risk’.
Historically, the risk management field has tended to define risk solely through its
statistical or mathematical nature, which is appropriate in many settings.
Kloman (2010) offers an introductory historical perspective on key developments
in the history of risk management, especially from 1914 to the start of the 2008
financial crisis.
In December 2013 a new organisation, the International Integrated Reporting
Council (IIRC), produced a major report, which has something to say on the
impact of risk in organisations as part of a much wider agenda to reform
corporate reporting to stakeholders. The IIRC measures value creation in the
form of six different types of capital owned by any organisation (IIRC, 2013: 11).
If you are interested in finding out how businesses around the world justify their
investment in risk management (or rather enterprise risk management) you could
briefly review Accenture (2011).
Feedback to activities
Activity 1.1
1 The simplest definition is the one you can get from ISO 31000. You can find
this and several others from Hopkin’s table 1.1 (page 14).
2 The source for your answer to this question can be found in Hopkin chapter 1
‘Types of Risk’ (page 15). As you work through the book look for other
characteristics and differences for these three levels of risks, which he
describes from time to time.
3 If your organisation has a formal definition of risk (perhaps from a policy
document or a risk manual), compare it to some of the more official
definitions.
Activity 1.2
1 Key dependencies are the key things that the organisation needs to be
successful; they might be internal or external things but in short, they are
what the business depends upon for its future success.
2 Core processes are fundamental to organisational success because they are
the means of delivery of strategy and continuity of operations. A core process
can be defined as ‘the collection of activities that deliver a specific
stakeholder expectation’.
3 Stakeholders are the groups of individuals who have a stake in the business,
or are affected by what the organisation does – such as investors, suppliers,
customers, the wider society and government.
Activity 1.3
Controllable risks for heart disease include high blood pressure or cholesterol.
Uncontrollable risks include age or gender.
Activity 1.4
1 The scope of risk management has changed to such a degree in recent years
that conventional views of risk have had to be altered. Historically, risk
management has focused on the mathematics of hazard-based risks or on
financial risks. It tended to focus on specific risks. You need to understand
the history of risk and risk management to explain where we are now and
where things may go in the future. You will see that our changing world has
produced new risks that do not easily fit into historical frames of reference. So
in summary, the history helps to explain where we are today and might give
us some guide of the directions to where risk management is going in the
years to come.
2 They may be able to talk about some of the major crises or major periods of
change that the business faced and how the organisation got through those
changes intact.
Activity 1.5
1 Your solution can be found in Hopkin chapter 5. The MADE2 acronym – see
Hopkin’s table 5.2 (page 51) can help you to remember. You can also help
yourself by remembering the definition of risk, which implies that good risk
management will help achieve your organisation’s objectives.
2 Again an acronym from Hopkin chapter 5 is the source of your answer. This
time the acronym is PACED – see table 5.1 (page 50).
Answers to self-assessment questions
1-c
2-b
3-b
4-c
Unit 2 Risk management standards
Unit learning outcome
After studying this unit, you should be able to:
Compare and contrast the main risk management standards
Unit contents and section learning outcomes
2.1 General risk management standards (page 15): Describe the key stages in the risk management process, the main components of a risk management framework and the key features of the best known risk management standards and frameworks currently in use.
2.2 Alternative risk management approaches (page 22): Compare and contrast a number of risk management standards.
Resources
You should make sure you have access to the following resources before starting this unit:
Hopkin (2014), chapter 6
The Orange Book (HM Treasury, 2004), chapter 2
Airmic/Alarm/IRM (2010), part 1
RIMS (2011)
UNIT 2 | RISK MANAGEMENT STANDARDS
© 2016 Institute of Risk Management | 15
Introduction
This unit begins by looking at the main features of key general risk management
standards, including the most generally accepted ISO 31000 standard (ISO,
2009), as well as considering the importance of a range of risk related guidance.
It then looks briefly at some specialist risk management standards.
All risk management standards are recent; indeed, the first ever risk
management standard, AS/NZS 4360, was only released in 1995 (Standards
New Zealand, 2013). If anything, that fact demonstrates the still youthful state of
our profession and why even now risk managers still argue over such
fundamental issues as the definition of risk.
Your organisation may use the characteristics of one of these standards to
implement a risk management process to manage its risks; it may combine them
and use elements from each; or it may even have its own bespoke standard.
As your career in risk management develops you will need to know well at least
one such risk management standard and how to apply it in your organisation.
2.1 General risk management standards
Risk management has developed over time and across many regions of the
world and many industry sectors, as well as within discrete professions, to meet
diverse needs. Risk management standards, within a clear framework, can
support a more consistent risk management process and this can help to ensure
that risk is managed effectively, efficiently and coherently across an organisation.
The following terminology is generally accepted and applies to ISO 31000:
Risk management standard = The risk management framework + The risk management process
IRM states that a simple risk management process is all about being able to:
identify risks (and opportunities)
evaluate and prioritise the significant risks (and opportunities)
manage the significant risks
In order to provide an explanation for the content of the risk management
framework, the acronym RASP or ‘Risk Architecture, risk Strategy and risk
Protocols’ has been developed. RASP is a supportive structure of the risk
management process – it is what helps to determine how the process works.
RASP is in fact an introduction to a substantial area of study which you will
undertake in module 2.
This unit looks at some general risk management standards. You have already
looked at the 8Rs and 4Ts model in Chapter 4 of Hopkin on page 40. The 8Rs
and 4Ts of (hazard) risk management do not form part of any wider, present
day risk management standard or framework. However, the model is surprisingly
well known and you might well find such an approach suitable for your organisation.
We shall now look at three other general risk management standards in the order
in which Hopkin discusses them in Chapter 6:
IRM (2002) model (page 59).
COSO ERM (page 63).
ISO 31000 model (page 65).
The IRM (2002) model
IRM (2002) describes a slightly different framework of the structure,
responsibilities, administration, reporting and communication in relation to risk.
Although slightly different to RASP, it is another acceptable approach to
describing the risk management framework.
The risk management framework can be likened to the risk management context.
In other words, it is the context in which the risk management process must
operate. Later, we shall see that the next two standards (COSO ERM and the
ISO 31000) also have something to say on the subject of the risk management
context. Two additional elements of the risk management context are:
External context – typically the organisation’s industry, products, markets,
logistics, supply chain, competitors and countries of operation.
Internal context – typically the organisation’s internal workings – its
divisions, departments, structures, cultures, leadership, strengths and
weaknesses, and so on.
As well as having a primary role of providing the context of risk management, the
framework also has a secondary role of ensuring that the outputs of the process
are communicated, and that the benefits anticipated (MADE2) from the
investment in risk management are delivered.
Essential reading
Read the first part of chapter 6 in Hopkin, ‘Scope of risk management standards’,
which introduces the IRM (2002) risk management process – figure 6.1 (page
59). Look briefly as well at the short sections on ‘Risk management process’ and
‘Risk management framework’.
Activity 2.1
1 In the light of your reading, write a one-sentence definition of each of these key
terms:
a) Risk management standard
b) Risk management framework
c) Risk management process
2 Draw a flowchart which describes your organisation’s risk management
process.
The COSO ERM cube
The concept of enterprise risk management (ERM), which was first developed
around 2000, received a real boost in world-wide popularity during the autumn of
2004 when the Committee of Sponsoring Organisations of the Treadway
Commission (COSO) launched COSO ERM (COSO, 2004).
Essential reading
Look at the fourth part of Hopkin chapter 6 (page 62), ‘COSO ERM cube’, taking
note of figure 6.3 on page 63.
The COSO ERM framework is displayed as a cube, as in Hopkin Figure 6.3:
The front face is the risk management process, and you should be able to
summarise the content of each of the eight items.
The top face of the cube describes the four categories of organisational
objectives. Again you should be able to summarise the meaning of each
of these four items.
Finally, the side face of the cube shows the implementation process of the
standard. It indicates that ERM begins at entity level and then is cascaded
downwards and across the organisation. In that sense, the fully
implemented version of ERM has to be embedded in all roles, operations
and activities of the enterprise.
COSO ERM is an important standard and we will look at it in greater detail in Unit
3.
Activity 2.2
Write a one-sentence definition of each of these key terms:
a) risk architecture
b) risk context
c) risk protocols
d) risk strategy
ISO 31000
The ISO 31000 standard, released in 2009, is probably the most straightforward
and certainly the most internationally accepted risk management standard. For
this reason, you should feel comfortable about its content and purpose and
especially be aware of its process.
Essential reading
Read the fifth part in Hopkin chapter 6 ‘Features of RM standards’, for an
introduction to ISO 31000. See in particular Figure 6.4 (page 65).
There are five clauses (or key elements) in ISO 31000. We briefly describe them
here:
Clause 1
This clause defines the scope of the standard as generic risk management; in
other words, the standard is designed to be applicable to organisations in
general and is not focused on any particular type or form of organisation, nor on
any particular geographical setting. Anyone can use this standard irrespective of
their particular risk context.
Clause 2
This clause provides definitions of 29 terms used in the standard; these are, in
fact, derived from another ISO document called ISO Guide 73:2009, which is a
glossary of risk management terms. The guide is available (at a cost) from ISO
(see references for a link to the ISO website). You do not need to learn the full
glossary contained in this guide because this study guide will provide you with all
the terms you need to know.
The next three key clauses cover:
the principles of risk management
the framework for risk management
the process of risk management
Clause 3
Clause 3 is based on the principles of risk management. In Unit 1, we referenced
PACED as a tool to evaluate the principles of risk management. Clause 3 sets
out eleven principles, which we summarise below:
1 Risk management creates and protects value – the risk management
process should contribute to the achievement of objectives and
improvements in performance.
2 Risk management is an integral part of organisational processes – it is not
a stand-alone process and risk management activities, roles and
responsibilities should be incorporated into normal planning and
operational processes.
3 Risk management is part of decision making – decision making should be
better informed by considering what is known about potential uncertain
outcomes.
4 Risk management explicitly addresses uncertainty – it reinforces the need
to recognise uncertainty around the achievement of objectives and
determine an appropriate course of action.
5 Risk management is systematic, structured and timely – systems and
structures give the risk management process rigour and make its
outcomes more reliable.
6 Risk management is based on the best available information – different
perspectives need to be considered as inputs to the risk management
process, looking both inside and outside the organisation for areas of risk,
and considering the reliability of different information sources.
7 Risk management is tailored – systems should be designed for the
particular organisation, taking account of their context, size and
complexity.
8 Risk management takes human and cultural factors into account – the
systems need to fit the culture(s) of the organisation. They should
recognise the human factors within processes, and recognise human
factors as risks themselves.
9 Risk management is transparent and inclusive – a good risk management
system helps stakeholders understand the organisation’s context and
risks, and considers their views on risks and controls.
10 Risk management is dynamic, iterative and responsive to change – to
allow organisations to respond effectively to the continually changing
business environment, the risk management system itself should be
dynamic and always reflect the latest risk environment.
11 Risk management facilitates continual improvement of the organisation –
at the same time as being able to respond to change, the risk
management system needs to continually develop to help organisations
improve their risk management maturity.
Clause 4
The next clause in the ISO 31000 standard is the risk management framework.
This clause includes the essential steps in the implementation and ongoing
support of the risk management process. The initial component of the ISO 31000
framework is ‘mandate and commitment’ by the board and this is followed by:
design of framework
implement risk management
monitor and review framework
improve framework
The Airmic, Alarm, IRM (2010) guide (page 7) states that:
‘ISO 31000 describes a framework for implementing risk management,
rather than a framework for supporting the risk management process.
Information on designing the framework that supports the risk
management process is not set out in detail in ISO 31000. An organisation
will describe its framework for supporting risk management by way of the
risk architecture, strategy and protocols for the organisation.’
Clause 5
The final clause in the ISO 31000 standard is the risk management process.
Three components of this process are also briefly described in the Airmic, Alarm,
IRM (2010) guide on pages 8 and 9. For the moment, you should understand the
order of the components well enough to draw the process diagram yourself.
Essential reading
Read through part 1 of Airmic/Alarm/IRM (2010). This will provide you with
further information about the standard.
Activity 2.3
Briefly summarise the content of the five clauses of the ISO 31000 risk
management standard (one sentence for each clause).
2.2 Alternative risk management approaches
We conclude unit 2 with a brief review of some other approaches to risk
management.
Essential reading
Read the final part in Hopkin chapter 6 ‘Alternative approaches’.
RISK IN THE REAL WORLD
Hopkin refers to one specialist standard called COBIT, which
provides guidance regarding information technology risk
management, in the box on page 68.
The CoCo framework can be seen as fitting around the internal environment of
COSO ERM. There is a relationship between governance, risk and compliance
(or GRC, which is a theme in module 2) – the board should focus on governance,
with separate risk functions overseeing the risk element, and a separate internal
audit function to monitor compliance.
Most countries of the world have their own corporate governance codes and
indeed there are some international codes. The rationale for a corporate
governance approach to risk management is that good risk management has to
start at the top of the organisation. The UK-based Cadbury Committee (1992), in
section 2.5 of its report on corporate governance, described this as the place
where ‘companies are directed and controlled’. In Module 2 you will study
corporate governance as a special topic.
In recent years there has been a trend to complement generic risk management
standards of the sort we have reviewed in this reading with industry-specific
ones. Before we complete this unit, we shall introduce one of them.
The Orange Book (HM Treasury, 2004) was designed in 2004 as a risk
management standard for the UK government sector and so is an example of a
sector-specific risk management standard. However, The Orange Book standard
is so succinct that it has generic value in its own right.
Essential reading
Read chapter 2 of The Orange Book which summarises The Orange Book’s risk
management model and gives a process diagram.
Note that the remaining chapters of The Orange Book describe each element of
the risk management model in detail.
Another sector-specific standard exists for the UK charity sector and we include
a reference to it as a further reading item at the end of the unit, if you are
interested to find out more.
As risk management systems develop in terms of maturity, advisory firms have
also designed their own risk management frameworks and toolkits. While each
promotes the unique selling points of that firm, the broad principles remain the
same: link to strategy objectives and core processes, risk identification,
assessment (or analysis), evaluation and action (treatment).
The article published by RIMS (2011) compares and contrasts a number of
different standards, including familiar ones, such as ISO 31000, COSO ERM,
IRM (2002) – which it calls the FERMA: 2002 standard – and some which are
less popular, such as the Open Compliance and Ethics Group standard: 2009
(OCEG), BS 31100: 2011 and Solvency II: 2012.
Essential reading
Turn to RIMS (2011). Briefly look at the first thirteen pages, which are all about
comparing these standards. Pay most attention to the three standards we
covered in this unit. There is a set of comparison tables for the remaining eleven
pages.
Activity 2.4
1 From your work on this unit, do you think opportunity (the flip side of risk) is
adequately addressed by the risk management processes outlined in this unit?
2 Which of the standards and models that we introduced in this unit best fits
the way your organisation manages risks?
Self-assessment questions
These questions will help you to check your knowledge of Unit 2. You can check
with the answers at the end of this unit.
1 Which one of the following risk standards contains ‘control activities’ as a
feature in the risk process?
a) COSO ERM
b) ISO 31000
c) IRM (2002) standard
2 Which one of the following definitions is the same as the definition of the
risk management context?
a) The risk management strategy
b) The risk management process
c) The risk management framework
3 Which part of the risk framework focuses on answering the question ‘Who
does what?’ in the organisation in relation to risk management?
a) Risk architecture
b) Risk context
c) Risk protocols
Further reading
IRM’s ORC (2014) has a segment with a range of publications from many places
on the range of risk management standards. It even has the IRM standard of
2002 translated into many different languages.
IRM (2002) has a range of content which is very useful in several of the following
units of this module as well as module 2. It runs through the whole of the process
(relevant for module 1), as well as providing some information around risk
management framework roles, responsibilities, structures and administration
(relevant for module 2).
Praxiom (2013) is a very useful and easy to read article. It forms a plain English
guide to ISO 31000.
SA/SNZ HB 436:2013 Risk management guidelines - Companion to AS/NZS ISO
31000:2009 is a handbook which provides guidance on the implementation of
AS/NZS ISO 31000:2009 (this is ‘identical to and reproduced from ISO
31000:2009’). The handbook expands on and explains the elements within the
standard and provides advice about applying it, including using it to evaluate and
improve existing risk management practice. The guidelines can be obtained from
the web link given in the references section (Standards New Zealand, 2013), but
you should be aware that there is a cost to access the content.
In 2012 the Treasury Board of Canada Secretariat issued a substantial
guidebook similar to The Orange Book for the management of risk in the
Canadian government sector. If you are interested you can read it on Treasury
Board of Canada Secretariat (2012).
Finally, in 2010 the UK Charity Commission issued guidelines for risk
management specific to the charity sector (Charity Commission, 2010).
Feedback to activities
Activity 2.1
1 Your definitions should be along the following lines:
a) Risk standard – A published guide for managing risk, usually
comprising a risk framework and (especially) a risk process.
b) Risk framework – Also known as the risk management context. This
comprises the risk strategy, risk architecture and risk protocols and
forms the risk context which helps to drive the risk process.
c) Risk process – The stages in the process of managing risk, which is
driven mainly by how you set up the framework (but also affected by the
internal and external environment).
2 You might actually find some documentation in your department that already
does this. If not, it is a most useful exercise because it could help you to
consider whether there are any gaps in what you do.
Activity 2.2
1 Your definitions should be along the following lines:
a) Risk architecture – Part of the risk framework, which focuses on
answering the question ‘Who does what?’ in the organisation in relation
to risk management. This is displayed in Hopkin’s figure 6.2 (page 61).
b) Risk context – This covers three layers of organisation which together
drive the risk process; they are the external environment, the internal
environment and the risk management context (also known as the risk
framework).
c) Risk protocols – The set of tools, procedures and instructions that an
organisation has for managing risk.
d) Risk strategy – The agreed overriding purpose and aims of risk
management in the organisation, which involves the publication of a risk
policy document and the setting of the risk appetite.
Activity 2.3
Clause 1: Scope or purpose of ISO 31000.
Clause 2: A set of definitions used in the standard.
Clause 3: The principles and purposes of risk management.
Clause 4: The stages involved in setting up a risk management framework.
Clause 5: The risk management process.
Activity 2.4
1 From the range of processes that we have looked at, we can see from the
underlying definitions of risk that most are meant for dealing with both
opportunities and risks (with perhaps the exception of the 8Rs and 4Ts
approach – you should see why when we reach unit 6). But perhaps they
could be criticised for not distinguishing the process for managing
opportunities in any way from the process for managing downside risk.
Perhaps you could answer this question by considering your own
organisation: does your organisation manage opportunities in the same way
that it manages downside risk? If the answer to the question is yes, why
make the distinction between opportunities and risk in the first place?
2 This activity should help you to compare and contrast your process of risk
management with the established standards to find out which of them it most
closely mirrors. Look at the terminology that people use to see which
standard you most closely resemble. In the last three units of the module we
will look at each of the stages of the process in much more detail.
Answers to self-assessment questions
1-a
2-c
3-a
Unit 3 Enterprise risk management
Unit learning outcome
After studying this unit, you should be able to:
Apply the concepts of enterprise risk management (ERM)
Unit contents and section learning outcomes
3.1 Defining Enterprise risk management (page 29): Outline the key characteristics of the COSO ERM framework.
3.2 Enterprise risk management overview (page 31): Explain the key features of an enterprise-wide approach to managing risk.
3.3 Implementing ERM (page 33): Identify the four stages of the ERM implementation process.
3.4 Establishing the context for risk management (page 35): Discuss the various approaches to establishing the context for ERM.
3.5 Objective setting (page 37): Discuss approaches to setting objectives.
Resources
You should make sure you have access to the following resources before starting this unit:
Hopkin (2014), chapter 19
The Orange Book (HM Treasury, 2004), chapter 10
COSO (2004)
Airmic/Alarm/IRM (2010), part 2
COSO (2014)
UNIT 3 | ENTERPRISE RISK MANAGEMENT
© 2016 Institute of Risk Management | 29
Introduction
Enterprise risk management (ERM) is probably the most important development
of risk management since the year 2000 because it offers a holistic approach to
risk management. Most of the risk management standards we introduced in unit
2 provide holistic guidance to risk management and so are really enterprise risk
management standards.
From the point of view of the International Certificate and Diploma, risk
management and ERM are synonymous, so this module takes an ERM approach
to risk management. Shortreed (2010: 118) sees ERM as a fundamental part of
general management:
‘The integration of ERM is made possible since risk relates to uncertainty
of achieving objectives and the goal of the general management of an
organisation is to achieve objectives.’
In this unit we will define and provide an overview of ERM. We will describe how
it can be implemented, the context within which it is implemented and the role of
objective setting. We will focus much of our attention on the COSO ERM
framework, but we will also consider ERM’s relevance to ISO 31000.
RISK IN THE REAL WORLD
To give you an early flavour of an ERM approach to risk
management, take a look at the hotel sector case study in
Hopkin (page 200), which explains the TSOGO SUN risk
management process.
3.1 Defining Enterprise risk management
James Lam (2003), chief risk officer at GE Capital, described ERM as ‘the
integrated management of business risk, financial risk, operational risk and risk
transfer to maximise a firm's shareholder value’. His meaning was that ERM
makes a company more successful by creating a single view of all risks and
managing those risks in a consistent way up, down and across the enterprise.
MODULE 1 | PRINCIPLES OF RISK AND RISK MANAGEMENT
30 | © 2016 Institute of Risk Management
More recently, KPMG (2006) summarised the move away from traditional forms
of risk management to an ERM approach as shown in table 3.1 below.
Table 3.1: Comparing traditional risk management with ERM
Aspects of a traditional RM approach         | Aspects of an ERM approach
Focus on risk identification and analysis    | Risk in the context of business strategy
Risk as individual hazards                   | Risk portfolio development with risk interconnectivities
Focus on all risks managed in separate areas | Focus on critical risks
Risk mitigation                              | Risk is entity wide
Risk with no owners                          | Identifying and defining risk responsibilities
Risk is insurance                            | Monitoring and measuring risk
Risk is not my responsibility                | Risk is embedded into everyone’s responsibility
In contrast with the traditional approach, ERM recognises that risks in one part of
the organisation can relate to risks occurring elsewhere and these links and
relationships need to be managed just as much as individual risks in isolation.
Essential reading
Remind yourself what the COSO ERM framework looks like now, by taking a
quick look back to figure 6.3 in Hopkin (page 63), which we introduced in unit 2.
Chapter 19 is the only chapter in Hopkin specifically on the subject of ERM.
Read the first and second parts of this chapter (pages 205–8) on the enterprise-
wide approach and definitions of ERM.
Activity 3.1
1 Write a short definition of enterprise risk management.
2 How does ERM differ from traditional forms of risk management?
3.2 Enterprise risk management overview
ERM considers risks against the need to meet an organisation’s strategic,
operational, compliance and financial reporting objectives – the four elements of
the top face of the COSO ERM cube.
ERM ultimately implies that risk management should be ‘embedded’ from the top
of the organisation (entity level) downwards through the business. For ERM to
work effectively, it requires a high investment in risk management across the
enterprise, a high level of risk maturity and a strong framework for risk
assurance, because the board needs to know that the framework it has invested
in works effectively and consistently across the enterprise.
ERM stresses the need to consider the interdependency between risks. By
taking account of risk interrelationships and the interdependency of risks across
the enterprise, ERM will enable organisations to more accurately assess the
severity of their risks both individually and in total (this total assessment is
sometimes called the ‘risk exposure’).
RISK IN THE REAL WORLD
For example, the outbreak of a major flu epidemic could
increase the likelihood of an IT risk event. If employees are
absent from work with flu, there are likely to be fewer people
around to monitor and enforce the organisation’s controls,
including IT controls. As a result, the controls are more likely to
fail. If the IT controls fail, we could then envisage the increased
likelihood of a financial risk arising, such as the inability to
place orders or invoice clients using the financial system.
Essential reading
Read the executive summary Enterprise Risk Management: Integrated
Framework, Executive Summary (COSO, 2004) which gives a good overview.
Page 1 summarises six characteristics of ERM, page 3 discusses the four
categories of organisational objectives and pages 3 and 4 describe the eight
elements of the risk management process.
Activity 3.2
1 Explain why the first element on the side face of the COSO ERM cube is
described as ‘entity-level’.
2 Consider how one risk from a single source might impact on many departments
within your organisation.
RISK IN THE REAL WORLD
Take a brief look at the case study on page 201 in Hopkin on
BG Group, a large energy company with widely dispersed
operations, which operates a group approach to managing
their ERM activities.
The companion research paper Improving organizational governance and
performance: how the COSO frameworks can help (COSO, 2014) explains how
the ERM process from the COSO cube can be used in a four-stage strategy
setting process. It argues that the starting point both to risk management and
strategy setting is a concept called ‘corporate governance’.
Essential reading
Have a brief look now at the research paper (COSO, 2014).
In addition to COSO ERM, there is also an internal control version. The COSO
Internal Control – Integrated Framework (COSO 1992, revised 2013) places the
emphasis on achieving internal control over financial reporting within the
organisation, and for that reason it was later used as the framework of choice for
a very important piece of US law, the Sarbanes-Oxley Act of 2002 – which you
will review in Module 2.
Learning activity 3.3
What are the driving forces in the development of ERM in your sector or country?
What are the main restraining factors?
3.3 Implementing ERM
This section considers techniques for implementing ERM. Bear in mind that:
Firstly, organisations will often employ a risk manager or a risk
management function to oversee the implementation and running of the
ERM framework. In some business sectors, such as banking and finance,
and in some countries of the world, the employment of a chief risk officer
is becoming a regulatory requirement.
Secondly, the PACED principles of risk management are essential factors
to take into account as part of the implementation of the ERM framework
in order to achieve the maximum benefits.
Thirdly, an organisation can assess the benefits of a fully implemented
and effective ERM framework by way of a process called FIRM (financial,
infrastructural, reputational and marketplace benefits). You could also
assess ERM benefits by the use of the MADE2 model.
In many ways, ERM implementation in an organisation is not really a type of risk
management but is more about a measure of the maturity of risk management
within the organisation. All things being equal, if you have ERM you are more
mature in risk management than if you do not have it.
Essential reading
Read the third part of Hopkin chapter 19 (pages 208–9) on ERM in practice.
Then skim read the fourth and fifth parts of Hopkin chapter 19 (pages 209–12) on
ERM and business continuity, ERM in energy and finance, and future
developments of ERM as we will consider these ideas later.
The Airmic, Alarm, IRM guide (2010) identifies four stages to the implementation
process, using the acronym PIML:
planning and designing
implementing and benchmarking
measuring and monitoring
learning and reporting
Activity 3.4
Compare this process to the risk management ‘framework’ (or clause 4) of ISO
31000, which we looked at in reading 2. Can you see similarities between
clause 4 and the Airmic, Alarm, IRM (2010) approach?
There are many guides and readings providing advice about the implementation
of ERM. In most cases, an overriding conclusion of these guides is that the
method of implementation will be contingent upon the risk characteristics of the
organisation concerned, along with its internal and external environment. In other
words, it is contingent on the ‘organisational context’ – a term we introduced in
unit 2 and will explore more next.
Essential reading
Skim read part 2 (pages 10–18) of the ‘Structured Approach to ERM’ guide
(Airmic/Alarm/IRM, 2010).
3.4 Establishing the context for risk management
Establishing the context for risk management is regarded in most risk
management standards – and notably ISO 31000 – as the starting point of the
risk management process. The University of Wollongong (2013) states:
‘To establish the context means to define the external and internal
parameters that organizations must consider when they manage risk.’
Essential reading
Figure 6.4 in Hopkin (page 65) shows how ISO 31000 portrays establishing the
context as the first stage in the risk management process. Go on to read the
material on ‘Establishing the context’ in Hopkin Chapter 7 (pages 81–83).
Hopkin argues that there are three components of context: the external
environment, the internal environment and the organisation’s risk management
context.
The external context includes:
the social and cultural, political, legal, regulatory, financial,
technological, economic, natural and competitive environment,
whether international, national, regional or local
the industry, products, markets, competitors, suppliers, customers,
logistics and the regions and countries of operation
key drivers and trends impacting on the objectives of the organisation
relationships with, and the perceptions and values of, external
stakeholders
The internal context relates to the organisation’s structure, objectives, policies,
strategies, processes, culture and the values of its people. It includes:
the organisation’s divisions, departments, structures, systems, processes
and accountability, cultures, leadership, strengths and weaknesses
internal stakeholders – staff, managers and the board
its approach to corporate governance, its resources, competencies and
capabilities, its culture, and the ways it conducts itself
factors that influence how the organisation will try to set and achieve its
objectives, which of course is the primary aim of risk management
The risk management context typically involves the context in which the risk
management process must operate, which can be described using the RASP
acronym. Included in this element of context is something called the ‘risk
appetite’, a very important idea around deciding upon an acceptable level of risk
for the organisation.
Figure 3.1 summarises these points and starts to link them to the next stage of
the risk management process, that of risk assessment.
Figure 3.1: Establishing the context
Activity 3.5
1 For your own organisation, which important factors in the wider world (external
context) influence how you do things?
2 And which important factors within the organisation (internal context) influence
the way your organisation works?
Essential reading
Read The Orange Book (HM Treasury, 2004: 39). Can you see how the
description of ‘context’ has been limited to external context only, which we
covered in Section 3.4 above? This difference in meaning can be a source of
confusion to people. It demonstrates how important it is to communicate clearly
to everyone the meanings of the elements of your organisation’s risk
management activities.
Activity 3.6
1 Suggest 2–3 benefits of establishing the context for risk management.
2 Identify one method you could use to assess the benefits of an investment in
ERM.
In the further reading section at the end of this unit, you will find some examples
of establishing the context for risk management.
3.5 Objective setting
The setting of objectives is arguably one of the most important elements of the
context for risk management, especially since it goes to the heart of ISO 31000’s
definition of risk.
Indeed, the COSO ERM (2004: 3) states:
‘Objectives must exist before management can identify potential events
affecting their achievement. Enterprise risk management ensures that
management has in place a process to set objectives and that the chosen
objectives support and align with the entity’s mission and are consistent
with its risk appetite.’
That is why the IRM (2002) standard describes the context as being all about
setting the organisation’s strategic objectives.
Essential reading
Briefly go back to Hopkin (pages 23–4) to remind yourself what Hopkin says
about objective setting as part of his attachment of risks theory.
There are a number of reasons why setting business objectives can be hard.
Indeed, some people argue that the objective-setting process can itself be either
a source of risk (if done wrong) or a tool to treat risk (if done right).
First, even if the organisation can agree on its strategic mission, it can be
much harder to choose a range of suitable objectives that support the
mission. When setting objectives, organisations have to balance the
conflicting expectations of a range of stakeholders, and this might be very
hard to do. The result can be a range of compromises or potentially
conflicting objectives.
Second, the organisation’s strategies and objectives need to be
continuously questioned because the internal and external context of an
organisation is constantly changing. So what is a sensible mission today
could become obsolete tomorrow.
Third, if there is an inappropriate strategic mission, or if the mission is not
clear and understood at all levels of your organisation, and if that mission
is not effectively cascaded down through the organisation in supportive
tactical and operational objectives, then, with the best will in the world, people
are likely to interpret the mission in different ways and the result is likely to be
anarchy and disorganisation.
Fourth, an organisation might issue a range of objectives to its staff, but if
these objectives are not fully accepted by those people charged to deliver
them, then you can already see risks arising even in the objective-setting
process – the formal objectives might be at variance with the informal
objectives.
Fifth, an organisation can reduce its risk exposures, at least in the short
term, if it sets easy-to-achieve objectives, but is likely to increase its
exposures if it sets its objectives as being over-ambitious.
Ultimately then, any risk management activity that supports wrong, unclear or
vague objectives might lead to excellent management of the wrong risks. A
poorly executed objective-setting process can, in itself, be a source of risk.
Figure 3.2 below suggests that objectives can be set at different levels within the
organisation:
In the first instance, organisations must set the overall, organisation-wide
strategic objectives. Ultimately, all objectives should be supportive of, and
be aligned with, the strategic mission and purpose of the business.
Through the process of delegation, organisations must then agree on
compatible tactical objectives, at the level of departments, divisions or
business units. These will focus on the implementation of strategy, and
these will typically cover timescales of around one to three years.
Finally, the tactical objectives will be further delegated into the operational
objectives of teams and even individual personnel, covering a much
shorter period of time ranging typically from days to months.
Figure 3.2: The three levels of objective setting
There is a relationship between this three-level objective-setting model and the
three broad categories of risk (opportunity or mainly strategic risks; control or
mainly tactical risks; and hazard or mainly operational risks) in Unit 1.
Learning activity 3.7
Gather information on your organisation’s strategic mission and its strategic
objectives (you might be able to gather this information from the annual report).
Try to identify possible inconsistencies between the set of strategic objectives
that you gather by identifying how the business could achieve one objective at
the expense of another.
RISK IN THE REAL WORLD
The survey which we introduced in the further reading for unit 1
(Accenture, 2011), showed that most large organisations
around the developed world had already invested in, or were
actively developing, an ERM framework and process for their
business. It showed that this was primarily due to an increased
expectation, from both within and outside the organisation, that
risks are managed well in order to provide reasonable
assurance of the achievement of objectives.
Although the Accenture survey showed that there has been
improvement in all areas (page 5), the maturity levels were not
as high as hoped for (pages 28–9) and the benefits of the ERM
investment seemed rather elusive (pages 30–1). We should
not forget, however, that this report was presented not long
after the financial crisis, at a time when several commentators
considered that risk frameworks had failed to prevent the crisis
from occurring.
Learning activity 3.8
Think of some possible barriers to the implementation of an ERM approach. For
each barrier try to suggest a way in which the risk manager can overcome them.
Self-assessment questions
1 Which of the following definitions best describes the term ‘control activities’
in the COSO ERM framework?
a) Identifying internal and external events affecting achievement of
objectives
b) Analysing risks, their likelihood and impact
c) Establishing policies and procedures
2 The full implementation of ERM in a large business is likely to be measured
in terms of which one of the following periods?
a) Up to one year
b) One year to three years
c) More than three years
3 Which of these is part of the risk management context, as opposed to the
external or internal contexts?
a) The regulatory framework
b) The risk appetite
c) The competitors, suppliers and customers
Further reading
Enterprise risk management
IRM’s ORC (2014) has a range of publications on the subject of ERM, including
tips, difficulties, surveys and new developments.
We mentioned that credit rating agencies are now doing assessments of the
ERM maturity of businesses as part of their input into how they score an
organisation’s credit worthiness. The example given of Standard and Poor’s
(2013) shows how Standard and Poor’s do their ERM assessment within the
insurance sector.
This Chartered Professional Accountants Canada paper (Caldwell, 2012)
provides a fairly extensive guide on the role of the board of directors in ERM.
It includes discussion about the board’s role in the implementation of ERM and
also some discussion on the context of risk management, which it limits to the
external context.
In 2011, COSO produced its own guide on implementing the COSO ERM called
Embracing Enterprise Risk Management: Practical Approaches for Getting
Started, which you may be interested in reviewing (COSO, 2011).
A Harvard Business Review document by Mikes and Kaplan (2014), is all about
a contingency theory of ERM. The lesson from the paper is that to implement
ERM you need to know much about two things: the technical aspects of risk
management and your organisation. The true skill of the ERM implementer is to
be able to blend technical knowledge with organisational knowledge.
ERM context
A useful further reading around the context of risk management, ‘Establish
Context’, is from RISK.COM.AU (undated). It provides a simple bullet point list for
each of the three context categories.
A third brief but thought-provoking article is ‘Really Different’ by Riskviews
(2010). It explores the idea that an organisation’s internal and external risk
context can be subject to violent change at very short notice and suggests the
transition to the financial crisis in 2007–8 is an example of such a violent
transition.
Feedback to activities
Activity 3.1
1 You can obtain a definition from a number of places in the main Hopkin text.
See for example Hopkin (pages 44 and 207). The latter has a full table with four
different definitions.
2 We saw in unit 1 how traditional approaches were around the development of
specialisms, such as insurance, health and safety and financial risk
management; in other words risk was managed in ‘silos’, often mapped to
individual departments of a business and there was little commonality of systems
and terminologies between them. ERM seeks to overcome this silo-based
approach by what we call a ‘holistic’ approach that is driven from the top (or
board level) of the organisation and embedded down and throughout the rest of
the enterprise. For further details see Hopkin (pages 44 and 201–3).
Activity 3.2
1 This goes to the heart of ERM in that risk management starts at the top of the
organisation, by the management of entity-wide risks and then the same
methodology spreads from there down and across the enterprise. These entity-
wide risks might well be the strategic types of risk that if they occur will impact
upon the whole of the organisation. Read more about this in the COSO ERM
reading and you will see how often the word entity is referred to.
2 To answer this question you might wish to track the potential consequences of
one department’s list of risks to see how that could translate to consequences in
other departments. This activity of mapping the consequences of a single risk is
the only way to determine its enterprise-level severity. Mapping the
consequences of risk is something we will look at in detail in unit 4.
Activity 3.3
Some of the major influences might be: (i) laws and regulations, (ii) cultures in
both the country and sector, (iii) competitor behaviour and (iv) the influences of
powerful stakeholders. Some of the restraining factors might include: (i)
knowledge and the lack of it, (ii) cultures in both the country and sector, (iii)
competitor behaviour and of course (iv) costs.
Activity 3.4
The first stage of the Airmic, Alarm, IRM (2010) ‘planning and designing’ clearly
relates to ‘design of framework’ in ISO 31000 clause 4, ‘scoping’ the
implementation project to cover all activities of the business and clarifying the
risk management framework. Both standards also require a board mandate in
the first stage in the process.
The second stage ‘implementing and benchmarking’ concerns itself with the
main stages of the risk management process. There are parallels with ISO
31000’s ‘implement risk management’. Key to this stage is recording the risk
assessments in the risk register and embedding risk management within the
organisation. We will discuss these ideas further in module 2.
The third stage ‘measuring and monitoring’ mirrors ISO 31000’s ‘monitor and
review framework’.
The fourth stage focuses on learning from the implementation and further
developing ERM. The risk professional should always be asking: ‘How can we
improve our risk management activities?’ They can develop methods for routine
and non-routine reporting and looking for deficiencies or inefficiencies from which
an organisation can learn to better manage risk. This stage reflects the ‘improve
framework’ in the final stage of ISO 31000’s clause 4.
Activity 3.5
You could possibly divide the organisation’s ‘world’ (or the external context) into
two dimensions. First, there is the inner world, which deals with the
organisation’s competitive environment and includes the organisation’s
competitors, suppliers and customers. Second, there is the outer world, which
deals with wider macro subjects such as the economic, technological, ethical and
legal trends in the wider society in which the organisation operates.
The internal context is likely to include your organisation’s structures, cultures,
the views and behaviours of the board of directors and the relative internal
strengths and weaknesses that your organisation has.
We will look at sources of risks from the external context and the internal
environment in the next unit.
Activity 3.6
Establishing the context of the risk management process should help to justify
the resources needed for risk management. The context of the risk management
process can help define the objectives, scope, responsibilities and resources for
risk management. It can also help to identify methodologies to be used and how
risk management performance will be evaluated.
You can find the advantages of an ERM approach by the use of the FIRM
scorecard in table 19.3 in Hopkin (page 209). But we must emphasise that the
organisation can only realise these advantages if the framework is working as it’s
intended to work. A tool to measure the good principles of a risk management
approach is the PACED acronym.
One method you could adopt is to take the benefits from table 19.3 in Hopkin
(page 209) and identify performance measures to mirror your expectations. For
example, on the reputational measure you could undertake a questionnaire of
stakeholders to get their views on their perceptions of the organisation, say one
year after implementing an ERM framework.
Activity 3.7
Try to identify possible inconsistencies between the set of strategic objectives
that you gather by identifying how the business could achieve one objective at
the expense of another. Where objectives conflict, there is the risk that the
overall strategic purpose of the business might be at peril. In that sense, it could
be described as the first stage of the risk identification activity, which we will
discuss in the next unit.
Bear in mind as well that an organisation’s mission statement is often too broad
or undefined to facilitate assessing risks to their achievement. The core strategic,
tactical and operational objectives and processes are established to deliver the
mission statement, but even these objectives may still be at a high level and risks
might not be easy to identify. When objectives have been defined, actions to
achieve them need to be set, and these should have specific targets against
which risks can be assessed.
Activity 3.8
Table 36.2 in Hopkin (page 389) provides a set of the barriers, but also
suggestions on how to overcome them. It is likely that when your organisation
developed its risk management approach it would have experienced all of these
problems to a lesser or greater extent.
You may also like to read the BBC News article ‘Rock risks “were not
foreseeable”’ (BBC News, 2007). Are there unforeseeable risks in your
organisation? How can you adapt your ERM framework to detect risks which are
very hard to foresee, but which could kill your business?
Answers to self-assessment questions
1-c
2-c (Shortreed (2010) mentions a period of three to five years)
3-b
Unit 4 Risk assessment 1: introduction and identification
Unit learning outcome
After studying this unit, you should be able to:
Examine the main approaches to risk identification
Unit contents | Section learning outcomes
4.1 Risk assessment considerations…49 | Describe the critical importance of risk assessment, outlining the range of techniques that are available and the advantages and disadvantages of each one
4.2 Risk causes (sources) and consequences…56 | Explain the life cycle of risk, including causes, the risk event itself and the consequences, along with some of the tools for identifying and managing causes and consequences
4.3 Risk classification systems…60 | Describe the importance of risk identification, including the key features of the best established risk classification systems
Resources
You should make sure you have access to the following resources before starting this unit:
Hopkin (2014), chapters 13 and 14
The Orange Book (HM Treasury, 2004), chapter 3
‘StrategicRISK 2012 Risk Report’ (StrategicRISK, 2012)
‘Risk Management: It’s Not Rocket Science – It’s Much More Complicated’ (Adams, 2007)
Introduction
This unit is the first of two on risk assessment – a key element of the process of
enterprise wide risk management. In the unit we introduce the wide-ranging
subject of risk assessment before going on to deal with the first ISO 31000
element of risk assessment, risk identification. In unit 5, we will cover the other
two ISO 31000 elements of risk assessment: risk analysis and risk evaluation.
As in unit 3, we will be using the ISO 31000 standard as the basis of our work
and we will do this for the remainder of the module, although we will refer to
other standards too, especially the COSO ERM and The Orange Book.
4.1 Risk assessment considerations
ISO 31000 states that establishing the context, which includes setting objectives
and developing a risk appetite, is the first stage of the risk management process.
Risk assessment is the next stage and it is vitally important.
This ISO 31000 standard identifies three components of risk assessment –
identification, analysis and evaluation – which IRM neatly summarises
(Fundamentals of Risk Management (FoRM) 2013) as:
Risk identification:
o What might happen (the event)?
Risk analysis:
o How likely is it to happen?
o If it does, what might the impact be?
Risk evaluation:
o So what?
o Is it within our risk appetite and tolerance?
For the moment, do not worry about the meaning of any of these terms, as we
will cover each of them in detail during this unit and the next.
COSO ERM (2004) and chapter 2 in The Orange Book (HM Treasury, 2004)
tackle risk assessment in slightly different ways – Table 4.1 below looks at
them side by side.
In Table 4.1 the elements marked with an asterisk (*) are those which relate to
risk assessment. The third and fourth elements in the COSO process are ‘event
identification’ and ‘risk assessment’ – the latter one is similar to ISO 31000’s
‘risk analysis’ and ‘risk evaluation’. Similarly, on page 13 of The Orange Book the
relevant elements are similar to those of COSO ERM; namely ‘identifying risks’
and ‘analysing risks’.
Table 4.1: Reconciling risk assessment across three risk management processes
ISO 31000                      | COSO ERM                       | The Orange Book
Setting the context            | Internal environment           | Identifying risks *
Risk identification *          | Objective setting              | Assessing risks *
Risk analysis *                | Event identification *         | Addressing risks
Risk evaluation *              | Risk assessment *              | Reviewing risks
Risk treatment                 | Risk response                  | Communication and learning
Communication and consultation | Control activities             |
Monitoring and review          | Information and communication  |
                               | Monitoring                     |
Risk assessment is a relevant process for the three layers of risks that we
introduced in Unit 1: strategic, tactical and operational.
There are two approaches to risk assessment:
Top-down: the first approach is to start risk assessment with the board
and then work down the organisation – this method will tend to start with a
focus on strategic objectives and strategic risks, especially external risks.
It has the advantage of gaining top management commitment, but it has
the danger of superficiality, especially with deeper causes of risk.
Bottom-up: an alternative approach is to start from the bottom of the
organisation and work upwards – this method will tend to start with a focus
on operational objectives and risks, especially internal risks. But it could
have the disadvantage of individuals having a very local view of risk. Risk
professionals call this a ‘silo-based’ approach, which may not reveal the
interconnectedness of risks throughout the organisation. It might also be
distorted by a range of different perceptions of risk by the people involved.
A third option, which addresses the disadvantages of each approach set out in
Tables 4.2 and 4.3 below, is a combined approach: run the top-down and
bottom-up assessments together and reconcile them somewhere in the middle.
UNIT 4 | RISK ASSESSMENT 1: INTRODUCTION AND IDENTIFICATION
Table 4.2: Top-down risk assessment
Advantages:
o A top-down assessment is likely to result in an enterprise-wide approach – the risks at the top will have impacts throughout the business
o The most significant strategic risks can be captured quickly
o Shows risk management buy-in from the top of the enterprise, resulting in a cascaded acceptance of risk management activities at all levels
o Since it originates from a single point, it results in a high chance of methodological consistency here and in other parts of the enterprise
o Since it originates from a single point, it should result in a manageable number of risks and the process of assessment should be quick and less costly
Disadvantages:
o Overly focused on external risks
o Little awareness of internal operational risks and in particular links and interdependencies of risks within the business
o Danger that the approach becomes too superficial
o Danger that new risks emerging from the operational activities of the business might not be seen by senior management
Table 4.3: Bottom-up risk assessment
Advantages:
o Significant buy-in at all levels of the enterprise
o Can be mirrored to an existing organisation chart
o Operational staff have great awareness of their local risks, including the causes of those risks, which might elude higher levels of management
o Methodology can be varied according to local norms and culture (useful for an international approach)
o If led by a risk professional, risk impacts beyond the immediate impacts in the operational area can be mapped out
Disadvantages:
o Little focus on external risks or strategic risks
o Very detailed and time consuming to assess risks. May demotivate as it will take longer to get overall enterprise results, resulting in a perceived low cost-benefit outcome
o Danger that the approach becomes too detailed and blinkered, resulting in a silo approach to risk assessment
o Danger that new risks emerging from the operational activities of the business might not be recognised or reported by operational staff
Who should assess the risks? The manager responsible for delivering an
objective should assess the risks that impact on his or her range of
responsibilities, but a range of general or specialist risk professionals can help
that manager. Module 2 deals with risk management responsibilities.
Essential reading
Read the first three parts of Hopkin chapter 13 (pages 141–5). ‘The importance
of risk assessment’ defines the subject and ‘Approaches to risk assessment’
begins a discussion of the practical applications of risk assessment. ‘Risk
assessment techniques’ is the most important part of the chapter because it
explains more practical techniques that organisations can use for risk
assessment.
Risk assessment techniques
There are four well-established techniques for risk assessment – for identifying
risks, for deciding on the severity of the risks (risk analysis) and deciding on
whether the risks need to be treated (risk evaluation). These are (1) checklists
and questionnaires; (2) workshops and brainstorming; (3) inspections and audits;
and (4) flowcharts and dependency analysis.
Depending on organisational cultures, structures, industries and locations of
operation, some methods will be more suitable than others.
This list of four techniques is by no means a complete list of risk assessment
techniques; for other examples of such techniques please see the further reading
listed in unit 4 of the study guide.
Some techniques are more suited to a quantitative analysis of risks, while others
are more suited to a qualitative analysis. We shall address the topic of risk
analysis in Unit 5, and so at present you do not need to understand the
differences.
The fourth part of Hopkin chapter 13 is titled ‘Nature of the risk matrix’.
It introduces the techniques for recording the severity of a risk, by way of risk
likelihood and risk impact measures, which we collectively call risk analysis.
Essential reading
For the moment we recommend just a skim read of this fourth part of Hopkin on
the risk matrix (pages 145–7). For the present, disregard tables 13.3 and 13.4
because we will cover this content in much more detail in unit 5, along with
describing terms such as ‘risk map’, ‘risk matrix’ and ‘test for significance’.
Activity 4.1
What risk assessment techniques does your organisation use to identify its
risks (Hopkin, 2014: chapter 13, starting on page 141)? How does that
compare with the way you identify risks in your specific team?
Risk perception
When we assess a risk it is tempting to assume that people have full information
about the risk, and can use that information rationally and optimally in order to do
their assessment correctly. However, each individual involved in the risk
management process is unique and will have different views or perceptions of risk.
Risk has both an objective reality (a likelihood that it will rain tomorrow or it will
not) and what might be called a subjective reality (the human perception of the
risk, shaped by psychological factors, cultural factors and other intangibles) that
may lead people to under- or over-state the severity of risk.
Different perceptions of risk might exist at different levels of seniority of the
organisation – the board may be less aware of operational risk at shop floor level
while shop floor workers may be less aware of strategic risks at the entity level.
Furthermore, individual risk perceptions are likely to change over time and
through experience.
Activity 4.2
Try to think of an unexpected event that affected you badly – for example a
street robbery, or a sudden unexpected major loss.
a How did it change your view of the world in terms of your own risk
identification, analysis and controls?
b Following the event, do you feel that the future likelihood of the event
changed, or was it just your perception of a repetition of the event that
had changed?
Differing risk perception is important because problems can occur in the
identification of risks, where some risks might be missed, while other irrelevant
risks might be captured. Some of the issues around different risk perceptions are
as follows:
People have different perceptions of what a risk is and how a risk can
manifest itself (risk identification).
People might hide risks or present false risks for their own self-interest
rather than for the benefit of the organisation’s risk management activities
(risk identification).
People have different views of the likelihood of a specific risk occurring
(risk analysis).
People have different knowledge of the way and the level in which a risk
can impact (risk analysis).
People may deliberately understate or overstate risk severity for their own
self-interest rather than for the benefit of the organisation’s risk
management activities (risk analysis).
People have different views of what level of risk is acceptable (risk
evaluation).
Misperception of risk results in incorrect or inconsistent data being
collected in order to fully assess and correctly treat risks.
Some risks are true ‘unknown unknowns’ and cannot be directly perceived
or identified through scientific method.
The subject of differing risk perceptions implies that the way individuals assess
their risk world is likely to be very inconsistent. No two people will have exactly
the same view and no one will have a completely objective and accurate view of
risks because their perception will influence their judgement. There are two real
dangers that may result:
Organisations are likely to manage the same risks very inconsistently,
depending on the individual who must manage that risk, thus increasing
the overall organisational uncertainty.
Risk managers could seek to achieve greater kudos among their
stakeholders by focusing their efforts on helping to manage the
stakeholders’ fears over what they perceive to be the most significant risks
rather than what are actually the most significant risks.
Essential reading
Read the fifth part of Hopkin chapter 13 (pages 147–8) on ‘Risk perception’.
Hopkin states that, because it is people who undertake risk assessment, each
person will have different perceptions of the risks they face and that can result in
inconsistencies.
Skim read the sixth and final part of Hopkin chapter 13 (pages 149–51) called
‘Attitude to risk’. You need only do a skim read because in unit 5 we will review
Hopkin chapter 20, which describes the subject in detail.
There are further reading sources on the subject of risk perception at the end of
this unit. In particular, the ‘Alarmed and Dangerous’ article in StrategicRISK (April
2011) provides a short discussion of the top ten factors that affect risk perception
and how the quantitative aspects of risk assessment can actually lead to a
complete misperception of the real level of risk people face.
4.2 Risk causes (sources) and consequences
In this section we look into the causes and consequences of risk events, and
their relationships, along with a discussion of the associated difficulties for good
risk management.
We begin, in Tables 4.4 and 4.5 below, by comparing good and poor descriptions
of risk, and how poor descriptions of risk can lead to difficulties for risk
management.
Table 4.4: Examples of good risk descriptions
Risk description: Increased staff turnover in IT services department
Causes:
o Job dissatisfaction
o Lack of training or development opportunities
o Autocratic management style
o Uncompetitive salaries
Consequences:
o Loss of valuable IT knowledge
o Poorer response to IT queries
o Lack of technological development in IT
o Delay in delivery of business objectives
Risk description: Failure to comply with a key section of the Sarbanes-Oxley Act 2002
Causes:
o Lack of awareness of the specific provisions
o Lack of a compliance checklist or register
o Lack of funds to develop an acceptable framework of financial controls
Consequences:
o Adverse publicity
o Specific criminal and financial penalties for senior staff
o Large fines on the business
o Loss of shareholder value
Table 4.5: Examples of poor risk descriptions
Risk description: Lack of IT training in the HR department
Causes:
o Lack of funds
o Lack of interest
Consequences:
o Errors in data processing
o Losses of important or confidential data
Why it is a poor risk description: A lack of IT training is a cause of risk (even though it might have an underlying cause itself); the provision of training can be regarded as a control to mitigate the risks of data errors and losses.
Risk description: Fines
Causes:
o A failure to comply with laws and regulations
Consequences:
o Financial losses
o Losses to reputation, especially if it is due to a moral failure
o Maybe loss of access to certain markets
Why it is a poor risk description: Fines are the impact of a risk on the organisation – the risk is one of a failure to comply, because of lack of knowledge or a control failing. Also, this description is very wide, making any specific control hard to specify.
Risk description: A failure to hit our 5% net profit to sales target
Causes:
o Too many to mention
Consequences:
o Redundancies
o Poor share price performance
o Losses to reputation
o Downsizing, market or product withdrawals
Why it is a poor risk description: We have described a consequence rather than a risk. Risk is the effect of uncertainty on objectives. Here we describe the consequence of possibly many uncertainties on an objective.
Identifying risks can help to investigate what can go wrong. However an
investigation into the cause of risk will also help to explain why things can go
wrong, how they can go wrong and when they can go wrong. If you can identify
why, how and when, in addition to what, you can decide whether:
your existing risk treatment can manage those risk causes
you need to change your existing treatment
you need new or additional treatment controls
you can or cannot control the risk at all.
Essential reading
Look again at the bottom of page 15 of The Orange Book (HM Treasury, 2004:
15). Using a train journey by way of example, it shows right and wrong ways to
identify risks to a set objective. Can you see how some of the so called ‘risks’
were in fact consequences of events rather than risk events themselves?
Risk consequences
Investigating the consequences of a risk helps us to understand the impact on
specific aspects of our organisation such as objectives, core processes, key
dependencies and stakeholders; it helps us see where things can go wrong as
the result of a negative risk event.
By identifying where risks could occur we can discover the most vulnerable areas
of impact and then take actions to protect them. For example, where we have
just one supplier for a critical component, we might wish to obtain a second
supplier, or where we have one specialist member of staff to cover a key
process, we might wish to train another. This is a core element of business
continuity planning (BCP), which we shall look at in detail in Section 6.7 of this
study guide.
The causes and consequences of risk can also be illustrated using a ‘bow-tie
diagram’ (see figure 4.1 below). The centre of the bow-tie is the major event or
uncertainty. To the left are the immediate and underlying threats or causes. To
the right are the immediate and ultimate consequences.
Figure 4.1: The bow-tie tool
Assembling the diagram helps to focus on the precise nature of each risk and
provides a logical basis for analysing the context, causes and consequences.
Control measures acting on specific causes or consequences can then also be
clearly identified and evaluated.
The bow-tie tool also allows us to:
Take risk causes and consequences not just to one level but (in the case
of figure 4.1 above) to two levels.
Plot several contributory causes for one risk and show one risk as having
several consequences.
This second point is a sound argument for an ERM approach, because it
requires us to look at the causes of the risks from all aspects of the enterprise
and similarly to map enterprise-wide consequences.
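The bow-tie described above can be held as data, which turns the last point (identifying which control acts on which cause or consequence, and where no control acts at all) into a mechanical check. The block below is an added example written for this unit; it is not code from the IRM study guide or from Hopkin. It uses the Table 4.4 staff-turnover risk as the event; the nesting of two causes under ‘job dissatisfaction’, the second-level consequence and all of the control names are assumptions added for illustration.

```python
"""Bow-tie model of one risk event: causes to the left, consequences to
the right, each to two levels, with controls attached to the node they
act on. Added example for this unit; it is not code from the IRM study
guide or from Hopkin. The risk, causes and consequences come from
Table 4.4 (staff turnover in IT services); the nesting of two causes
under 'Job dissatisfaction', the second-level consequence and all
control names are assumptions added for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Node:
    """A cause (left side) or a consequence (right side).

    children = the next level outwards: underlying causes of a cause,
    or ultimate consequences of an immediate consequence.
    controls = preventive controls (on a cause) or mitigating/recovery
    controls (on a consequence) acting on this node.
    """
    name: str
    controls: list = field(default_factory=list)
    children: list = field(default_factory=list)


@dataclass
class BowTie:
    event: str
    causes: list = field(default_factory=list)
    consequences: list = field(default_factory=list)

    def _leaves(self, nodes, path=(), controlled=False):
        """Yield (path, controlled) for each outermost node on one side.

        A chain counts as controlled if any node between the event and
        the leaf carries a control: one control on an immediate cause
        covers every underlying cause feeding it.
        """
        for node in nodes:
            here = path + (node.name,)
            now = controlled or bool(node.controls)
            if node.children:
                yield from self._leaves(node.children, here, now)
            else:
                yield here, now

    def uncontrolled(self, side):
        """Chains on 'causes' or 'consequences' with no control anywhere."""
        return [" -> ".join(p) for p, ok in self._leaves(getattr(self, side)) if not ok]

    def controls(self):
        """Every control with the exact cause or consequence it acts on."""
        found = {}
        for side in ("causes", "consequences"):
            stack = [((), n) for n in getattr(self, side)]
            while stack:
                path, node = stack.pop()
                here = path + (node.name,)
                for c in node.controls:
                    found[c] = (side, " -> ".join(here))
                stack.extend((here, ch) for ch in node.children)
        return found

    def depth(self, side):
        """Number of levels drawn on one side (Figure 4.1 shows two)."""
        return max((len(p) for p, _ in self._leaves(getattr(self, side))), default=0)


def staff_turnover_bowtie():
    """The Table 4.4 risk laid out as a bow-tie (nesting and controls assumed)."""
    return BowTie(
        event="Increased staff turnover in IT services department",
        causes=[
            Node("Job dissatisfaction", children=[
                Node("Autocratic management style"),           # no control yet
                Node("Uncompetitive salaries",
                     controls=["Annual salary benchmarking"]),
            ]),
            Node("Lack of training or development opportunities",
                 controls=["Ring-fenced training budget"]),
        ],
        consequences=[
            Node("Loss of valuable IT knowledge",
                 controls=["Documented runbooks and hand-over procedure"],
                 children=[Node("Delay in delivery of business objectives")]),
            Node("Poorer response to IT queries"),                # no control yet
            Node("Lack of technological development in IT"),     # no control yet
        ],
    )


if __name__ == "__main__":
    bt = staff_turnover_bowtie()
    for side in ("causes", "consequences"):
        print(f"{side} ({bt.depth(side)} levels) without any control:")
        for chain in bt.uncontrolled(side):
            print("  ", chain)
    for control, (side, target) in bt.controls().items():
        print(f"control '{control}' acts on {side[:-1]}: {target}")
```

Running it lists one cause chain and two consequences that no control touches, which is exactly the output a workshop wants in front of it before deciding on treatment. The rule that a control on an immediate cause also covers its underlying causes is a modelling choice; if your organisation wants every underlying cause controlled separately, drop the `controlled` argument from `_leaves`.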
Essential reading
Look at what Hopkin says about the ‘Bow tie representation of risk management’
in Chapter 4 (pages 47–48).
Activity 4.3
Using the diagram on page 48 in Hopkin, try to identify a second level cause of
each of the two risk sources on the diagram. And what might be a second level
consequence for each of the three consequences on the diagram?
There are other tools, such as flowcharting and fishbone analysis, that we can
adopt for helping us understand causes and consequences of risk and we
include some references for further reading at the end of the unit. Flowcharting,
for example, is especially useful for project risk management in that it can help
identify critical project paths, or process bottlenecks, where the organisation is
especially vulnerable.
Activity 4.4
You are studying for IRM’s International Diploma in Enterprise Risk
Management.
a Identify three risks which could impact on your objective to gain that
qualification.
b Identify two causes for each of the three risks that you identify.
Undertaking a full cause and consequence analysis of risks can take a very long
time, as you could probably identify hundreds and maybe thousands of risks
facing your organisation, all of different severities. It is therefore often advisable
to start this investigative work by first focusing on what you think are the most
important (severe) risks and afterwards extending your investigations to the
many less important risks. An advanced risk management information system
can also help us to map causes and consequences for the whole enterprise.
Activity 4.5
Try to map out the consequences of a risk in your area of responsibility where
those consequences go beyond your own area, impacting say on another
department.
How might you manage the consequences of this risk?
4.3 Risk classification systems
In this section, we look at identifying and classifying risks. We start by defining
‘risk identification’ and explaining its purpose. We then review several risk
classification systems, including the FIRM risk scorecard and COSO categories.
Identifying risks
The COSO ERM (2004: 4) describes the ‘event identification’ activity as follows:
‘Internal and external events affecting achievement of an entity’s
objectives must be identified, distinguishing between risks and
opportunities. Opportunities are channelled back to management’s
strategy or objective-setting processes.’
Meanwhile IRM (2002: 5) says:
‘Risk identification should be approached in a methodical way to ensure
that all significant activities within the organisation have been identified
and all the risks flowing from these activities defined. All associated
volatility related to these activities should be identified and categorised.’
We could also use a definition of risk identification from the Chartered Institute
of Internal Auditors (CIIA, 2005: 25) as follows:
‘The process of determining what events might occur to affect the
objectives of the organisation and their root causes’.
In one way, the CIIA viewpoint is too simple, because we should also consider
events that might impact on key dependencies, core processes, and
stakeholders as well as ‘objectives’.
Risk identification is a really important part of risk management. Some might say
it is the most important part, since if you fail to identify your risks, then your risk
management process will stop there. You cannot treat risks if you do not first
know your risks. In fact, even if you can get staff to identify their risks and do no
more than that, they will subconsciously begin to prepare for those risks, which
in itself tends to reduce their severity.
The aim of risk identification, within a risk management process, is to generate a
comprehensive list of risks from the events/uncertainties that might negatively
impact or enhance the achievement of objectives. If a risk is not identified, then
there is no opportunity of doing anything to prevent or mitigate it.
We often identify risks consciously, for example through some of the risk
assessment techniques discussed above. But we can also identify risks
subconsciously. For example, when we drive a car we are constantly looking out
of the window to identify and respond to risks, without even realising it. Adams
(2007) calls this a ‘directly perceived’ risk.
Here are some of the reasons why organisations choose to classify risks. Risk
classification:
Provides structure to the process of risk identification, which can help
participants – for example, delegates in a risk management workshop – to
identify more risks than they would if no risk classification existed.
Helps with the development of consistent risk terminologies across the
organisation, which is essential for ERM to work.
Enables the organisation to collect together similar risk types throughout
the organisation, which can:
o enhance organisation knowledge
o assign responsibilities for specific types of risk
o estimate total exposure to risk by type of risk using the expertise of
relevant professionals for each risk type
o help to determine the level of risk by type that can be accepted by
the organisation
o enable a bundling together of risks for similar treatment – such as
single insurance policies for one type of risk – which can increase
the efficiency of risk management
Most of Hopkin chapter 14 focuses on a range of models for classifying risks and
we will look at these in turn.
Short-, medium- and long-term risks
Risks can be classified as short-, medium- and long-term:
Short-term risks – those with an immediate impact, primarily on operational
activities.
Medium-term risks – associated with tactics; those whose impact becomes
apparent between a few months and a year after the event.
Long-term risks – associated with strategy; those whose impact is felt between
one and five years after the event.
Essential reading
Read the first two parts of Hopkin chapter 14 (pages 152–4) called ‘Short,
medium and long-term risks’ and ‘Nature of risk classification systems’.
RISK IN THE REAL WORLD
The box in Hopkin on page 151 shows how we can identify a small selection of
risks for the three levels of impact timescale when buying a car.
As Hopkin suggests, several different classification systems are well established,
including the COSO ERM top face, the FIRM risk scorecard and PESTLE.
The FIRM risk scorecard
The FIRM scorecard classifies risks as Financial, Infrastructure, Reputational
and Marketplace. This model can also be used as a tool to determine the
organisation’s objectives, consequences of risks and sources of risk. We have
already referred to the FIRM acronym in Section 3.3 of this study guide, and we
will continue to apply it from time to time in later units.
A second dimension within FIRM is to classify risks that are derived:
Internally, from within the business (for example, staff fraud), which can be
seen as the financial and infrastructural risks. The source of internal risk is
the internal context.
Externally, from outside the business (for example, exchange rate
variability), which can be seen as reputational and marketplace risks. The
source of this risk is the external context.
Identification should include risks where the source may or may not be under the
control of the organisation. External risks are more frequently overlooked than
internal risks – generally people know the internal workings of their organisations
well, so there are fewer surprises from them.
Meanwhile IRM (2002: section 2.1) outlines the types of risk as financial,
strategic, operational and hazard, and then superimposes a second dimension
according to whether risks are internally or externally driven.
Another way to look at FIRM and the IRM Risk Management Standard
classification is to regard them as very high-level classifications of risk, which
could then be disaggregated into subcategories. For example, the financial class
of risk could be disaggregated into the following subclasses:
treasury risks
sales management risks
purchase management risks
payroll risks
financial reporting risks
financial forecasting risks
These could then be broken down further into sub-subcategories. So for
example, purchase risks could include supplier risks, payment risks, delivery
risks, authorisation risks and so on.
PESTLE
PESTLE is a risk classification system for classifying risks from the
organisation’s external context. The PESTLE risk classification system varies
between authors, but typically is used to represent political, economic, social,
technological, legal and environmental (or sometimes ethical) risks.
Essential reading
Read the third, fourth and fifth parts of Hopkin chapter 14 (pages 154–9),
‘Examples of risk classification systems’, ‘FIRM risk scorecard’ and ‘PESTLE risk
classification systems’. Then look further ahead to Hopkin’s table 17.2 (pages
183–5) which presents a full range of risks for each of the four FIRM categories.
RISK IN THE REAL WORLD
Have a look at the case study on page 137 of Hopkin, which shows how
Australian Mines Limited identify and classify risks.
Hazard, control and opportunity risks
Essential reading
Read the last part of Hopkin’s chapter 14 (pages 159–61), on ‘Hazard, control
and opportunity risks’.
It is in practice possible to build a three-dimensional classification model, where:
The first dimension is type – in terms of hazard–control–opportunity (or
operational–tactical–strategic).
The second dimension is the timescale of the impact.
The third dimension is the external/internal dimension.
Figure 4.2 below shows how such a classification model can look.
Although it has not been suggested by research, ultimately we could envisage a
multi-dimensional model to classify risks, making it very complicated indeed.
Implicitly, such an approach might well exist in some organisations, although one
thing we can conclude is that each organisation will have its own best way of
classifying its risks.
Figure 4.2: Risk identification: applying different lenses
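The three-dimensional model just described can be held as a small fixed vocabulary plus a grid, which gives two of the practical benefits of classification listed earlier: every part of the organisation tags risks with the same terms, and the empty cells of the grid show where nothing has been identified (typically the external and long-term cells, which this unit notes are the ones most often overlooked). The block below is an added example for this unit, not code from the IRM study guide or from Hopkin. The register entries reuse risks named in this unit, and the tags attached to them are assumptions made for illustration.

```python
"""Three-lens risk classification (type x timescale x source) with the
two checks a risk function wants from it: a fixed vocabulary, so the
whole enterprise tags risks the same way, and a blind-spot report
listing cells of the grid where nothing has been identified.

Added example for this unit, not code from the IRM study guide or from
Hopkin. The register entries are constructed from risks mentioned in
this unit and their tags are assumptions made for illustration.
"""
from collections import Counter
from itertools import product

# The three lenses of the classification model, with the only values allowed.
LENSES = {
    "type": ("hazard", "control", "opportunity"),
    "timescale": ("short", "medium", "long"),
    "source": ("internal", "external"),
}


def validate(risk):
    """Raise ValueError unless every lens is present with an allowed value.

    Rejecting near-misses such as 'Hazard' or 'ext' is what keeps the
    terminology consistent across the organisation."""
    for lens, allowed in LENSES.items():
        value = risk.get(lens)
        if value not in allowed:
            raise ValueError(
                f"{risk.get('name', '?')!r}: {lens}={value!r} not in {allowed}")
    return risk


def cell(risk):
    """The grid cell a risk sits in, as a (type, timescale, source) tuple."""
    return tuple(risk[lens] for lens in LENSES)


def by_lens(register, lens):
    """How many identified risks fall under each value of one lens."""
    return dict(Counter(validate(r)[lens] for r in register))


def blind_spots(register):
    """Cells of the full type x timescale x source grid with no risk at all.

    An empty cell is not proof that no such risk exists; it is a prompt
    for the workshop to ask why none was identified."""
    occupied = {cell(validate(r)) for r in register}
    return [c for c in product(*LENSES.values()) if c not in occupied]


# Constructed register: risks named in this unit, tags assumed for illustration.
REGISTER = [
    {"name": "Increased staff turnover in IT services",
     "type": "hazard", "timescale": "short", "source": "internal"},
    {"name": "Failure to comply with a key section of SOX 2002",
     "type": "hazard", "timescale": "medium", "source": "internal"},
    {"name": "Staff fraud",
     "type": "hazard", "timescale": "short", "source": "internal"},
    {"name": "Exchange rate variability",
     "type": "hazard", "timescale": "medium", "source": "external"},
    {"name": "Single supplier for a critical component",
     "type": "hazard", "timescale": "medium", "source": "external"},
]


if __name__ == "__main__":
    print("by source:", by_lens(REGISTER, "source"))
    print("by type:  ", by_lens(REGISTER, "type"))
    gaps = blind_spots(REGISTER)
    print(f"{len(gaps)} of {3 * 3 * 2} grid cells have no identified risk, e.g.")
    for c in gaps[:3]:
        print("  ", dict(zip(LENSES, c)))
    try:
        validate({"name": "Untagged", "type": "Hazard", "timescale": "short",
                  "source": "internal"})   # capitalised: not in the vocabulary
    except ValueError as err:
        print("rejected:", err)
```

With this constructed register every risk is a hazard and nothing long-term or of the control or opportunity type has been identified, so the blind-spot report flags fifteen of the eighteen cells. That is the intended use: the lenses do not find risks for you, they show which questions the workshop has not yet asked.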
Risk identification can also be:
Forward looking: To try and identify what could happen. This typically
involves brainstorming workshops to develop a list of risks. Such a
workshop should consider possible causes and scenarios that show
what consequences could occur. All significant causes and
consequences for each risk should be considered. To ensure, as far as
possible, that risks are not missed, it is important that people involved
in the process have the necessary mix of knowledge and experience.
Historic: Looking at what has happened as a means of identifying what
could happen and how likely it is. Analysis of accidents over time is a
good example of this. The danger of historic analysis, however, comes
from confining it to too short a time period. Volcanoes, for instance,
may only erupt once every 100 or 200 years so an analysis focused
solely on the recent past would ignore this.
Other risk classification systems
There are many other risk classification systems, which Hopkin does not include.
We will not discuss these in any great depth, but if you are interested, or if
maybe you are considering running a risk management workshop for your
organisation, you could explore them further by accessing the references. We
will begin with The Orange Book.
Essential reading
Read chapter 3 of The Orange Book (HM Treasury, 2004: 15–17) which presents
a set of three risk classification systems for strategic level objectives, for tactics
and for operations. Note the similarities to Hopkin.
You will see that The Orange Book describes a two-stage approach to risk
identification: an initial and a continuous stage. The book cautions us that the
precise definition of a risk, in a practical sense, can actually be quite confusing; it
is something that organisations must overcome by suitable staff training, in order
to get a consistent approach across the enterprise.
It concludes that it is important not only to identify present day risks that can
impact on objectives, but also to consider future scenarios of risks that might
impact a long time into the future.
A second example is the StrategicRISK (2012) report, an interesting, brief and
easy to read report that categorises externally derived risks on the basis of the
World Economic Forum’s categories – namely economic, geopolitical,
environmental, societal and technological risks. It therefore has some similarities
with the PESTLE system. Its focus is on future (emerging rather than existing)
risks, and so there is a high degree of uncertainty about whether these risks will
occur at all, how severe they will be if they do, and over what timescale any
impact will arrive.
Thirdly, Adams (2007) explains that we can categorise risks three ways: into
virtual risks, risks perceived by science and risks perceived directly. It could be
argued that we have seen a process of moving from virtual risk to risk perceived
through science as a result of the expansion of knowledge of our environment,
but that would be mistaken. As we move old risks from the ‘virtual’ form to the
‘perceived through science’ form, new risks are always emerging to fill the pot of
virtual risks. One could go further and argue that there is a fourth category of
risks: those risks which are yet to be discovered, that one day will enter the pot of
virtual risks.
Here are a few more examples of risk classification systems:
Airmic, Alarm, IRM (2010) confirms that ISO 31000 does not classify risks.
But the reading itself does suggest that risk classification systems are
usually based on the division of risks into those related to financial control,
operational efficiency, reputational exposure and commercial activities. It
then provides a range of information (in table 1 on page 5) that an
organisation should collect on each risk identified, which includes
information relating to all aspects of the risk assessment process.
In 2002, Jacqueline Jeynes made an early contribution to classifying risks.
She classified risks into a set of ten, which she called the 10Ps (Jeynes,
2002: 14–49 – you can download a summary). Jeynes then undertook
some research by applying the 10Ps to different organisations and found
that, in different sectors, certain types of risks were much more important
than in others (an idea which is taken up in the first unit of Module 2,
referring to the subject of ‘risk emphasis’).
Another means of classifying risks is the 4Ps approach, categorising
events by people, premises, processes and products. This is a model that
can be used to identify risks to the key dependencies of key people, key
premises, key processes and key products.
There are also some especially comprehensive risk classification systems. One
of the most popular of these is the risk wheel which, as you can see from figure
4.3 below, categorises risks into eighteen categories and which, taking its lead
from the Basel II approach, could be further divided into subcategories.
The risk wheel demonstrates that there is no theoretical limit to the level of detail
in which you can categorise or subcategorise your risks, right down ultimately to
the specific individual risks themselves.
Figure 4.3: The IRM risk wheel
The finance sector classifies risk into market, credit and operational risks; this
system has been partly shaped by regulation, notably the Basel II framework
issued by the Basel Committee on Banking Supervision, which further
disaggregates operational risk into seven loss event types (for example internal
fraud, external fraud, and business disruption and system failures). You might
well find that your organisation has its own specific classification system that is
based on specific needs (such as regulatory guidance) or sector.
UNIT 4 | RISK ASSESSMENT 1: INTRODUCTION AND IDENTIFICATION
© 2016 Institute of Risk Management | 69
We can conclude this section on risk identification with a cautionary quote from
BBC radio in 2010 that it is sometimes best to operate your business in a state of
blissful ignorance:
‘The more we know that risks are out there, the more we worry they will
occur. This leads to total paralysis for fear that these risks will indeed
occur and there’s too much work and not enough money to manage all of
them.’ (BBC Radio 4, Today programme, 28 July 2010)
Essential reading
Skim read StrategicRISK (2012) now to get a flavour of the classification
system it uses. This is an interesting, brief and easy-to-read report.
Read the Adams (2007) article. It is just three pages long and it explains how
we can categorise risks three ways according to the level of knowledge we
have of a risk.
Further optional readings at the end of this unit show how you can use two
generic risk classifications to categorise risks (a) specific to your sector and (b)
along the value chain of your organisation’s core processes.
Learning activity 4.6
1 Identify three reasons why organisations find it useful to classify risks.
2 List the six risk categories for each of the PESTLE acronym and identify
three advantages and disadvantages of the PESTLE risk classification system.
3 Try to think of three reasons why sometimes we will treat risks without
knowing the underlying causes of that risk.
Self-assessment questions
1 Which of these is an advantage of using questionnaires and checklists for
risk assessment?
a) A consistent structure can guarantee consistency
b) Greater interaction produces more ideas
c) Physical evidence forms the basis of opinion
2 Which of these is an advantage of using flowcharts for risk assessment?
a) A consistent structure can guarantee consistency
b) Greater interaction produces more ideas
c) Analysis produces better understanding of the process
3 A top-down approach to risk assessment is likely to:
a) Provide a good picture of internal risks
b) Gain senior management commitment
c) Gain high levels of staff commitment.
Further reading
Risk assessment techniques
Airmic/Alarm/IRM (2010: 13) illustrates six risk assessment techniques. Hopkin
(table 13.1) lists four but does go on to discuss additional methods that might be
employed and their associated advantages and disadvantages.
Meanwhile IRM (2002), in sections 4.1 and 4.2, identifies a separate set of
techniques for risk identification and risk analysis. The risk analysis techniques
are further divided into techniques for opportunity, control and hazard risks.
Risk identification
IRM’s ORC (IRM 2014) has a range of publications on the subject of risk
identification, if you are interested in gaining a deeper insight.
Risk perception
In the general section on risk assessment, we mentioned how people can
perceive risk in all sorts of different ways. An early research paper by Slovic,
Fischhoff and Lichtenstein (1980) showed how people’s general perception and
fear of risk can be extremely inconsistent. Their initial discussion of earlier
research also shows that perception can be affected both by prior risk
crystallisations and the way the risk events are communicated through the media
and other channels.
Risk causes
Holmquist (2014) is a simple and easy-to-read introduction to risk causes and in
particular on how to distinguish between a risk and a cause of risk.
A general reading on root cause analysis, which is a more complex approach to
Hopkin’s bow-tie analysis of a kitchen fire on page 48, can be found in Rooney
and Vanden Heuvel (2004).
Feedback to activities
Activity 4.1
To help you with this question refer to table 13.1 in Hopkin, and select the
methods that seem to be closest to those you use in your organisation. Are there
any other methods that you could use and would there be any value in
considering those methods? If there is a difference between the way your team
and the way your organisation as a whole assess risks, try to find out why such
differences occur.
Activity 4.2
a) You might find that following the event you re- appraise the likelihood of a
repeat event, perceiving that as it’s happened once it could occur again, and
because of the unpleasant outcome, you really would not want it to happen.
b) The questions you can ask yourself are: Is your reappraisal of the risk rational
or logical? Is the risk any more likely just because it’s happened once before?
Taking this idea forward to your professional work, do you think that
organisations adopt a similar attitude when a risk event hits them? Often the
answer is ‘yes’, and cynics often describe the post-event response as a
‘knee-jerk reaction’.
Activity 4.3
A possible cause of faulty electrical equipment is a lack of routine checking and
maintenance. A possible cause of unattended cooking might be a lack of staff at
necessary times of activities, such as at lunch and dinner time. A possible
consequence of asset destruction is a financial loss to the business caused by
having to replace the assets and from business interruption. Smoke inhalation
could result in the consequence of long-term staff absences and thus affect the
ability of the business to trade. The consequences of accident or injury to staff
might be financial penalties (fines) resulting from a breach of health and safety
regulations and a loss of reputation to the business.
Activity 4.4
Here, we hope you can think of a full set of risks – such as illness, family events
and a lack of time to study – to the less likely events – such as getting lost on the
way to the exam centre or forgetting your pen! You could complete the cause →
risk → consequences analysis by asking yourself what, if you do fail to achieve
the qualifications, could be the consequences for your future career.
Activity 4.5
You can use the bow-tie analysis as a tool to help you map out the
consequences. You will see, in unit 6, that we have specific types of responses
that focus on managing consequences; but since this risk goes beyond your area
of responsibility, it might if possible be best to prevent the risk from occurring as
you can then control all of the consequences.
Activity 4.6
1 Check off your reasons for classifying risks against our list earlier in this
unit.
2 The six categories of the PESTLE risk classification system are political,
economic, social, technological, legal and environmental (or sometimes
ethical) risks. Its big advantage is in identifying external risks; it is less
appropriate for identifying internal risks. Hopkin also provides a list of the
advantages and disadvantages of PESTLE in chapter 14 (pages 158–9).
3 If the cost of investigation is very high then it might simply be too expensive.
If the timescale between the risk event and its impact is very short there
might not be time to investigate the causes. If the severity of the risk is so
great (for example, in the form of a crisis), we cannot delay in trying to
contain the symptoms (we will later define this idea of cost containment)
while we discover the causes.
Answers to self-assessment questions
1-a
2-c
3-b
Unit 5 Risk assessment 2: risk
analysis and evaluation
Unit learning outcome
After studying this unit, you should be able to:
Use the main approaches to the analysis and evaluation of risk
Unit contents Section learning outcomes
5.1 Introduction to risk analysis…75
Describe the concept and purpose of risk analysis within the risk management process
5.2 Risk likelihood and impact…77
Consider the two dimensions of likelihood and impact, using a quantitative and qualitative approach to analysing risks
5.3 Risk evaluation and risk appetite …84
Explain the importance of risk appetite as a planning tool in the implementation of a risk management initiative and its interface with operations, projects and strategy
5.4 Loss control…89 Describe the main components of loss control as loss prevention, damage limitation and cost containment, providing practical examples
5.5 Defining the upside of risk…90
Outline the alternative approaches to defining the upside of risk and the application of these approaches to strategy, projects and operations
Resources
You should make sure you have access to the following resources before starting this unit:
Hopkin (2014), chapters 15–17 and 20
The Orange Book (HM Treasury, 2004), chapters 4 and 5
UNIT 5 | RISK ASSESSMENT 2: RISK ANALYSIS AND EVALUATION
© 2016 Institute of Risk Management | 75
Introduction
This unit continues our work on risk assessment. While Unit 4 dealt with the first
ISO 31000 element of risk assessment, risk identification, this unit focuses on the
other two elements: risk analysis and risk evaluation. Figure 6.4 in Hopkin (page
65) shows the ISO 31000 risk management process.
We begin by introducing risk analysis before going on to explore two key aspects
of risk analysis: likelihood and impact. We then go on to discuss risk appetite.
The final sections of the unit examine loss control and the upside of risk. We will
continue to use the ISO 31000 standard as the basis of our work, although we
will refer to other standards too, especially COSO ERM, IRM (2002) and The
Orange Book.
5.1 Introduction to risk analysis
Risk analysis helps us to determine the severity of the risks our organisation
faces by analysing the likelihood of the risk materialising together with the
severity of the impact on the organisation.
The ISO define risk analysis as:
‘… (The) process to comprehend the nature of risk and to determine the
level of risk’.
They follow this up with a note to the effect that ‘…risk analysis provides the
basis for risk evaluation and decisions about risk treatment’. (ISO 31000, 2009).
There are, of course, a number of other definitions and here is one from the
Chartered Institute of Internal Auditors (CIIA, 2005: 26):
‘The systematic use of available information to determine the likelihood of
specified events occurring and the magnitude of their consequences,
i.e. their impact.’
Airmic, Alarm, IRM (2010) describe the purpose of risk analysis as:
‘The result of the risk analysis can be used to produce a risk profile that
gives a rating of significance to each risk and provides a tool for
prioritising risk treatment efforts. This ranks the relative importance of
each identified risk.’
Meanwhile The Orange Book and the COSO ERM place risk analysis within the
broader subject of risk assessment.
Risks are analysed in order to:
prioritise risks for treatment in terms of their significance
achieve consistent perceptions of significance across the organisation
inform decisions on how scarce resources are allocated
inform decisions about whether to proceed with a new strategy, project, or
investment, and so on.
Risk analysis is not easy: not only do we have to gather the information from
many sources, and use many different methods to gather it, but also we must
process it in a way that generates reliable likelihoods and impacts in order to
determine the severity of a risk and prioritise it for subsequent treatment.
Essential reading
Turn to Chapter 4 of The Orange Book (HM Treasury, 2004). This provides a
useful two-page introduction to the key themes of risk analysis.
RISK IN THE REAL WORLD
In practice there is some evidence that organisations favour
the qualitative approach to analyse risks. A 2009 study, by the
Institute of Internal Auditors, of 321 chief audit executives in
large US listed companies showed that around 70% of the
companies used a non-quantified approach to analyse risks.
(IIA, 2009: 16)
Activity 5.1
How do you measure risk in your organisation? To what extent do you adopt a
quantitative approach to risk analysis?
5.2 Risk likelihood and impact
Risk analysis focuses in particular on the two dimensions of risk, which
are risk likelihood and risk impact. In this section we will look at these in turn,
before going on to discuss the application of a risk matrix, a key risk analysis
tool.
Likelihood, probability and frequency
Likelihood is a term which tries to measure the chances of a specific event
occurring. It can be expressed either as a probability or as a frequency:
Probability – Likelihood can be expressed numerically as a value between
0 and 1 (or 0% and 100%) used as a probability measurement, such as:
‘There is a 2% chance of rain in the city of Jeddah on any one day during
the next month.’
Frequency – Likelihood can also be expressed numerically as a frequency
measurement, such as: ‘In just one day in 2005 Hurricane Katrina resulted
in a one-in-a-hundred-year flood to New Orleans.’ A frequency measure
can be converted to a probability measure provided the time unit is stated.
A one-in-a-hundred-year event has, on average, a probability of 1/100, or
1%, in any given year; spread evenly over the days of the year, the chance
that another Hurricane Katrina severity flood hits New Orleans tomorrow
is 1 ÷ (365 days × 100 years) ≈ 0.000027, or a 0.003% chance.
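The conversion above, worked through in code as an added illustration (it is not part of the original study guide). The 1-in-100-year flood comes from the text; the 365-day year and the 30-year planning horizon used in the usage call are assumptions. The last function also shows the figure a planning horizon really needs, the chance of at least one occurrence over several years, which is not simply years × annual probability.

```python
"""Converting likelihood between a frequency (return period) and a probability.

Added example for this study guide, not code from the original text.
Assumptions: a 365-day year (leap years ignored, as the text does) and,
in the usage call, a 30-year planning horizon.
"""

DAYS_PER_YEAR = 365  # assumption: ignore leap years


def return_period_to_annual_probability(return_period_years: float) -> float:
    """A '1-in-N-year' event has, on average, probability 1/N in any one year."""
    if return_period_years <= 0:
        raise ValueError("return period must be positive")
    return 1.0 / return_period_years


def return_period_to_daily_probability(return_period_years: float) -> float:
    """Spread the annual probability evenly over the days of the year.

    This is the approximation used in the text: 1 / (365 x 100) for a
    1-in-100-year flood, about 0.0027% per day.
    """
    return return_period_to_annual_probability(return_period_years) / DAYS_PER_YEAR


def probability_of_at_least_one(per_period_probability: float, periods: int) -> float:
    """Probability that an event with probability p per period happens at least
    once in n independent periods: 1 - (1 - p) ** n.

    Note this is NOT n * p; n * p overstates the chance as soon as it stops
    being small, and exceeds 100% for a 100-year event over 101 years.
    """
    if not 0.0 <= per_period_probability <= 1.0:
        raise ValueError("probability must lie in [0, 1]")
    if periods < 0:
        raise ValueError("number of periods must be non-negative")
    return 1.0 - (1.0 - per_period_probability) ** periods


def describe_likelihood(return_period_years: float, horizon_years: int) -> dict:
    """Return the same likelihood in the forms the text discusses, each
    labelled with the unit it refers to (the 'one in two million - of what?'
    problem the text warns about)."""
    p_year = return_period_to_annual_probability(return_period_years)
    p_day = return_period_to_daily_probability(return_period_years)
    return {
        "frequency": f"1 in {return_period_years:g} years",
        "probability_per_year": p_year,
        "probability_per_day": p_day,
        "horizon_years": horizon_years,
        "probability_within_horizon": probability_of_at_least_one(p_year, horizon_years),
    }


if __name__ == "__main__":
    # Katrina-severity flood: 1-in-100-year event, 30-year horizon (assumed)
    for key, value in describe_likelihood(100, 30).items():
        print(f"{key}: {value}")
```

For the 1-in-100-year flood the per-day figure is about 0.0027% (the 0.003% quoted above), but the chance of at least one such flood within a 30-year horizon is about 26%, which is the number a business continuity plan should be built around.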
Impact, magnitude and consequence
We can either measure impact in a quantitative way (by describing impact in
terms of e.g. financial loss, gain in market share, or number of customers
affected) or in a non-quantitative way (by describing the impact of an event as
e.g. high, medium, low and maybe zero).
Many organisations attempt a composite form – so for example, the high
financial impact might be greater than $1m while a low financial impact might be
less than $1,000.
Some risks such as financial risks (e.g. financial losses and gains) and
marketplace risks (e.g. income or market shares) on the FIRM scorecard are
easier to quantify than infrastructural and reputational risks. We will look further
at the range of criteria used to measure impact in the section below on the
application of a risk matrix.
Module 3 looks in more detail at quantitative approaches to risk analysis.
However it is useful to be aware of some of the misconceptions and half-truths
that can arise from poor quantitative analysis of risk. For example, if likelihood is
quoted as one in two million, does that mean two million years or two million
events? It is essential to specify exactly what the numbers mean.
Activity 5.2
Write a short definition of the term ‘risk analysis’.
Application of a risk matrix
We can use a risk matrix to analyse the likelihood and the impact of a risk. Note
the important point that the design of the matrix, as well as the most suitable risk
scoring system, will depend upon the specific features and needs of the
organisation.
A simple 2 x 2 risk matrix compares two measures for the severity of impact or
magnitude and two measures for the severity of likelihood. This will give us four
risk scores: HH for high impact and high likelihood, HL for high impact and low
likelihood, LH for low impact and high likelihood and finally LL for low impact and
low likelihood.
Essential reading
Figure 1.1 in Hopkin on page 20 shows a 2 x 2 risk matrix.
Then look again at the part of Hopkin chapter 13 on risk matrix (pages 145–7).
His Tables 13.3 and 13.4 give example definitions of likelihood and impact.
Figure 5.1 below shows a 3 × 3 matrix, which uses red, amber, yellow and green
colours to highlight the relative severity of risks. Colour coding is a common way
to present a risk matrix; for this reason, risk matrices are sometimes called ‘risk
heat maps’, with red denoting the hot zone, as an indication of danger.
Sometimes people also refer to them as a ‘risk map’ or a ‘RAG diagram’, where
RAG stands for red, amber and green.
Figure 5.1: Risk matrix with multiplied risk scores (cell value = likelihood rating × impact rating)

Impact \ Likelihood    Low {1}    Medium {2}    High {3}
High {3}                  3            6            9
Medium {2}                2            4            6
Low {1}                   1            2            3
You populate the risk matrix with your department’s risks as in figure 5.2. As you
can see, the big advantage of a risk matrix is that it is a tool that can visually alert
us to which risks need most attention and that is why it is so popular.
Figure 5.2: Risk matrix with risks plotted (each cell shows its score, then the risks plotted in it)

Impact \ Likelihood    Low {1}          Medium {2}           High {3}
High {3}               3                6   Risk 4           9   Risks 9 & 1
Medium {2}             2   Risk 3       4   Risks 8 & 2      6   Risk 6
Low {1}                1   Risk 7       2                    3   Risk 5
Risks 1 and 9 are the most serious risks on this 3 × 3 matrix because not only is
the impact of these risks high, but also the likelihood of the risks occurring is
high. Meanwhile, risk 7 is the least serious risk because this risk is unlikely to
occur and, even if it does, its impact is expected to be low.
Many people use a 4×4 qualitative classification of likelihood and impact, with 16
potential risk scores, though some organisations may use a 5×5 or 6×6 basis
(with 25 or 36 potential risk scores) – however it rarely goes beyond that
because of the time that would be needed to analyse risks in such great detail.
RISK IN THE REAL WORLD
The colours on the matrix above often relate to the extent that
risks are tolerated. So in some industries, such as in nuclear
energy, where there is less tolerance of risk, anything up to
30% of the matrix could be red. The colours also provide a
guide to expectations over the monitoring and management of
the risks. So, for example, red areas require immediate
responses and constant reporting; yellow or amber might
require slower responses and less frequent reports; while
greens require no responses and reports only if their severity
becomes more serious over time.
It is possible to use alternative criteria for analysing the impact of risk where
there are different types of risk as in tables 5.1 and 5.2 below.
Table 5.1: Estimating impact – criteria (Reputation, Finance, Service delivery, Compliance, Safety)

Extreme
  Reputation: Loss of credibility with key stakeholders; extensive adverse media; external intervention
  Finance: Financial loss exceeding £X
  Service delivery: Total sustained disruption to critical services
  Compliance: Intervention by regulator; serious breach of legal or contractual obligation
  Safety: Fatality (multiple)
High
  Reputation: Significant loss of trust; significant adverse media
  Finance: Financial loss exceeding £X
  Service delivery: Significant sustained disruption to critical services
  Compliance: Censure by regulator; breach of legal or contractual obligation
  Safety: Serious injury or ill-health (disabling)
Medium
  Reputation: Significant complaints
  Finance: Financial loss exceeding £X
  Service delivery: Some short-term disruption to services
  Compliance: Failure to meet recommended best practice
  Safety: Injury or ill-health resulting in lost time
Low
  Reputation: Isolated complaints
  Finance: Low-level or no financial loss
  Service delivery: Minor disruption to services
  Compliance: Failure to meet internal standards or SLA
  Safety: Minor injury (no lost time)
Table 5.2: Estimating impact – criteria (Environmental, Staff, Infrastructure, ICT, Business disruption)

Extreme
  Environmental: Major long-term irreversible environmental damage
  Staff: Sudden or unexpected loss of a number of key personnel
  Infrastructure: Long-term and permanent loss of critical assets / buildings
  ICT: Non-recoverable loss of critical data or records
  Business disruption: Cessation of major business-critical services for up to 3 weeks
High
  Environmental: Major environmental damage, reversible with long-term remediation
  Staff: Low retention rates of key personnel
  Infrastructure: Sustained damage to assets; repair or replacement lasting more than 2 months
  ICT: Large loss or theft of data; severe inability to access critical files, data or records
  Business disruption: Major service delivery targets not met for two weeks; business-critical service not back in agreed time
Medium
  Environmental: Environmental damage reversible with medium-term remediation
  Staff: Inability to attract and retain key personnel in identified high-demand roles or hard-to-fill locations
  Infrastructure: Significant but temporary damage to assets or property / facilities
  ICT: Recoverable loss of critical files, data or records
  Business disruption: Business-critical services lost for up to one week
Low
  Environmental: Superficial impact on environment with cosmetic remediation
  Staff: Difficulty in recruiting or replacing officers in critical or key departmental positions within reasonable timeframes
  Infrastructure: Minor property damage
  ICT: Loss of non-critical files, data or records
  Business disruption: Minor effect on services and/or programmes for one day
Chesshire (2009: 160) lists some of the sources of information for your risk
analysis. To determine your impact and likelihood, you could:
look at past records
look at personal relevant experience (and intuition)
look at industry-relevant experience of the risk
look at published literature on the risk
do some testing or experiments (for example, market research)
use economic or statistical models to make forecasts
use experts in the area of that risk to make judgements.
And you might do some of these things through the risk assessment techniques
that we presented in Unit 4.
You can use the risk matrix to show inherent or gross risks – the risk before any
control measures are taken – or the current, residual or net level of risk – the risk
taking account of existing control measures. You could even plot both inherent
and current risk on a single matrix and draw a line between them in order to
show the effect of any risk treatment.
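The scoring, colour banding and ranking described for figures 5.1 and 5.2, together with the inherent-versus-current plotting just mentioned, in one added example (this is illustration code written for this guide, not part of the original text). The inherent positions of Risks 1 to 9 are the cells of figure 5.2; their current positions, the band thresholds (red from 6, amber from 3 on a 3 × 3 matrix) and the tie-break rule are assumptions. The class also accepts a 4 × 4 or 5 × 5 scale with its own thresholds, which goes beyond the 3 × 3 case shown in the figures.

```python
"""Likelihood x impact risk matrix: multiplied scores, RAG bands, ranking and
inherent-versus-current comparison.

Added example for this study guide, not code from the original text.
Assumptions: band thresholds, the 'current' positions of the sample risks,
and the tie-break rule (higher impact ranks first at equal score).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    inherent: tuple  # (likelihood, impact) before controls, each 1..scale
    current: tuple   # (likelihood, impact) taking existing controls into account


class RiskMatrix:
    def __init__(self, scale: int = 3, red_from: int = 6, amber_from: int = 3):
        """scale: 3 for a 3x3 matrix, 5 for 5x5, and so on.
        red_from / amber_from: lowest score in the red / amber band; the
        rest is green. Defaults are assumptions for a 3x3 matrix."""
        if scale < 2 or not (1 <= amber_from <= red_from <= scale * scale):
            raise ValueError("inconsistent scale or band thresholds")
        self.scale, self.red_from, self.amber_from = scale, red_from, amber_from

    def score(self, likelihood: int, impact: int) -> int:
        """Multiplied score as in figure 5.1 (a 3x3 scale gives 1..9)."""
        for rating in (likelihood, impact):
            if not 1 <= rating <= self.scale:
                raise ValueError(f"rating {rating} outside 1..{self.scale}")
        return likelihood * impact

    def band(self, likelihood: int, impact: int) -> str:
        s = self.score(likelihood, impact)
        if s >= self.red_from:
            return "red"
        if s >= self.amber_from:
            return "amber"
        return "green"

    def red_fraction(self) -> float:
        """Share of cells coloured red: a crude measure of how little risk the
        scheme tolerates (the text mentions up to 30% red in nuclear energy)."""
        cells = [(l, i) for l in range(1, self.scale + 1) for i in range(1, self.scale + 1)]
        return sum(self.band(l, i) == "red" for l, i in cells) / len(cells)

    def rank(self, risks, level: str = "current"):
        """Most serious first. Ties on score are broken by impact (assumption:
        a high-impact / low-likelihood risk ranks above its mirror image)."""
        def key(r):
            l, i = getattr(r, level)
            return (-self.score(l, i), -i, r.name)
        return sorted(risks, key=key)

    def treatment_effect(self, risk: Risk) -> int:
        """Score reduction achieved by existing controls (inherent minus current)."""
        return self.score(*risk.inherent) - self.score(*risk.current)

    def render(self, risks, level: str = "current") -> str:
        """Plain-text heat map: impact rows (high at top), likelihood columns;
        each cell shows its score and the risks plotted there."""
        width = 16
        header = "Impact\\Likelihood".ljust(width) + "".join(
            f"L{l}".ljust(width) for l in range(1, self.scale + 1))
        rows = [header]
        for i in range(self.scale, 0, -1):
            cells = []
            for l in range(1, self.scale + 1):
                here = [r.name for r in risks if getattr(r, level) == (l, i)]
                cells.append(f"{self.score(l, i)} {','.join(here)}".ljust(width))
            rows.append(f"I{i}".ljust(width) + "".join(cells))
        return "\n".join(rows)


# Constructed sample: inherent positions are the cells of figure 5.2;
# current positions are assumed to show the effect of existing controls.
RISKS = [
    Risk("R1", (3, 3), (2, 3)), Risk("R9", (3, 3), (3, 2)),
    Risk("R4", (2, 3), (1, 3)), Risk("R6", (3, 2), (2, 2)),
    Risk("R8", (2, 2), (2, 2)), Risk("R2", (2, 2), (1, 2)),
    Risk("R5", (3, 1), (2, 1)), Risk("R3", (1, 2), (1, 2)),
    Risk("R7", (1, 1), (1, 1)),
]

if __name__ == "__main__":
    m = RiskMatrix()
    print(m.render(RISKS, "inherent"))
    print("ranked (inherent):", [r.name for r in m.rank(RISKS, "inherent")])
    for r in RISKS:
        print(r.name, m.band(*r.inherent), "->", m.band(*r.current),
              "reduction", m.treatment_effect(r))
```

Ranking the inherent scores reproduces the reading of figure 5.2: Risks 1 and 9 (score 9) come first and Risk 7 (score 1) last. The `treatment_effect` value is the length of the line you would draw between a risk's inherent and current positions on the matrix.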
Essential reading
Read the first two parts of Hopkin chapter 15 (pages 163–6), on ‘Application of a
risk matrix’ and ‘Inherent and current level of risk’. You will see that figure 15.1
(page 164) shows another simple 2 × 2 risk matrix, while Figure 5.3 shows how
inherent, current and even target risks can be mapped.
Activity 5.3
1 In your reading you will have seen the debate about analysing risks at the
inherent and current levels. Which do you think makes most sense?
2 For your organisation, if you score risks, do you use a 3 × 3 dimension to
measure likelihood and impact or something else? Do you know why your risk
scoring method was chosen?
Essential reading
Take a quick look at section 4.7 of The Orange Book (HM Treasury, 2004: 20).
Like Hopkin, in the first part of chapter 15, it also discusses whether to plot risks
at the inherent or at the residual level of risk.
Risk significance
In doing our risk analysis, we need to ask the question: What makes our impact
significant? How do we decide when our risk analysis has revealed a significant
risk exposure to the organisation?
Essential reading
Read the fifth part of Hopkin chapter 15 (pages 168–9), titled ‘risk significance’.
There is no need now to read the third, fourth and sixth parts of Hopkin chapter
15, titled ‘Control confidence’, ‘4Ts of risk response’ and ‘Risk capacity’. We will
return to these parts later in this unit and in unit 6.
Hopkin refers to scoring mechanisms and to an important term, used in risk
analysis, ‘benchmark tests for risk significance’. A risk is significant if it could
have an impact in excess of this benchmark test. Benchmark tests can reduce
the number of identified risks from many hundreds or thousands to the few
that are most significant and which we must treat first.
5.3 Risk evaluation and risk appetite
We now move on to the final element of risk assessment, risk evaluation. The
central idea behind risk evaluation is that after analysing a risk to estimate its
severity, we then have to decide whether to:
respond to the risk in some form in order to reduce our exposure (hazard
risk), reduce the level of uncertainty (control risk), or modify the investment
(opportunity risk); or
simply tolerate the level of risk that we have estimated without any further
action.
So risk evaluation is, in effect, a decision point at which we decide whether or
not to respond to the risk.
Activity 5.4
Look back at figure 6.4 in Hopkin (page 65) on ISO 31000, the IRM (2002) risk
process, presented in figure 6.1 (page 59) and the COSO ERM cube (Hopkin,
page 63). Where does risk evaluation fit into the risk management process in
each of these standards?
Essential reading
The Orange Book (HM Treasury, 2004: 20) has a useful, brief discussion of the
process of risk evaluation, in sections 4.4 and 4.5.
Importance of risk appetite
Absolutely central to the process of risk evaluation is the idea of risk appetite.
The Chartered Institute of Internal Auditors (CIIA, 2005: 26) defines risk
evaluation as:
‘…the process used to determine risk management priorities by
comparing the level of risk against predetermined standards, target risk
levels or other criteria.’
The ‘predetermined standards, target risk levels or other criteria’ in that
definition are where risk appetite enters: it is the yardstick against which the
analysed level of risk is compared (the CIIA’s own definition of risk appetite is
given in table 5.3 below).
Essential reading
In unit 4 we saw how Hopkin’s chapter 13 on risk assessment introduced risk
perception (pages 147–9) and risk attitude (pages 149–51). Remind yourself of
these ideas now.
If an organisation is to achieve a consistent approach to risk management across
the enterprise (ERM), those who manage risk clearly need to know the trigger
point, in terms of risk severity, above which they should respond. If staff do not
know when to respond and when to tolerate a risk, then the result is that the
overall risk exposure of the business will increase because of the inconsistencies
that would arise. Staff will respond to risks of equal severity based on their
unique personal attitude to risk rather than the consistent attitude to risk that the
organisation wishes.
The most common criterion that organisations use to help staff make a
consistent decision on whether to respond or not to the risks that they face is
called the ‘risk appetite’ and not surprisingly it is the board which has the
responsibility to decide on that risk appetite. For this term there are a range of
definitions, as shown in table 5.3.
Table 5.3: Definitions of risk appetite

Hopkin (2014: 213): The immediate or short-term willingness of an organisation to undertake an activity that involves risk
IRM (2011: 7, 8 & 10): The amount of risk that an organisation is willing to seek or accept in the pursuit of long-term objectives; those risks that they actively wish to engage with
ISO Guide 73: The amount and type of risk that an organisation is willing to pursue or retain
The Orange Book (2004: 49): The amount of risk that an organisation is prepared to accept, tolerate or be exposed to at any point of time
CIIA (2005: 26): The level of risk that is acceptable to the board or management. This may be set in relation to the organisation as a whole, for different groups of risks or at an individual risk level
Risk appetite varies from organisation to organisation – some are generally more
risk taking (or risk aggressive) and others are more risk averse. Even within the
same organisation, the appetite for risk taking will vary between different
functions. For example, a finance department is likely to be highly risk averse,
while the research and development section may be more risk taking.
An ERM approach requires organisations to understand their overall appetite for
risk and then apply a consistent approach across the organisation. The
organisation can then make consistent decisions about how to respond to a
particular risk. We will discuss risk responses in unit 6.
Essential reading
Look briefly at Chapter 5 in The Orange Book (HM Treasury, 2004: 23–5), which is
about risk appetite. Section 5.1 describes risk appetite for opportunities as
well as for hazards or threats. Sections 5.2 and 5.3 describe the nature of
corporate-level risk appetite, risk appetite for projects and delegated risk
appetite, which is cascaded down the organisation in order to gain consistent
management of risk. Section 5.5 explains how you can use risk appetite for
decision making in areas such as resource allocation and project approval.
Read also the first parts of Chapter 20 in Hopkin on the importance of risk
appetite (pages 212–220).
Risk appetite has to be identified within the context of the organisation’s overall
business strategy, tactics, operations and its need to comply with relevant
legislation and regulation. However, boards are primarily concerned with
business drivers and strategic imperatives, leading to the possibility of decisions
being taken that don’t fully take into account the actual levels of risk exposure, or
the organisation’s willingness to tolerate such levels of risk.
One charity attempted to use The Orange Book approach to undertake an
assessment of risk appetite. It first looked at risk appetite for different
classifications of risks and then derived an organisational-level risk appetite from
the average of the risk appetites of each of the classifications of the risks. This is
shown in table 5.4.
Table 5.4: A simple risk appetite estimate

Risk type: risk appetite rating
Customer health and safety: 0
Staff health and safety: 0
Financial risk: 2
IT risk: 3
Reputational risk: 2
Crisis management: 3
Environmental risk: 3
Fraud and corruption risk: 1
Overall risk appetite (average of the eight ratings): 1.75

Legend (rating, risk appetite, meaning)
0, Extremely low: Almost no residual risk is acceptable
1, Very low: Residual risk only acceptable in extreme situations (e.g. where the risk has a very low impact and likelihood)
2, Fairly low: Residual risk is managed down low on a cost-benefit basis. However, on balance, control is weighted higher than acceptance
3, Moderate: Residual risk is accepted to moderate levels. Moderate implies a pure cost-benefit approach
4, High: Residual risk is accepted to quite high levels
5, Very high: Acceptance of very high levels of residual risk
As you can see, the charity had a fairly conservative approach to determining the
level of risk it was prepared to accept, but it was prepared to accept some higher
levels of risks for some categories of risk. It did not take the final step advocated
in The Orange Book to undertake risk evaluation down to individual risks.
RISK IN THE REAL WORLD
Go back to Hopkin chapter 15 (page 171). There you will see a
discussion about the risk capacity of a bank and how this
relates to risk exposure and risk appetite.
You will have seen that Hopkin considers the need to
undertake a more complex form of risk analysis. In this,
organisations consider not just the most likely impact level of a
risk but the full possible range of impacts that might result from
the risk.
RISK IN THE REAL WORLD
In looking at a relationship between risk capacity and risk
appetite, a trading business unit within a utility company might
have a very large possible capacity for risk, but external
influences, such as public perceptions or political constraints,
might limit its capacity to increase its risk appetite, since to
exceed it might damage the business’s reputation.
Essential reading
Now read what Hopkin says about risk appetite statements (pages 220-223), and
risk appetite and lifestyle decisions (pages 224 and 225).
The further reading section at the end of this unit provides further interpretations
on risk evaluation. However, you will encounter several other readings on this
area in later modules and especially in modules 2 and 3.
Now that we have decided on the criteria by which we decide to tolerate or
respond to the risk our organisation has, we can move on to discuss the more
specific subject of loss control.
5.4 Loss control
This section discusses loss control. It explains the need to identify
appropriate control measures to prevent a risk materialising, limit the damage
and contain the costs when a risk does materialise. The focus of this section is
the treatment of risks and it describes how we can minimise the potential losses
after having done our risk analysis. In fact, much of the section is as relevant to
the subject of risk treatment in unit 6 as it is to risk analysis here in unit 5.
The section focuses on the treatment of hazard-type risks. Before you begin your
readings, ensure you can recall the meaning of hazard-type risks and be able to
distinguish them from uncertainties and opportunities, which we covered in
unit 1.
Hazard risks and loss control
There are many examples of hazard risks and dependencies that could cause
hazard risks. Loss control relates to the mitigation of hazard risks and the
components of loss control that are identified as loss prevention, damage
limitation and cost containment. This gives rise to a useful formula to remember:
Loss control = loss prevention + damage limitation + cost containment
The most important of these three components is the loss prevention response,
which is to identify treatments that help to prevent hazards and which we also
call (not surprisingly) ‘preventive controls’. The order of the three components of
loss control is as follows:
Loss prevention: focuses on reducing likelihood.
Damage limitation: focuses on reducing magnitude.
Cost containment: focuses on reducing impact and consequence.
Loss prevention is based on preventive responses that organisations could use
for different types of risks, including health and safety, fire, fraud and theft.
The purpose of damage limitation is to limit the damage as soon as the
organisation can detect the risk event unfolding. Good examples include fire
sprinkler systems and first aid facilities located near to dangerous places of work.
There is a clear distinction between damage limitation and cost containment. The
latter is about salvage and post-incident management, to ensure an efficient and
effective recovery. These ideas are all closely connected with business continuity
management and the PCDD control types, subjects we will look at in detail in
Unit 6.
Chapter 16 of Hopkin has six parts:
Risk likelihood – reviewing the first dimension of risk analysis and how we
can reduce likelihood by managing hazard risks.
Risk magnitude – reviewing the second dimension of risk analysis and
how we can reduce impact by managing hazard risks.
Hazard risks – providing some examples of hazard risk and how these can
be managed through three loss control techniques.
Loss prevention – discussion of the first of the loss control techniques.
Damage limitation – discussion of the second of the loss control
techniques.
Cost containment – discussion of the third of the loss control techniques.
Essential reading
Read the whole of Hopkin chapter 16 (pages 172–8).
5.5 Defining the upside of risk
Risk is not just about threats and negative consequences. Managing risk can
lead to positive outcomes and realisation of opportunities. Entrepreneurs are
generally considered to be people who are prepared to take bigger risks,
because they see the potential for significant benefits/gains. But, of course, there
is uncertainty about whether the benefits will be achieved. Managing risks to
enhance the likelihood of positive outcomes can be just as important as
managing risks to reduce the likelihood or magnitude of negative outcomes.
There are various definitions of an upside risk. A common definition of upside
risk is ‘opportunities that can be seized with a desirable outcome’. A high upside
risk represents a high likelihood of a desirable outcome.
The upside of risk, covered in chapter 17 of Hopkin, is a challenging concept
because it argues that organisations should address the upside of risk along with
the much more obvious and traditional downside aspects. We will cover the
upside of risk as it relates to strategy, tactics and operations – which, if you recall
from unit 1, is the primary way in which Hopkin divides risks. We will look at the
role of opportunity assessments and an approach to assessing the overall
riskiness of an organisation.
As the risk management profession increasingly has to justify its added value in
organisations, a discussion of the upside of risk management is very relevant for
risk managers.
People often use a double-sided risk matrix (a simple example is shown in figure
5.3) to compare opportunities as well as downside risks. This type of matrix can
be presented in a variety of ways. In some cases, upside risk is presented on the
right of the matrix with downside risk on the left. With upside risks, the aim is to
move the risk to the top left-hand corner of the upside risk matrix, by
increasing the likelihood and/or desirable consequence.
Figure 5.3: Risk Matrix for opportunities and hazards
The black arrowed lines indicate the objectives of risk treatment (see Unit 6), to maximise the
upside risk and reduce the downside risk.
The idea of using the likelihood dimension to score upside risk is less universally
applied than it is for hazard risks. For example, one industry scores opportunity
using the term ‘ease to implement’ when estimating the likelihood of the
opportunity emerging. However, we could use exactly the same techniques that
we discussed for risk identification – such as the risk wheel, the bow-tie,
workshops and questionnaires – to identify opportunities.
There is a range of ways in which upside risk can be manifested. We could
possibly fit these into two forms: upside through good management (managed
positive outcomes) and upside through good fortune (random positive
outcomes).
Taking the managed positive outcomes in a little more detail, there is a link
between the upside of risk and the MADE2 acronym, which simply describes the
upside of risk as being the benefits of good risk management. In that sense, we
could argue that the upside of risk is simply the managed achievement of
objectives. Good hazard-risk management, however, in itself provides
opportunities to take on more risky ventures through knowing that the
organisation can manage its hazard risks well. Thus good hazard risk
management is a source of strategic competitive advantage.
From a practical point of view, the upside of risk is something risk managers
often spend little time thinking about because the organisation expects them to
manage hazards, not exploit opportunities; it is someone else’s job to do the
exploiting.
We now move on to discuss the upside of risk from the perspectives of strategy,
tactics and operations.
The upside of risk can be categorised into three – strategy, projects (tactics) and
operations – the same categories as can be used for downside risk. There are
three separate parts in this reading which discuss these three categories further.
Essential reading
Read the first part of chapter 17 in Hopkin (pages 179–81), titled ‘Upside of risk’.
Achieving the upside of risk
Essential reading
The second part of chapter 17 in Hopkin (page 182), ‘Opportunity assessment’,
focuses on upside in the strategic context and how consultancy firms and a
theatre can assess opportunities in terms of choices over new products and/or
markets.
In fact, product/market analysis is a core concept of strategic management and it
provides evidence of how many organisational disciplines overlap (in this case,
risk and strategic management). Note also, from Unit 3, how we described ERM
as a ‘process…applied in strategy-setting and across the enterprise’, because
this definition underlines that the link between these two disciplines is a
deliberate one.
The upside of risk in relation to strategy relates implicitly to the two Es (effective
and efficient) in the MADE2 acronym. The upside in strategy is all about
increasing the likelihood and positive impact of the particular strategic decision.
The selection of an inappropriate strategy can be the most catastrophic risk that
an organisation can experience.
Risk management can help us choose an effective strategy and it is important to
note that:
implementation of the chosen strategy involves a range of tactical
decisions in the form of effectively delivered change projects and
programmes
delivery of the chosen strategy involves efficient core operational
processes.
The upside of risk management in terms of tactics, or change management to
implement strategy, is an important consideration. It is necessary to distinguish
between efficient and effective. The objective of the change is to
improve both the efficiency and effectiveness of the core processes.
So the upside of risk here is around selecting the best change activities to
implement strategy, and ensuring the selected change activities are effectively
delivered. In that sense we can argue that tactics are merely a response to help
manage strategic risk.
Efficient processes represent the upside of risk in operations. Carefully consider
what this means. The upside of risk management is that it can place the
organisation at a competitive advantage over its competitors, thus identifying
further strategic opportunities.
So all in all, there is a cycle in the upside of risk management moving from
strategy to tactics, tactics to operations and operations back to strategy.
Essential reading
Read the rest of chapter 17 in Hopkin (pages 182–189). ‘Riskiness index’
describes an alternative model to analyse risks. ‘Upside in strategy’, ‘Upside in
projects’ and ‘Upside in operations’ provide a detailed discussion of upside of risk
in strategic level activities, tactical level activities and operational level activities.
RISK IN THE REAL WORLD
Take a look at the box in Hopkin on page 188, which explains
how changed economic circumstances have provided
opportunities to a restaurant chain and an electrical generating
company.
Activity 5.5
Upside risk: Think of some examples in your organisation where a risk event can
result in positive or beneficial outcomes.
We summarise the whole activity of risk analysis by describing a feedback
activity in the ISO 31000 process next.
ISO 31000 and the upside of risk
As we identify and analyse the risks that can affect our objectives, we will
monitor and review the information that we obtain from these two processes.
In doing this, you can appreciate that if the severity of the risks identified and
analysed is too great (or too little) to be acceptable, this is likely to result in either
treating the risks (the next stage in the process) or going back to review and
possibly change our objectives (or alternatively change our criteria for
acceptability).
After such a review, if we do change our objectives, we then have to repeat the
risk identification and risk analysis processes based on those revised objectives.
This iterative process may occur several times before we have a satisfactory
risk-aware set of objectives that enable us to deliver an efficient and effective
strategy.
Monitoring and review (like all aspects in the risk management process) must
therefore be a continuing activity.
Self-assessment questions
1 Which one of the following formulae is the best way to calculate the severity
of a risk?
a) Risk inherent impact × risk residual likelihood
b) Risk frequency × risk probability
c) Risk outcome × risk probability
2 Which of these terms is defined by Hopkin as ‘the amount and type of risk
that an organisation is willing to pursue or retain’:
a) Risk appetite
b) Risk magnitude
c) Risk impact.
3 Which of these is an expression of probability:
a) ‘In just one day in 2005 Hurricane Katrina resulted in a one-in-a-
hundred-year flood to New Orleans.’
b) ‘There is a 2% chance of rain in the city of Jeddah on any one day
during the next month.’
c) ‘Rainfall in June 2015 was higher than usual.’
Further reading
Risk analysis
IRM’s ORC (2014) has a section called ‘Risk management tools and techniques’,
with a subsection on ‘risk assessments’, which has a range of publications and
guidance covering all aspects of risk assessment.
Some people argue that, when analysing risks, impact is a more important
measure of severity than likelihood. For an illustration of this approach, see the
UK Charity Commission publication (Charity Commission, 2010: 16).
A useful reference related to how a quantitative approach to risk analysis could
be abused, by taking advantage of people’s natural illiteracy in statistical
analysis, is Gigerenzer (2011: 39), which is an IRM publication.
Risk appetite
If you are interested in the area of your personal risk appetite, you should look at
the subject of risk compensation first put forward by John Adams.
Page 11 of RIMS (2011) is a small section of the reading and shows how COSO
presents four elements of the risk appetite:
The existing risk profile, defined as ‘the existing level of distribution of risks
across risk categories (for example, financial risk, market risk, operational
risk, reputation risk, and so on)’.
The risk capacity, defined as ‘the maximum risk a firm may bear and
remain solvent’.
The risk tolerance, defined as ‘acceptable levels of variation an entity is
willing to accept around specific objectives’.
The desired level of risk, defined as ‘the desired risk/return level’.
Feedback to activities
Activity 5.1
You might find that some of your risks are measured in a quantitative manner
while others are measured qualitatively. Financial risks for example might be
very measurable quantitatively or semi quantitatively. Where you measure a
quantitative impact, such as a financial loss, you may also use a qualitative
measure of likelihood, such as a high, medium or low measure.
Activity 5.2
Here is a possible definition: ‘Risk analysis helps us to determine the severity of
the risks our organisation faces by analysing the likelihood of the risk
materialising together with the severity of the impact on the organisation.’
Activity 5.3
1 The debate on whether, as a profession, we should focus our risk
assessment (or more precisely risk analysis) at the inherent or residual level
of risk has never been fully resolved. Again, this discussion is more relevant
after discussing risk treatment in unit 6 and we will return to it then; at this
stage however, we focus on analysing inherent risk.
2 Organisations will choose their risk matrix according to their own needs and
circumstances. However, it is important to check continually whether the
matrix is appropriate.
Activity 5.4
Both ISO 31000 and the IRM (2002) risk process include risk evaluation as a
separate element within the wider subject of risk assessment. The COSO ERM
cube (and The Orange Book) subsume risk evaluation (as they did risk analysis)
within the broader subject of risk assessment.
Activity 5.5
We can tackle this question from the three core levels of risk: strategy, tactics
and operations. From tactics, the emphasis is on the nature of the uncertainty
aspect of risk in the area of project management. Here we can see that a risk
event could be both positive and negative. Thus, a positive risk is that the project
might be completed early, under budget and with more beneficial outcomes than
anticipated. In terms of strategy, the dominant emphasis is on choosing the most
beneficial opportunities based on the organisation’s strengths, weaknesses,
opportunities and threats. In the area of financial operations, it might just be that
random processes result in a favourable return on the business’s investment of
their free cash reserves rather than an unfavourable one.
Answers to self-assessment questions
1-c (outcome is however a less common term to define the result of a risk event; we usually use the terms impact, magnitude or consequences instead)
2-a
3-b
Unit 6 Risk response and risk treatment
Unit learning outcome
After studying this unit, you should be able to:
Distinguish the main features of risk control techniques
Unit contents | Section learning outcomes
6.1 Introduction to risk treatment and risk response…101 | Explain the meanings and purposes of risk response
6.2 The 4Ts…104 | Describe the risk response options in terms of tolerate, treat, transfer and terminate
6.3 Risk control techniques (PCDD)…107 | Describe the types of controls that are available, in terms of preventive, corrective, directive and detective (PCDD) controls
6.4 Control of selected hazard risks…110 | Explain how to determine whether controls are cost-effective, looking at selected hazard risks, including risks to finances, infrastructure, reputation and marketplace
6.5 Introduction to monitoring and review…111 | Apply the activity of monitoring and reviewing the risk management process, learning from controls
6.6 Insurance and risk transfer…117 | Describe the importance of insurance and the circumstances in which insurance is purchased, including the involvement of a captive insurance company
6.7 Business continuity planning…119 | Build a simple business continuity plan using the latest techniques
Resources
Make sure you have access to the following resources before starting this unit:
Hopkin (2014), chapters 18, 21, 22, 23 and 24
The Orange Book (HM Treasury, 2004), chapters 6, 7 and 8, and appendix A
Introduction
This unit concludes the module. It completes the process of enterprise risk
management (ERM) by considering the risk treatment stage. As before, we will
be using the ISO 31000 standard as the basis of our work, although again we will
refer to other standards from time to time.
6.1 Introduction to risk treatment and risk response
We start the unit by looking at how risk treatment and risk response fit into a
range of risk management standards and processes.
Essential reading
To start this unit, return to figure 6.4 in Hopkin (page 65) and see how ISO 31000
shows the activity of risk treatment.
Activity 6.1
By looking in Hopkin and The Orange Book (HM Treasury, 2004), see if you can
find where the IRM (2002), COSO ERM (2004), the 8Rs and 4Ts process and
The Orange Book show the activity of risk treatment. (Clue: Look at pages 59, 63
and 41 respectively in Hopkin and page 13 in The Orange Book.)
Now that you can see where risk treatment lies in the risk management process,
we can go on to discuss the purpose of risk treatment and its relationship to
inherent (gross) risk, residual (net or current) risk and target risk.
Purpose of risk treatment
Having set our objectives (at strategic, tactical and operational levels), and then
identified and analysed our risks to determine their severity, the next stage
logically is to respond to, treat or control the identified risks. Figure 6.1 shows a
model of how risk appetite can inform this.
Figure 6.1: Objectives, risks and controls
Following initial risk identification and analysis, the risk exposure of an
organisation may be made up of many high-, medium- and low-severity risks.
If risk analysis takes place purely on inherent risks (which implies that the
organisation has not responded to any of its risks), then most risks would have
the maximum possible impact on the organisation.
Even without reference to any risk appetite statement, we can imagine the
organisation will wish first to reduce its highest level (red) risks so that they at
least become medium-level (yellow) risks and the risk matrix in figure 6.2 (below)
shows this. It also shows that the organisation will probably tolerate the low-
severity, low likelihood (green) risks, especially since all of its initial effort must
be to tackle the red risks.
Figure 6.2: Simplified risk matrix
[Figure: a two-by-two matrix with Likelihood (Low to High) along the horizontal axis and Impact (Low to High) along the vertical axis. The high-impact, high-likelihood cell is labelled ‘Respond’, the low-impact, low-likelihood cell is labelled ‘Tolerate’, and the two remaining cells are labelled ‘?’.]
We may then find that our risk appetite requires us to consider the more severe
of the residual risks within the yellow, medium-severity level. This should move
some of the yellow, medium-level risk into the green, low-severity risk area.
Ideally, while our organisation would like to eliminate all of the high-severity and
many of the medium-severity risks, this may not be possible for reasons of
practicality or cost-effectiveness. And of course, flaws in the risk analysis
process could result in an understating of the true levels of inherent risk severity,
such that a risk we perceive as a medium-severity risk could in fact be high.
For the risk management process to work correctly we must build a feedback
loop into the risk management process as follows:
We treat a risk by comparing the inherent risk with the risk appetite. If the
inherent risk severity exceeds the risk appetite, we will treat it.
Then we re-analyse the residual risk after treatment. If the residual
severity still exceeds the risk appetite, we will treat it again to reduce the
risk further.
Then we re-analyse the residual risk again. Only when the residual
severity is less than or equal to the risk appetite should we cease treating
the risk. If we cannot reduce the risk sufficiently or economically then we
might have to consider avoiding the risk completely by revising our
objectives and thus beginning the whole risk management process again.
In practice this is more likely to be a constant feedback loop, because both the
severity of our risks and our risk appetite are likely to be constantly changing.
The feedback activity is part of the monitoring and review stage of the full ISO
31000 risk management process.
This approach can, however, be a source of risk in itself, because only with an
indication of the inherent risk can an organisation fully determine what might
happen if the present-day controls fail. You might wish to consider what your
organisation does and why your organisation has chosen to estimate its risks in
the way that it does.
Essential reading
Turn to Hopkin chapter 15 and read the second part of that chapter, called
‘Inherent and current levels of risk’ (pages 165–6) which introduces risk
treatment. Note particularly the content of figure 15.3 on page 166 because this
shows risk treatment in relation to inherent, residual and target levels of risk.
Activity 6.2
Can you recall what aspect of risk evaluation helps us to identify our ‘target risk’?
6.2 The 4Ts
The 4Ts process is made up of four different responses to hazard risks: tolerate,
treat, transfer and terminate. The 4Ts are a very important set of approaches. You
should be able to describe the meaning of each T and also be able to provide
one or two examples for each T. The 4Ts also link the previous stage in the risk
management process (risk evaluation) to the next stage (monitoring and review).
To look at the 4Ts in turn:
An organisation will normally tolerate a hazard risk if the risk’s perceived
severity is less than the risk appetite. Clearly, an organisation will tend to
tolerate low severity risks. However, it may tolerate some high-severity
risks – for example, where it has failed to identify risks or has under-
estimated the severity of the risk. Toleration of high-severity risk makes
the organisation especially vulnerable and some people argue that it is not
the known risks that destroy an organisation, but those risks that are
unknown and implicitly tolerated.
We treat a risk by retaining it in the organisation and taking action to
modify its severity, likelihood or impact. You will also see that the most
common approach to responding to risks is through the ‘treat’ option.
An organisation may try to transfer risk exposure to a third party, such as
an insurance company. In practice, though, it is very unlikely that an
organisation can fully transfer a risk and for that reason the term ‘risk
sharing’ is often used. Other examples of risk transfer include joint
ventures, outsourcing and risk financing. These are areas that you will
study in later modules.
To terminate a risk an organisation will often need to terminate the activity
which is associated with the risk. Termination is something that
organisations usually undertake reluctantly and because the residual
severity of the risk is simply too high after the organisation has considered
all other possible cost-effective responses (from transfer or treat).
There are circumstances where an organisation cannot terminate even its
highest-severity risks, especially in the public services (where there is an
obligation to deliver a service even if the risks are very high) or where the
consequential loss of reputation would be deemed an even greater risk. In these
situations, the only option left is to tolerate the residual risk that remains, even
though it exceeds risk appetite.
It is possible to distinguish the term ‘impact’ from the term ‘magnitude’. We can
say that impact is a risk analysis measure at the residual risk level, whereas
magnitude is a risk analysis measure at the inherent risk level.
If we then adopt a risk management approach based on residual risk rather than
inherent risk we can say that:
Where residual impact and likelihood are high: If the severity cannot be
reduced further by more treatment then the only remaining option might
be to terminate the activity that gives rise to the risk.
Where residual impact is high and likelihood is low: We might have treated
the risk to reduce its likelihood, but we are still highly exposed if the risk
occurs, although that is now not very likely. Therefore, it might be most
cost-effective to transfer the risk to another party who can manage the risk
either more expertly or more cost-effectively than we can.
Where residual impact is low and likelihood is low: We have treated this
risk as far as we need, so no further treatment is required. We can
therefore tolerate it.
Where residual impact is low and likelihood is high: We have helped to
reduce the impact, but with the likelihood quite high, there is room to take
further steps to reduce its likelihood and/or its impact further.
This approach can be criticised as being rather blunt. It falls down where risks
are analysed on the boundaries between high and low of the two axes, and in
particular around the cross-over point in the dead centre of the matrix.
Essential reading
Read The Orange Book (HM Treasury, 2004: 27), section 6.1 for a very simple
summary of the 4Ts. Note that it also describes a fifth T – the need to take an
opportunity or a positive project variation as it arises.
Then read the first parts of chapter 21 in Hopkin (pages 226–233) on ‘The 4Ts of
hazard response’, ‘Tolerate risk’, ‘Treat risk’, ‘Transfer risk’ and ‘Terminate risk’.
Activity 6.3
Provide one practical example in your organisation of each of the 4T responses.
Try to identify if the focus of the response is to try to reduce the risk’s impact or
the likelihood, or both, or neither!
Essential reading
Read the final part of Hopkin chapter 21 (pages 233–7), ‘Project and strategic risk
response’, which introduces the 4A and 4E approaches.
Activity 6.4
Consider your organisation’s responses to project and strategic risks
(as opposed to hazard risks). Do you have an alternative way to the 4As and 4Es
of classifying these types of responses?
RISK IN THE REAL WORLD
Appendix A of The Orange Book (HM Treasury, 2004: 41)
shows how organisations can typically bring their risk
identifications, analyses and responses together using a risk
register. It presents the results of managing three risks that
could impact on a single objective. Look at the register
carefully and see if you can identify how the person displays
inherent, residual (current) and target risk.
6.3 Risk control techniques (PCDD)
We now go on to discuss an alternative classification of responses to hazard-
type risks: control theory. Control theory describes a hierarchy of risk responses
as preventive, corrective, directive and detective (abbreviated as ‘PCDD’) and it
provides some indication of when the different types of controls might be
appropriate. In general, this section refers to Hopkin chapter 22.
It is possible (although not universally accepted) to link PCDD to the 4Ts as a
dominant form of response to risk, dependent on the risk’s residual severity. This
will give rise to the following links, with risk severity scores for likelihood then
impact measured (H = high, L = low):
HH = Preventive and terminate.
HL = Corrective and treat.
LH = Directive and transfer.
LL = Detective and tolerate.
However, the approach of slotting a specific T into a quadrant of the risk matrix is
not suggested by all standards, and many other contributors to discussions on
risk treatment, such as The Orange Book (HM Treasury, 2004: sections 6.2 and
6.3), do not compartmentalise each PCDD control type into a specific quadrant.
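The feedback loop described in section 6.1 (compare the inherent severity with the risk appetite, treat, re-analyse the residual, repeat, and fall back on termination when nothing cost-effective is left), the residual-risk quadrants in section 6.2 and the 4Ts/PCDD links listed above, worked through as an added Python example. This is not code from the study guide or from Hopkin. The 1 to 5 scoring scale, the rule that a score of exactly 3 sits on the boundary between high and low, the risk appetite threshold of 6, the choice of control by severity reduction per unit cost, and the sample register of risks and controls are all constructed assumptions.

```python
"""Risk treatment feedback loop with the 4Ts / PCDD quadrant mapping.
Added illustration, not code from the IRM study guide or from Hopkin. The 1-5
scale, the boundary rule, the appetite threshold and the register are constructed."""
from dataclasses import dataclass, field

MID = 3  # 1-5 scale: above 3 is High, below 3 is Low, exactly 3 is the boundary (assumption)

# Likelihood band first, then impact band, as the study guide lists them.
QUADRANT_RESPONSE = {          # quadrant -> (4T response, PCDD control type)
    "HH": ("terminate", "preventive"),
    "HL": ("treat", "corrective"),
    "LH": ("transfer", "directive"),
    "LL": ("tolerate", "detective"),
}

def band(score):
    """Map a 1-5 score to 'H' or 'L'; None when it sits exactly on the mid-point."""
    if score > MID:
        return "H"
    return "L" if score < MID else None

def classify(likelihood, impact):
    """(4T response, PCDD type) for the quadrant, or ('indeterminate', None) when
    either axis is on the boundary, which is exactly where the matrix is blunt."""
    key = (band(likelihood) or "?") + (band(impact) or "?")
    return QUADRANT_RESPONSE.get(key, ("indeterminate", None))

@dataclass
class Control:
    name: str
    cost: int                      # relative cost (constructed)
    likelihood_reduction: int = 0  # points taken off the likelihood score
    impact_reduction: int = 0      # points taken off the impact score

@dataclass
class Risk:
    name: str
    likelihood: int
    impact: int
    available: list = field(default_factory=list)  # controls not yet applied
    applied: list = field(default_factory=list)    # names of applied controls

    @property
    def severity(self):
        return self.likelihood * self.impact       # severity = likelihood x impact

def residual_after(risk, ctrl):
    """Scores the risk would have after applying ctrl (never below 1)."""
    return (max(1, risk.likelihood - ctrl.likelihood_reduction),
            max(1, risk.impact - ctrl.impact_reduction))

def treat_until_within_appetite(risk, appetite):
    """The feedback loop: compare severity with appetite, treat, re-analyse, repeat.
    Each round applies the control with the largest severity reduction per unit cost.
    Returns 'tolerate' once residual severity <= appetite, or 'terminate' when no
    control is left and the residual still exceeds appetite (revise objectives)."""
    while risk.severity > appetite:
        if not risk.available:
            return "terminate"
        def benefit(ctrl):
            lik, imp = residual_after(risk, ctrl)
            return (risk.severity - lik * imp) / ctrl.cost
        best = max(risk.available, key=benefit)
        risk.available.remove(best)
        risk.likelihood, risk.impact = residual_after(risk, best)
        risk.applied.append(best.name)
    return "tolerate"

def sample_register():
    """Constructed sample risks and controls on the 1-5 scale (not real data)."""
    return [
        Risk("Ransomware on file servers", 4, 5, [
            Control("Monthly patching", cost=3, likelihood_reduction=2),
            Control("Offline backups", cost=2, impact_reduction=3),
            Control("MFA on remote access", cost=1, likelihood_reduction=1)]),
        Risk("Phishing of finance staff", 5, 2, [
            Control("Awareness training", cost=1, likelihood_reduction=1),
            Control("Mail filtering", cost=1, likelihood_reduction=2)]),
        Risk("Legacy system that cannot be patched", 4, 4, [
            Control("Network segmentation", cost=2, likelihood_reduction=1, impact_reduction=1)]),
        Risk("Data centre flood", 1, 5),
        Risk("Third-party SaaS outage", 3, 3, [
            Control("Contractual SLA with service credits", cost=1, impact_reduction=1)]),
    ]

def run_register(appetite=6):
    """Classify each risk on its inherent scores, then run the treatment loop on it."""
    results = {}
    for risk in sample_register():
        inherent = classify(risk.likelihood, risk.impact)
        outcome = treat_until_within_appetite(risk, appetite)
        results[risk.name] = {"inherent_quadrant": inherent, "outcome": outcome,
                              "residual_severity": risk.severity, "applied": risk.applied}
    return results
```

Calling run_register() shows the two views disagreeing in places: the flood risk is already within appetite and the loop tolerates it, while its inherent quadrant (low likelihood, high impact) points to transfer; the SaaS outage scores 3 on both axes, so the quadrant mapping returns ‘indeterminate’, which is the dead-centre weakness noted above. The loop also records why a risk ends up terminated: every available control was applied and the residual still exceeded appetite.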
Preventive controls are the most important, though prevention may not
always be cost-effective, especially if the likelihood of a risk occurring is
low. For risks that we have no control over, such as some external risks, it
might be impossible to prevent them anyway, in which case we are left
with considering only the other three options. In that sense, a cost-benefit
analysis of any preventive control is vital.
Corrective controls are in place where preventive controls are not feasible,
desirable or cost-effective (although they could be used also as a
secondary defence, should the preventive controls fail). Again, alongside
their adequacy and effectiveness, the corrective controls’ value for money
also needs to be tested.
Directive controls are the most common type of control and are based on
giving directions to another person or party as to how they should behave
in certain circumstances. This type of control is based on the behaviour of
individuals and, therefore, may not be very reliable. Contracts are directive
controls because a contract instructs the parties to the contract what they
should do in specified circumstances.
A fire alarm which detects a fire moments after the first puff of smoke is
likely to be a much quicker detection of a fire risk than the detection of a
project off-track through an audit review taking place six months into a
project. Nevertheless, they are both examples of detective controls.
UNIT 6 | RISK RESPONSE AND RISK TREATMENT
© 2016 Institute of Risk Management | 109
Remember that there is a relationship between detective and corrective controls
and the extent of deviation from the expected standard that is required before the
detection triggers the need to apply a corrective control. For example, where we
detect a potential overspend of a financial budget, we must consider what the
acceptable tolerances are before we take corrective action.
Some control theorists have referred to the idea of ‘anticipatory controls’. These
controls are forward looking, similar to directive controls, but they tend to be
more long term and strategic in nature; they are controls set in advance of
possible future scenarios and their aim is to help the organisation to adapt itself
effectively and in good time to those future scenarios, should they occur.
In essence, then, the difference between anticipatory and directive controls is that
directive controls are based on the organisation's present-day internal and external
environment, while anticipatory controls anticipate changes to those environments
and prepare the organisation for such changes.
Essential reading
Read the first part of Hopkin chapter 22 (pages 238–9), called ‘Hazard risk
zones’.
Then read The Orange Book (HM Treasury, 2004: 28), sections 6.2 and 6.3, for
a very simple summary of the PCDD.
After that, read the remaining five parts of Hopkin chapter 22 (pages 239–46). As
you read these parts, note in particular Hopkin's hierarchy (or order) for the
application of these controls.
RISK IN THE REAL WORLD
Hopkin provides examples from the real world for the use of this hierarchy of
controls:
in table 22.2 (page 241), for fraud and health and safety risks
in the case study of a road transport company on page 243.
Activity 6.5
Provide one practical example in your organisation of each of the PCDD
responses for a single risk of your choice. Then consider whether your
organisation has any anticipatory controls in place – try to find out how important
people think anticipatory controls are.
From our discussion of the 4Ts and the PCDD we can conclude that not only can
we classify risks into various types of risk, but we can also classify controls!
6.4 Control of selected hazard risks
We now go on to see how we can apply some of the more general theories of
control that we have looked at to a range of selected hazard risks. Hopkin gives
more detail on the control of particular types of risk, with examples of financial,
infrastructure, reputational and marketplace risks from the FIRM scorecard.
In general, this section refers to most of Hopkin chapter 23, but we leave out the
first and last parts, which we will review in the next section.
Essential reading
You may first wish to remind yourself of the FIRM scorecard by reviewing table
17.2 in Hopkin (pages 183–5) and table 21.2 (page 229), which both describe a
range of risks using the FIRM scorecard.
Then read the second to fifth parts of Hopkin chapter 23 (pages 250–9).
6.5 Introduction to monitoring and review
We shall now introduce the stage of the risk management process called
‘monitoring and review’, which you will study in much more detail during module
2 and later, in module 4. Along with other sources, this section refers to the
remaining parts of Hopkin chapter 23 that were not covered in the previous
section.
Activity 6.6
Firstly, where is ‘monitoring and review’ shown in the various risk management
standards? Look at the IRM (2002) risk management standard in figure 6.1 in
Hopkin (page 59), COSO ERM figure 6.3 (Hopkin page 63) and most importantly,
ISO 31000 in figure 6.4 (Hopkin page 65).
Under the title ‘feedback mechanisms’ within the risk management process,
Airmic, Alarm, IRM (2010: 9) states that:
‘ISO 31000 recognises the importance of feedback by way of two
mechanisms. These are ‘monitoring and review’ of performance and
‘communication and consultation’. Monitoring and review ensures that the
organisation monitors risk performance and learns from experience.
Communication and consultation is presented in ISO 31000 as part of the
risk management process, but it may also be considered to be part of the
supporting framework.’
Similarly, The Orange Book (HM Treasury, 2004: 31–3), in chapter 7, describes
an activity called ‘reviewing and reporting risks’, in which it encourages staff to
review their risk management activities and undertake self-assurance, while also
investing in independent reviews and assurance by internal audit, and then
reporting all these activities through to audit and risk committees. This
demonstrates full accountability of risk management throughout the enterprise.
Chapter 8 of The Orange Book (HM Treasury, 2004: 35–6) then describes an
activity called ‘communication and learning’ in which learning specifically takes
place, and good practice is disseminated around the organisation, so that full
enterprise-wide benefits of risk management can be achieved. To some extent
these two process activities combine to provide a simplified summary of ISO
31000’s ‘monitor and review’ and ‘communication and consultation’ activities.
This section focuses on three things that can only be uncovered by monitoring
and reviewing our risk management activities:
costs of risk controls (against their benefits)
learning from controls
learning from risk events.
All three activities provide an organisation with a source of valuable knowledge
from which it can improve its overall risk management activities.
The cost of risk controls
Although there is a cost to the organisation if a hazard risk materialises, there is
also a cost associated with responding to and/or treating the risk. In fact, there is
a cost in performing the activities of identifying, analysing and evaluating the risk
(risk assessment). The lower the risk appetite becomes, the more risk averse an
organisation is, and by implication the lower the acceptable target risk is, so the
cost of the response will become greater and greater. However, this will be offset
by a reduced exposure (or expected loss) from the risk itself.
So at the inherent level of risk, the total risk exposure of the organisation will be
very high, while the cost of response will be zero. As we invest in controls, the
total cost of expected risk exposure will decline (it will probably decline quickly at
first, since we’ll focus our responses on the most serious risks), but at the same
time the total cost of all our risk responses will increase.
At some point the total cost of responses will increase to the point at which it
is no longer sensible to invest further in risk response, because the further
reduction in risk exposure will not be sufficient to offset the increased cost of
control.
The theory of diminishing returns from investing in hazard-risk responses is a
compelling one because of its logic, but some degree of judgement still has to be
made on the appropriate point at which to stop investing in risk responses and
start tolerating the remaining risk exposure.
The reality, however, is that an accurate cost-benefit analysis of risk management
is only likely to be possible some time into an implemented risk management
initiative, and that is why monitoring and review becomes an increasingly
important activity in our risk management process over time.
If a risk manifests itself in its expected way, the control might be fully effective,
but if a risk manifests itself in ways other than the most expected way, the effect
of the control might be much less certain and indeed it might not help to mitigate
the risk at all; it might even exacerbate it.
Writers on the law of unintended consequences argue that all risk responses
produce side-effects on organisations, in much the same way that medical drugs
have side-effects on patients. Thus a response that reduces one risk's exposure
might result in an increase in exposure to another risk. Exactly how bad (or
good) the side-effect will be is often not immediately obvious.
This subject leads us into the area of risk assurance and the work undertaken by
internal audit in independently reviewing the efficiency and effectiveness of
controls. This is an important area and you should be comfortable that you
understand the contribution made by internal audit activities to the successful
management of risk. The internal audit activities will be considered in more detail
in module 2.
Essential reading
Read the first part of chapter 23 in Hopkin (pages 247–50), on ‘Cost of risk
controls’, which defines monitoring and review and considers the cost of risk
management in relation to its benefits. Hopkin then moves on to consider the
cost-benefit analysis of controls.
Activity 6.7
Consider how you determine the value for money of risk management in your
organisation. Is there a consistent evaluation and when does the evaluation of
cost-benefit take place? Who makes the final decision?
Learning from critical controls
When we first plan and implement a control, we do not know how effective it will
be in managing the risk. The range of possible residual risk outcomes could be
quite wide and unpredictable. Monitoring and reviewing our controls can help us
better understand their effectiveness, thus enabling us to redesign them in a
more effective manner to ensure more predictable residual risk outcomes.
When we review a control we need to answer two questions:
Is the control we chose to implement really the best control for the risk?
Is that control effective in practice?
We could add a third question:
Does the control provide good value for money?
Monitoring and review enables learning and improvement in our risk
management activities, and that is its primary purpose.
As with the cost of developing and implementing responses, we must also note
that there are additional costs that we must pay for monitoring, reviewing,
learning and improving our responses. With finite resources, we cannot
constantly monitor and review all our controls.
So, which of our controls is it most important to learn from? Critical controls are
those that reduce the organisation’s most critical risks. If these controls are not
effective there could be major consequences and impacts for the business, so it
is important to monitor, review, learn and improve these critical controls more
frequently than is the case for other, less critical controls.
Monitoring and review should not be limited to learning from controls. Indeed,
most of the risk management standards indicate that we can (and should) apply
learning to the whole process and framework of risk management. Some of the
learning benefits of undertaking reviews of the whole risk management process
include:
To ensure our responses are effective and efficient, including the
identifying and closing of any holes or gaps in our control defences.
To identify and manage potential adverse side effects and unintended
consequences of our responses.
To build up knowledge to improve risk identification and analysis.
To better link risks to objectives, key dependencies, core processes and
stakeholder expectations.
To detect and prepare for changes in our internal or external context.
To detect and prepare for changes and trends in our risks.
To identify and prepare for new and emerging risks.
To identify good risk management practice, build on it and disseminate it
to other parts of the organisation.
Learning from risk events
Our final discussion on learning relates to the monitoring and review of actual
events that can take place in any organisation: risk incidents and near misses.
You will study more about learning from risk events in the final unit of module 2.
If a risk incident actually takes place, there is much we can learn from the event
itself. Similarly, if a particular risk has been managed especially well, the lessons
we learn can be applied as good practice exemplars to be transferred to other,
less risk-mature parts of the organisation.
We can also learn lessons from a review of near-miss incidents. A near miss
could be described as a crystallisation of a risk that does not result in significant
impact, but could have done (the impact could have been positive or negative).
Examples of negative near-miss incidents include:
A small fire that was detected early enough to prevent any damage.
A small fraud that was detected before money was lost.
A plane that makes an emergency landing.
A disaster that affects a competitor but which could, just as easily, have
affected us (think of the lessons to be learned by other oil and gas
companies following the BP Deepwater Horizon event in 2010).
By reviewing the near-miss event we can understand better:
Why it occurred.
Whether we had previously identified it as a possible risk.
Why it did not have a big impact.
Whether we had correctly analysed its likelihood and impact.
In summary, then, risk incidents provide the greatest opportunity for learning and
improving our risk management framework, and since the range of risks and
controls within an organisation is so vast, there is constant opportunity for
learning and improvement.
Essential reading
Read the final part of chapter 23 in Hopkin (pages 259–62) on ‘Learning from
controls’, which explains in more depth how to learn from the controls we
employ.
Activity 6.8
A hospital finds that one cause of higher patient mortality is ambulances failing
to reach emergency patients in sufficient time. The hospital manager's response
to this risk is to issue an instruction that ambulance drivers must reach
emergency patients in less than eight minutes if those patients are to have a
reasonable chance of survival. Identify some of the possible unintended
consequences of this risk response.
Try to identify a near miss event in your organisation’s history. What were the
reasons for the impact of that risk being much less severe than it could have
been? Was it good risk management or good luck? What lessons did your
management learn for the future?
RISK IN THE REAL WORLD
As we near the end of our travels through the risk management
process, take a look at the case study in Hopkin (pages 272–3)
to see how the Nationwide Building Society undertakes its risk
management and control activity. As you read the case study,
look for evidence of risk identification, analysis, treatment and
monitoring and review.
6.6 Insurance and risk transfer
We now move on to consider aspects of insurance, risk financing and other
mechanisms of the risk transfer element of the 4Ts, covering the main classes of
insurance. In general, this section refers to Hopkin chapter 24. We give an
introduction here – you will cover the subject in much more detail in module 4.
The importance of insurance
The fundamental principle of insurance is indemnity. The insured organisation
makes a contract with the insurer for an insurance policy that provides indemnity
for insured events: it puts the insured back in the position (at least
financially) that it would have been in had the loss never occurred.
There are advantages and disadvantages of insurance, which enable an
organisation to make a decision on whether the insurance option is a suitable
one for a particular risk. Sometimes a company will self-insure by establishing its
own insurance company subsidiary, referred to as a captive insurance company.
As you might expect, there are both advantages and disadvantages with the
captive form of insurance.
The following are examples of different types of insurance, in three main
categories:
legal and contractual obligations
balance sheet/profit and loss protection
employee benefit/protection of employee assets.
Many insurance policies will be compulsory, mostly those which are liability
classes, though these will vary from country to country.
Essential reading
Read the whole of chapter 24 in Hopkin (pages 263–72). As you read, make sure
you understand the principle of how insurance works, the difference between first
party and third party insurance, and advantages and disadvantages of captive
insurance.
RISK IN THE REAL WORLD
Hopkin’s table 24.2 (page 265) provides a checklist that you
can follow for the types of insurance cover you might wish to
buy, depending on the specific characteristics of your
organisation. Earlier, Hopkin (page 262) explains how the
development of insurance grew rapidly, following the effects of
the great Chicago fire in 1871.
Learning activity 6.9
Talk to the people responsible for insurance in your organisation and ask them
how they determine the value for money for the insurance service your
organisation receives.
6.7 Business continuity planning
We will end this unit by looking at another specialist area of risk
management: business continuity planning (BCP), within the broader context of
business impact analysis, disaster recovery planning and civil emergencies.
No matter how sound our controls are, no matter how many layers of control we
have to protect a core process, there is always the possibility that our preventive
controls will fail because of gaps or deficiencies. Should that occur, we must be
able to recover quickly and efficiently from any incident and this is what business
continuity planning is all about. As was the case for the subject of insurance, we
only give an introduction to BCP here – you will cover the subject in much more
detail in module 4.
BCP is all about planning in advance of a disaster; an organisation must be
prepared for a crisis. When a disaster is about to strike, it will be too late to think
about preventing it and while the crisis is running its course the situation is likely
to be too chaotic to effectively mitigate the consequences. So BCP should be
considered as a specific type of risk treatment, because it has the purpose of
allowing an organisation to continue operating with minimal disruption.
Some examples of events that can threaten business continuity include:
major fires/explosions
IT failures
power/water outages
fuel shortages
severe weather or other natural disaster
loss or absence of key staff
terrorist incident
loss of key supplier or raw material
breakdown or loss of key equipment.
These events tend to have a low likelihood of occurring but an extremely high
impact on the organisation if they do. So, although minor IT failures are quite
common and rarely have any major impact, very occasionally a major IT disaster
could result in a loss of data or operating capability severe enough to
interrupt normal business operations for a considerable time. Similarly, while bad
weather is usually an inconvenience, sometimes it can be devastating.
The particular circumstances of an organisation might make it more susceptible
to one continuity risk than another (in other words, the likelihood, although low,
will be slightly higher).
For example, an IT consultancy organisation located near the San Andreas Fault
in California might be more at risk from earthquakes than an oil and gas business
located in Texas. However, the oil and gas business might be more at risk from
fire or explosions or, due to its location, hurricanes. Meanwhile, an organisation
manufacturing a complex product using materials from a complex web of
suppliers and subcontractors might find itself more vulnerable than average to
the loss of a key supplier, while the Californian consultancy is more vulnerable
than average to the loss of key people.
A special component of BCP may focus on IT continuity planning; this is commonly
called 'disaster recovery', and its output is a disaster recovery plan.
The three components to BCP can be listed as:
To prepare for a crisis.
To manage a crisis as soon as possible after it happens and minimise the
immediate damage.
To recover from the crisis efficiently and effectively.
You should consider and understand how the three components of BCP enable
an organisation to consider resilience to disaster using a PCDD approach: first,
do all you can to prevent a crisis; then detect it early; and then correct it
effectively through a range of directed activities.
As Hopkin explains on page 193, the new business continuity standard, ISO
22301, has now replaced BS 25999, and you should become familiar with the
main requirements of this new ISO standard. Consider the example of the flu
pandemic of 2009 to illustrate the importance of business continuity planning.
What arrangements do you think should be put in place by an engineering firm
on a large industrial estate?
Essential reading
Read the first part of chapter 18 in Hopkin (pages 190–2) titled 'Business
continuity management'. When you reach figure 18.1 on page 192 go forward
briefly and look at pages 196–7, in which the diagram is applied to a
broadcasting organisation.
RISK IN THE REAL WORLD
Hopkin describes, on page 196, the possible continuity
responses that organisations could plan for, should the world
be affected by a pandemic.
Business impact analysis
You should become familiar with what business impact analysis (BIA) means and
why it is important. In effect, it is an analysis stage in the BCP cycle, where we
analyse the effect of an interruption to our key dependencies and core
processes.
The major benefit of a BIA approach is that our focus becomes less on the
events that could cause a major disruption to our organisation, and more on
identifying the critical parts of our organisation and then prioritising our BCM
towards striving to protect these critical parts from any event that could disrupt or
destroy them.
There are certain compliance issues associated with BCP, which are becoming an
increasing concern for the public and government sectors, which have growing
legal and regulatory obligations for sound continuity planning.
BCP can be considered to be a very important component of loss control.
Business continuity planning is related to the area of cost containment and BCP
can also be linked to damage limitation, although BCP is generally not
considered to be linked to loss prevention.
The example of BP’s Deepwater Horizon oil spill disaster of 2010 provides a
case study of where the business appeared to be unprepared, from the point of
BCP, especially in terms of damage limitation.
There is also a link between BCP and insurance and a wider relationship
between insurance, cost containment and BCP. Insurance companies have
increasingly offered cost containment policies that focus on providing the
necessary finance to an organisation to allow it to recover quickly following some
form of crisis, disaster or other critical impact.
Indeed, if an organisation has adequate BCPs in place, it is likely that insurance
premiums will be lower and so will any claims that arise. Because of the
settlement delays that inevitably occur following a claim, every business should
ensure its BCP offers sufficient assurance to guarantee minimum disruption
following an event.
Essential reading
Read the parts of chapter 18 in Hopkin (pages 193–8), titled ‘Business continuity
standards’, ‘Successful business continuity’ and ‘Business impact analysis’.
Learning activity 6.10
Think about this in the context of your organisation. What are your organisation’s
core activities that you could not afford to lose? What type of event could
seriously disrupt the continuity of your organisation?
Think of BCM not just for the organisation as a whole, but specifically for your
risk management activities. Where are your risk team’s (or your risk
department’s) highest likelihood continuity risks, and what are you doing about
them in order to ensure that the service of the risk team can be maintained in a
crisis?
Essential reading
Read the final two parts of chapter 18 in Hopkin (pages 198–9), titled ‘Business
continuity and ERM’ and ‘Civil emergencies’, which discuss the same themes,
but in more detail.
RISK IN THE REAL WORLD
At the beginning of his text (page 44), Hopkin demonstrates
just how integrated ERM and BCP are with reference to a
pharmaceutical group. This looks at potentially catastrophic
events as the first level of risk identification.
Self-assessment questions
1 Which one of the following best describes a risk prior to any risk treatment?
a) Residual risk
b) Target risk
c) Current risk
d) Gross risk.
2 Which one of the following options from the 4Ts of hazard risk management
would not result in a reduction in risk severity?
a) Terminating the source of the risk
b) Treating the risk
c) Transferring the risk
d) Tolerating the risk.
3 Which one of the following types of control is a fire insurance policy a good
example of?
a) Preventive
b) Corrective
c) Directive
d) Detective.
4 Which one of the following outcomes does a fire alarm produce as a risk
treatment in the case of a fire?
a) Reduce likelihood but not impact
b) Reduce impact but not likelihood
c) Reduce both impact and likelihood
d) Reduce neither impact nor likelihood.
5 Which of the following scenarios is an anticipatory response relevant to?
a) Emerging future situations
b) Providing clear guidelines for risk treatment
c) A type of preventive control
d) The activity of learning and improving the risk management process.
6 Which one of the following types of risk is ‘accept’ a suitable response to?
a) Operational risk
b) Tactical risk
c) Business continuity risk
d) Opportunity risk.
7 Which one of the following types of risk can a ‘fifth T’ be used as a
response to?
a) Hazard risk
b) Operational risk
c) Business continuity risk
d) Opportunity risk.
8 Which one of the following outcomes is the initial treatment of risk in an
organisation not likely to result in?
a) Reduce the inherent risk
b) Reduce the high-level severity risks
c) Reduce the medium-level severity risks
d) Reduce the overall risk exposure.
Further reading
IRM’s ORC (2014) has a section called ‘Specialist risk areas’, with subsections
on insurance and business continuity.
No system of control guarantees the elimination of risk and the achievement of
objectives. Reason (2000) describes the ‘Swiss cheese’ model, which shows
that, no matter how many layers of control and risk response we employ, there is
always the possibility that disaster might strike.
If you are interested in the subject of insurance, including its background, history,
types of policies, you could search Wikipedia for its article on ‘Insurance’. Further
information on captives is also available on Wikipedia under ‘Captive insurance’.
(See references section under ‘Wikipedia’ for direct links.)
You may also wish, if you are interested, to look briefly at Business Continuity
Institute (2013). It provides a six-stage business continuity management plan,
which is compatible with ISO 22301.
For those who would like to see another business continuity standard based
around ISO 31000, there is the AS/NZS 5050:2010, a summary of which can be
found in CompliSpace (2011).
Feedback to activities
Activity 6.1
The Orange Book (HM Treasury, 2004) describes risk treatment as 'addressing
risks' in its chapter 6. The Orange Book is referred to several times in this unit,
as it goes through the subject of the 4Ts and PCDD.
The IRM (2002) process (Hopkin, 2014: 59) includes a special section on risk
treatment, which it defines, on page 7 of the standard, as "the process of
selecting and implementing measures to modify the risk".
Referring to the COSO ERM (2004) model (Hopkin, 2014: 63), we can see that
“risk treatment” can be accommodated in the following two stages of the process,
which are taken from the original executive summary (COSO, 2004: 4):
‘Risk response: Management selects risk responses – avoiding, accepting,
reducing, or sharing risk; developing a set of actions to align risks with the
entity’s risk tolerances and risk appetite.
Control activities: Policies and procedures are established and implemented to
help ensure the risk responses are effectively carried out.’
Finally, the 8Rs and 4Ts process (Hopkin, 2014: 41), describes risk treatment as
“responding to risks” using the 4T approach.
Activity 6.2
It is of course the risk appetite. It tells us not only whether to treat a risk, but also
when to stop treating it. Referring to the scenario presented in figure 15.3 in Hopkin
(page 166), do you think this is likely to be risk aggressive or risk averse in
relation to the risk presented?
Activity 6.3
This is a useful exercise to reinforce your learning of the differences between
each of the 4Ts. You should find it quite easy to identify a “treat” since, as Hopkin
says, this is the most common form of response. But you might find it harder to
detect a “terminate” since by implication this is something that is likely to have
happened in the past; moreover, people might regard it not as a defensive
withdrawal as a result of high risk, but a positive decision to take advantage of an
opportunity.
Activity 6.4
You might find that you have a specific set of procedures in dealing with project
activities, including their management of risks, that is distinct from operational
activities; you might also well find that the project procedures focus more on
project hazards than project opportunities.
However, it is highly likely that strategic level risk management will be a separate
activity and possibly an informal one, led by the board of directors. Perhaps your
best way of answering this question is to see if you have any procedures which
cover strategic level risks.
Activity 6.5
In the case of fraud risk, a detective control could be a review of new suppliers
set up by staff on the organisation’s accounting system, to try to detect any false
or ghost suppliers to which money could be channelled. Another example would
be the encouragement of confidential whistleblowing arrangements and fraud
hotlines.
A preventive control could be suitable vetting of candidates' backgrounds at the
job interview stage, or a range of penalties that could be invoked against any
members of staff found to be defrauding the company, thus reducing the
incentive to be fraudulent.
A corrective control might be media handling activity designed to mitigate any
reputational damage that might arise, or bringing in the police to deal with the
fraudsters and so remove the cause of the fraud from the business.
A directive control could be a document with a set of procedures to adopt to
either discourage fraud or to invoke if fraud is suspected.
Look at the fraud risk responses in your organisation; it is highly likely that a full
range of responses exists, since fraud is a ubiquitous risk from which no
organisation is immune. Speak to your internal auditor, because fraud risk is one of
the major areas that internal audit looks at, or look at your organisation's fraud
policies (a directive control) to get an idea of the full set of fraud responses.
You could of course try to apply PCDD to any major areas of risk in your
organisation, such as health and safety risk, or consider PCDD for a major
project in your business, such as a new computer system.
As for an anticipatory control, have a look to see if there are any procedures in
place for anticipating a complete change in the business model for the future.
Going back to the section of the study guide, you will know that anticipatory
controls relate to preparing for a changing future rather than managing the
present.
Activity 6.6
Most risk management standards have something to say on monitoring and
review as a tool to enable learning and improvement in risk management
activities. Monitoring and review is the last stage of the risk management process
that we shall discuss in this module.
MODULE 1 | PRINCIPLES OF RISK AND RISK MANAGEMENT
128 | © 2016 Institute of Risk Management
Activity 6.7
Many businesses will find it much easier to estimate the cost of risk management
than the benefits that come from managing risks.
The costs are here and now. We can estimate much of them from the amounts we
spend on staff who spend time managing risks, on administering the ERM
framework, on providing assurance, on running controls and on paying for
insurance. So while the total cost of risk might not be too difficult to calculate, the
cost of managing individual risks will be much harder to compute, because those
total costs would have to be allocated to the management of individual risks.
(Think, for example, how you would allocate your own time across all of the
individual risks that the organisation faces.)
The benefits of risk management are more elusive than the costs because risks
are future events: they may never actually occur (in which case the observed
value of the control is zero). Moreover, it may be impossible to calculate how
much any individual control helped to reduce the likelihood or impact of a risk,
since you never know what would have happened if the risk had occurred and
you had no controls in place. Nor can you isolate the individual contribution of
one control if one risk is managed by several controls.
Whether or not the risks occur, the sense of assurance that people feel that things
are under control is very valuable, but it is also very hard to calculate.
It is therefore most likely that the weighing of the risk cost-benefit scales is an
intuitive one, like so much in risk management.
Speak to your organisation’s internal auditor (if you have one) and try to find out
if a value for money review has ever been undertaken.
Activity 6.8
This real example from the healthcare sector of a western country led to many
unintended consequences. First, it encouraged ambulance drivers to drive
dangerously if they were in danger of failing to hit the time deadline.
Second, ambulance drivers might give up trying to reach a patient once they
knew they were unlikely to hit the eight-minute target: arriving after one hour
was no worse a performance than arriving at eight minutes and one second.
Third, it encouraged the falsification of records. For example: (i) those patients
living close to the ambulance station were more likely to be regarded as
emergencies; or (ii) a deliberate delay in logging the calls would give ambulance
drivers an early start before the clock began.
Fourth, it failed to take account of driving conditions: heavy snow in the rush hour
would undoubtedly result in poorer performances compared with clear
conditions, early in the morning on a quiet national holiday.
Activity 6.9
The cynic might say that your organisation’s insurance function needs a good
portfolio of insurance products in order to maintain its purpose in the organisation,
so treat what they say with some degree of caution.
So you could go one stage further and ask them about the situations where the
organisation has made claims to the insurers in the past and what might have
happened to the business had those claims not been met.
Do you see any evidence of overkill in risk treatment; in other words, do you feel
there are some risks where insurance seems less cost effective because you
believe the organisation already adequately manages those risks in-house?
Another thing you could do is to check to see if there has ever been an internal
audit review of the insurance function and try to get a copy of the report and any
recommendations that followed.
Activity 6.10
In focusing on your organisation, you should ask the additional question: which
of these sets of risks is likely to be most common? If your business handles
flammable chemicals in a dry region of the world, then a catastrophic fire risk is
probably more likely than a catastrophic flood risk.
In focusing on the risk function itself, the catastrophic fire risk might be less likely
than the catastrophic risk of disruption resulting from multiple staff absences all
occurring at the same time due to a flu outbreak. Another continuity risk could
result from a catastrophic failure in your risk management software.
Answers to self-assessment questions
1-d (Gross risk – which is also known as inherent risk)
2-d (Tolerating a risk does not result in any reduction in severity as we are
tolerating the risk at its present level)
3-b (Corrective control – because it helps to correct a problem)
4-d (It reduces neither impact nor likelihood: without a further response, normally
a corrective control, the alarm will just ring and nothing else will automatically
happen to reduce the impact of the fire; using an extinguisher or evacuating staff
are corrective controls)
5-a (Emerging future situations – because it is about being able to anticipate
change and provide a route map to successfully respond to it)
6-b (Tactical risk – because it is one of the 4A responses described in Hopkin,
page 234)
7-d (Opportunity – which comes from The Orange Book and is all about taking
the opportunity (HM Treasury, 2004: 28))
8-c (The initial treatment will not focus on reducing medium severity risks
because the initial treatment will focus first on reducing those highest level risks,
which pose the greatest business danger. Only once those have been dealt with
will we turn our attention to medium level risks).
References
Accenture (2011) Report on the Accenture 2011 Global Risk Management Study.
Accenture Risk Management. Available at:
https://www.rims.org/resources/ERM/Documents/Accenture_Global_Repo
rt%202011.pdf
Adams, J (2003) in R Ericson and A Doyle (eds) Risk and Morality. University of
Toronto
Adams, J (2007) ‘Risk Management: It’s Not Rocket Science – It’s Much More
Complicated’, Public Risk Forum, May 2007. Valby, Denmark: European
Institute for Risk Management in collaboration with PRIMO (Public Risk
Management Organisation) Europe. Available at:
http://www.eirm.com/en/Who%20We%20Are/~/media/Business%20Card/
Articles%20%20EIRM/Publications%20by%20EIRM/PRF%20May%20200
7.ashx
Adams, J (2011) ‘Not 100% sure? The ‘public’ understanding of risk’ in DJ
Bennett and RC Jennings, Successful Science Communication.
Cambridge: Cambridge University Press. Available in unpublished proof
form at: http://www.john-adams.co.uk/wp-content/uploads/2006/08/risk-
communication.pdf
Airmic/Alarm/IRM (2010) A structured approach to Enterprise Risk Management
(ERM) and the requirements of ISO 31000. London: Association of Risk
Managers/ Public Risk Management Association/Institute of Risk
Management. Available at:
http://www.theirm.org/media/886062/ISO3100_doc.pdf
BBC News (2007) ‘Rock risks ‘were not foreseeable’’, 16 October 2007. London:
BBC News. Available at: http://news.bbc.co.uk/1/hi/business/7046959.stm
Bernstein, PL (1996) ‘The New Religion of Risk Management’, Harvard Business Review, March 1996. Boston, Massachusetts: Harvard Business Publishing. Available at: https://hbr.org/1996/03/the-new-religion-of-risk-management
Business Continuity Institute (2013) Good Practice Guidelines 2013 Global
Edition Edited Highlights: A Guide to Global Good Practice in Business
Continuity. Reading, Berkshire: Business Continuity Institute. Available at:
http://www.bcifiles.com/GPGLite.pdf
Cadbury Committee (1992) Report of the Committee on the Financial Aspects of
Corporate Governance Corporate governance (1992), London:
Gee/Professional Publishing Ltd. Available at:
http://www.ecgi.org/codes/documents/cadbury.pdf
Caldwell, JE (2012) A framework for board oversight of enterprise risk. Toronto:
Chartered Professional Accountants Canada.
CGMA (2014) ‘Porter’s Five Forces of Competitive Position Analysis’. Chartered
Global Management Accountant. Available at:
http://www.cgma.org/Resources/Tools/essential-tools/Pages/porters-five-
forces.aspx
Charity Commission (2010) Charities and Risk Management. London: Charity
Commission. Available at:
http://www.charitycommission.gov.uk/media/94007/cc26text.pdf
Chesshire J (2009) Corporate Governance and Risk Management. London:
Chartered Institute of Internal Auditors.
CIIA (2005) An approach to implementing risk based internal auditing. London:
Chartered Institute of Internal Auditors. This guide sets out an approach that
may be used to implement risk based internal auditing (RBIA). Access to this
document is for IIA members only.
CII (2012) Future Risk: Learning from History. London: Chartered Insurance
Institute. Available at:
http://www.cii.co.uk/media/1756409/cii_future_risk_learning_from_history_
final_web.pdf
CompliSpace (2011) ‘Australian Business Continuity Management Standard
AS/NZS 5050:2010 – A Risk Perspective’. CompliSpace. Available at:
http://complispace.wordpress.com/2011/03/24/australian-business-
continuity-management-standard-asnzs-50502010-a-risk-perspective/
COSO (2004) Enterprise Risk Management: Integrated Framework, Executive Summary. Committee of Sponsoring Organizations of the Treadway Commission: Available at: http://www.coso.org/documents/coso_erm_executivesummary.pdf
COSO (2010) COSO’s 2010 Report on ERM: Current State of Enterprise Risk
Oversight and Market Perceptions of COSO’s ERM Framework.
Committee of Sponsoring Organizations of the Treadway Commission.
Available at: http://www.coso.org/documents/COSOSurveyReportFULL-
Web-R6FINALforWEBPOSTING111710.pdf
COSO (2011) Embracing Enterprise Risk Management: Practical Approaches for
Getting Started. Committee of Sponsoring Organizations of the Treadway
Commission. Available at:
http://www.coso.org/documents/EmbracingERM-
GettingStartedforWebPostingDec110_000.pdf
COSO (2013) Internal Control – Integrated Framework, Executive Summary.
Committee of Sponsoring Organizations of the Treadway Commission.
Available at:
http://www.coso.org/documents/990025P_Executive_Summary_final_may
20_e.pdf
COSO (2014) Improving organizational governance and performance: How the
COSO frameworks can help. Committee of Sponsoring Organizations of
the Treadway Commission. Available at:
http://www.coso.org/documents/2014-2-10-
COSO%20Thought%20Paper.pdf
Entsgo (undated) Risk Management – Pure Risk and Speculative Risk
Explained. Austin, Texas: Entsgo. Available at:
http://www.entsgo.com/Content/Technology/RiskManagement2.pdf
Gigerenzer, G (2011) ‘Statistical Illiteracy Endemic in Healthcare’, in Risk Management Professional, March 2011. London: Institute of Risk Management. Available at: http://dev4.vm1-host0592.cammail.net/content/features/statistical-illiteracy-endemic-healthcare
HM Treasury (2004) The Orange Book: Management of Risk – Principles and
Concepts. London: HM Treasury. Available at: http://hm-
treasury.gov.uk/orange_book.htm
Holmquist, E (2014) ‘Don’t confuse risks with risk sources: Sources are causes,
risks are effects’. ABA Banking Journal. Available at:
http://www.bankingexchange.com/news-feed/item/4348-don-t-confuse-
risks-with-risk-sources
Holton, GA (2004) ‘Defining Risk’, Financial Analysts Journal, vol. 60, no.6.
Charlottesville, Virginia: CFA Institute. Available at:
http://glynholton.com/wp-content/uploads/2006/10/risk.pdf
Hopkin, P (2014) Fundamentals of Risk Management, London: Kogan Page
IIA (2009) Knowledge Alert: Internal Auditing and Risk Management. October
2009. Altamonte Springs, Florida: Global Audit Information Network
(GAIN), Institute of Internal Auditors:
http://www.acl.com/images/blog/Recent_Impacts_on_the_Staffing_and_S
ourcing_of_North_American_Internal.pdf
IIRC (2013) The International <IR> Framework, December 2013. International
Integrated Reporting Council. Available at: http://www.theiirc.org/wp-
content/uploads/2013/12/13-12-08-THE-INTERNATIONAL-IR-
FRAMEWORK-2-1.pdf
IRM (2010) Fundamentals of Risk Management: A Practical Introduction to
Enterprise Risk Management and ISO 31000. London: Institute of Risk
Management: https://www.theirm.org/media/886062/ISO3100_doc.pdf
IRM (2002) A Risk Management Standard. London: Institute of Risk
Management. Available at:
https://www.theirm.org/media/886059/ARMS_2002_IRM.pdf
IRM (2011) Risk Appetite and Tolerance: Executive Summary. London: Institute
of Risk Management. Available at:
http://www.theirm.org/publications/documents/IRMRiskAppetiteExecSum
maryweb.pdf
ISO (2009) ISO 31000 Risk Management – Principles and Guidelines. Geneva:
International Organization for Standardization. Available (at a cost) at:
http://www.iso.org/iso/home/standards/iso31000.htm
ISO (2009) ISO Guide 73: 2009; Risk management – Vocabulary. Geneva:
International Organization for Standardization. Available (at a cost) at:
http://www.iso.org/iso/catalogue_detail?csnumber=44651
Jeynes, J (2002) Risk management: 10 principles. Oxford: Butterworth-
Heinemann. Available at:
http://ghalenoy.persiangig.com/BOOK/Risk_Management_-
_10_Principles.pdf/download
Knight, F (1921) Risk, Uncertainty, and Profit, Boston, MA: Hart, Schaffner &
Marx; Houghton Mifflin Co. Part III.VII The Meaning of Risk and
Uncertainty. Available at: http://www.econlib.org/library/Knight/knRUP.html
Kloman, HF (2010) ‘A brief history of risk management’, in J Fraser and BJ
Simkins (eds) Enterprise Risk Management. Hoboken, New Jersey: John
Wiley & Sons, Inc.
KPMG (2006) ERM: Enterprise Risk Management: Complacency Is No Longer an Option, but a Practical Start Is. Available at: http://www.kpmg.com/lu/en/services/advisory/regulatory-consulting/regulatoryriskandcompliance/governanceandriskmanagement/documents/erm-complacency-no-longer-an-option.pdf
Lam, J (2003) Enterprise Risk Management: From Incentives to Controls. Wiley
and Son, ISBN: 978-0-471-43000-1.
Mikes, A, and Kaplan, RS (2014) Towards a Contingency Theory of Enterprise
Risk Management (Working Paper 13–063, 13 January 2014). Harvard
Business School. Available at:
http://www.hbs.edu/faculty/Publication%20Files/13-063_5e67dffe-aa5e-
4fac-a746-7b3c07902520.pdf
Mind Tools (undated) ‘Cause and Effect Analysis: Identifying the Likely Causes
of Problems’. London: Mind Tools Ltd. Available at:
http://www.mindtools.com/pages/article/newTMC_03.htm
ORC (2014) ‘Online Resource Centre’. London: Institute of Risk Management. Available at: https://www.theirm.org/knowledge-and-resources/online-resource-centre.aspx
ourcommunity.com.au (undated) ‘Establishing a context for risk management in your organisation’. Melbourne, Victoria: Our Community Pty Ltd. Available at: https://www.ourcommunity.com.au/insurance/view_help_sheet.do?articleid=339
Praxiom (2013) ‘ISO 31000 2009: Plain English Introduction’. Edmonton, Alberta:
Praxiom Research Group Ltd. Available at: http://www.praxiom.com/iso-
31000-intro.htm
PricewaterhouseCoopers (2009) Maximizing internal audit: A 10-step imperative
for thriving in a challenging economy. Available at:
http://www.pwc.com/us/en/internal-audit/assets/maximizing-internal-
audit.pdf
Reason, J (2000) ‘Human error: models and management’, British Medical
Journal. London: BMJ Publishing Group Ltd. Available at:
https://mbchb.dundee.ac.uk/dundeerisk/files/2010/09/human-errors-
models-and-management.pdf
Recklies, D (undated) ‘The Value Chain’. Recklies Management Project GmbH.
Available at:
http://www.fao.org/fileadmin/user_upload/fisheries/docs/ValueChain.pdf
RIMS (2011) An overview of widely used risk management standards and
guidelines. Risk and Insurance Management Society, Inc. Available at:
http://www.rims.org/resources/ERM/Documents/RIMS%20Executive%20R
eport%20on%20Widely%20Used%20Standards%20and%20Guidelines%
20March%202010.pdf
RISK.COM.AU (undated) ‘Establish Context’. Available at:
http://www.risk.com.au/establish_context
Riskviews (2010) ‘Really Different’. Riskviews. Available at:
http://riskviews.wordpress.com/2010/10/01/really-different/
Rooney, JJ, and LN Vanden Heuvel (2004) ‘Root Cause Analysis for Beginners’,
Quality Progress, July 2004. American Society for Quality. Available at:
https://servicelink.pinnacol.com/pinnacol_docs/lp/cdrom_web/safety/mana
gement/accident_investigation/Root_Cause.pdf
SA/SNZ HB 436:2013 Risk management guidelines - Companion to AS/NZS ISO
31000:2009. Available at:
http://www.preventionweb.net/publications/view/41427
Sedgwick Law (2006) Risky Business: Risk Assessment and Planning for GCs.
GC California Magazine, September 2006 by Bruce Celebrezze. Available
at: http://www.sdma.com/Publications/detail.aspx?pub=4558
Shortreed, J (2010) ‘ERM Frameworks’, in J Fraser and BJ Simkins (eds)
Enterprise Risk Management. Hoboken, New Jersey: John Wiley & Sons,
Inc.
Slovic, P, B Fischhoff and S Lichtenstein (1980) ‘Facts vs. fears: understanding
perceived risk’, in RC Schwing and WA Albers (eds) Societal Risk
Assessment: How Safe is Safe Enough? Springer
Sondalini, M A (undated) Understanding How to Use The 5-Whys for Root
Cause Analysis. Rossmoyne, Western Australia: Lifetime Reliability.
Available at: http://www.lifetime-reliability.com/tutorials/lean-management-
methods/How_to_Use_the_5-Whys_for_Root_Cause_Analysis.pdf
Standard and Poor’s (2013) Enterprise Risk Management, 7 May 2013. New
York, NY: Standard and Poor’s Financial Services LLC. Available at:
http://www.maalot.co.il/publications/MT20151123154908.pdf
Standards New Zealand (2013) SA/SNZ HB 436:2013 Risk management
guidelines - Companion to AS/NZS ISO 31000:2009. Wellington, New
Zealand: Standards New Zealand. Available to purchase
at: http://shop.standards.co.nz/catalog/436%3A2013(SA%7CSNZ+HB)/vie
w
StrategicRISK (2011) ‘Alarmed and Dangerous’, April 2011. London: Newsquest
Specialist Media. Available at: http://www.strategic-risk-
global.com/alarmed-and-dangerous/1389574.article (Subscription
required)
StrategicRISK (2012) ‘StrategicRISK 2012 Risk Report: The top concerns of European risk managers’. Sponsored by Marsh Risk Consulting. London: Newsquest Specialist Media. Available at: http://www.strategic-risk-global.com/risk-report-2012-update/1397747.article
Treasury Board of Canada Secretariat (2012) Guide to Integrated Risk
Management. Ottawa: Treasury Board of Canada Secretariat. Available
at: http://www.tbs-sct.gc.ca/tbs-sct/rm-gr/guides/girm-ggir01-
eng.asp#toc1_1
Tversky, A, and D Kahneman (1974) ‘Judgment under Uncertainty: Heuristics
and Biases’, Science, New Series, vol. 185, no. 4157, pp. 1124–31.
Washington, DC: American Association for the Advancement of Science.
Available at:
http://psiexp.ss.uci.edu/research/teaching/Tversky_Kahneman_1974.pdf
University of Wollongong (2016) WHS Risk Management Guidelines. University
of Wollongong. Available at:
http://staff.uow.edu.au/content/groups/public/@web/@ohs/documents/doc
/uow016948.pdf
WCO (undated) WCO Customs Risk Management Compendium, Volume 1.
Brussels: World Customs Organization. Available at:
http://www.wcoomd.org/en/topics/enforcement-and-
compliance/instruments-and-
tools/~/media/45BE65FFE12748FDA6D41BA7F3451C75.ashx
Wikipedia (undated). Article on ‘Insurance’ available at:
http://en.wikipedia.org/wiki/Insurance. Article on ‘Captive insurance’.
Available at: http://en.wikipedia.org/wiki/Captive_insurance