Your business reputation can take years to build, and mere minutes to destroy. The range of business threats is evolving rapidly, but your organization can thrive and gain a competitive advantage with your business vision for enterprise risk management. Trends affecting markets (events in the global financial markets, changing technologies, environmental priorities, dependency on intellectual property) all underline how important it is to keep up to speed on the latest financial risk management practices and procedures. This popular book on enterprise risk management has been expanded and updated to include new themes and current trends for today's risk practitioner. It features up-to-date material on new threats, lessons from the recent financial crisis, and how businesses need to protect themselves in terms of business interruption, security, project and reputational risk management. Project risk management is now a mature discipline with an international standard for its implementation. This book reinforces that project risk management needs to be systematic, but also that it must be embedded to become part of an organization's DNA. This book promotes techniques that will help you implement a methodical and broad approach to risk management.
* The author is a well-known expert and boasts a wealth of experience in project and enterprise risk management
* Easy-to-navigate structure breaks down the risk management process into stages to aid implementation
* Examines the external influences that bring sources of business risk that are beyond your control
* Provides a handy chapter with tips for commissioning consultants for business risk management services
It is a business imperative to have a clear vision for risk management. Simple Tools and Techniques for Enterprise Risk Management, Second Edition shows you the way.
Page count: 1335
Year of publication: 2011
Contents
Cover
Endorsements
Title Page
Copyright
Dedication
List of Figures
Preface to the Second Edition
AUDIENCE
BOOK OVERVIEW
HOW TO READ THIS BOOK
Acknowledgements
FIRST EDITION
SECOND EDITION
About the Author
Part I: Enterprise Risk Management in Context
1: Introduction
1.1 RISK DIVERSITY
1.2 APPROACH TO RISK MANAGEMENT
1.3 BUSINESS GROWTH THROUGH RISK TAKING
1.4 RISK AND OPPORTUNITY
1.5 THE ROLE OF THE BOARD
1.6 PRIMARY BUSINESS OBJECTIVE (OR GOAL)
1.7 WHAT IS ENTERPRISE RISK MANAGEMENT?
1.8 BENEFITS OF ENTERPRISE RISK MANAGEMENT
1.9 STRUCTURE
1.10 SUMMARY
2: Developments in Corporate Governance in the UK
2.1 INVESTOR UNREST
2.2 THE PROBLEM OF AGENCY
2.3 THE CADBURY COMMITTEE
2.4 THE GREENBURY REPORT
2.5 THE HAMPEL COMMITTEE AND THE COMBINED CODE OF 1998
2.6 SMITH GUIDANCE ON AUDIT COMMITTEES
2.7 HIGGS
2.8 TYSON
2.9 COMBINED CODE ON CORPORATE GOVERNANCE 2003
2.10 COMPANIES ACT 2006
2.11 COMBINED CODE ON CORPORATE GOVERNANCE 2008
2.12 SIR DAVID WALKER'S REVIEW OF CORPORATE GOVERNANCE, JULY 2009 (CONSULTATION PAPER)
2.13 SIR DAVID WALKER'S REVIEW OF CORPORATE GOVERNANCE, NOVEMBER 2009 (FINAL RECOMMENDATION)
2.14 HOUSE OF COMMONS TREASURY COMMITTEE 2009
2.15 UK CORPORATE GOVERNANCE CODE, JUNE 2010
2.16 THE “COMPLY OR EXPLAIN” REGIME
2.17 DEFINITION OF CORPORATE GOVERNANCE
2.18 FORMATION OF COMPANIES
2.19 THE FINANCIAL SERVICES AUTHORITY AND MARKETS ACT 2000
2.20 THE LONDON STOCK EXCHANGE
2.21 SUMMARY
3: Developments in Corporate Governance in the US
3.1 CORPORATE GOVERNANCE
3.2 THE SECURITIES AND EXCHANGE COMMISSION
3.3 THE LAWS THAT GOVERN THE SECURITIES INDUSTRY
3.4 CATALYSTS FOR THE SARBANES-OXLEY ACT 2002
3.5 NATIONAL ASSOCIATION OF CORPORATE DIRECTORS 2008
3.6 SUMMARY
4: The Global Financial Crisis of 2007–2009: A US Perspective
4.1 THE FINANCIAL CRISIS IN SUMMARY
4.2 HOW THE FINANCIAL CRISIS UNFOLDED
4.3 THE UNITED STATES MORTGAGE FINANCE INDUSTRY
4.4 SUBPRIME MODEL OF MORTGAGE LENDING
4.5 WHY THIS CRISIS WARRANTS CLOSE SCRUTINY
4.6 BEHAVIOURS
4.7 WORLDWIDE DEFICIENCIES IN RISK MANAGEMENT
4.8 FEDERAL REFORM
4.9 SYSTEMIC RISK
4.10 THE FUTURE OF RISK MANAGEMENT
4.11 SUMMARY
5: Developments in Corporate Governance in Australia and Canada
5.1 AUSTRALIAN CORPORATE GOVERNANCE
5.2 CANADA
5.3 SUMMARY
6: Internal Control and Risk Management
6.1 THE COMPOSITION OF INTERNAL CONTROL
6.2 RISK AS A SUBSET OF INTERNAL CONTROL
6.3 ALLOCATION OF RESPONSIBILITY
6.4 THE CONTEXT OF INTERNAL CONTROL AND RISK MANAGEMENT
6.5 INTERNAL CONTROL AND RISK MANAGEMENT
6.6 EMBEDDING INTERNAL CONTROL AND RISK MANAGEMENT
6.7 SUMMARY
7: Developments in Risk Management in the UK Public Sector
7.1 RESPONSIBILITY FOR RISK MANAGEMENT IN GOVERNMENT
7.2 RISK MANAGEMENT PUBLICATIONS
7.3 SUCCESSFUL IT
7.4 SUPPORTING INNOVATION
7.5 THE ORANGE BOOK
7.6 AUDIT COMMISSION
7.7 CIPFA/SOLACE CORPORATE GOVERNANCE
7.8 M_o_R 2002
7.9 DEFRA
7.10 STRATEGY UNIT REPORT
7.11 RISK AND VALUE MANAGEMENT
7.12 THE GREEN BOOK
7.13 CIPFA GUIDANCE ON INTERNAL CONTROL
7.14 MANAGING RISKS TO IMPROVE PUBLIC SERVICES
7.15 THE ORANGE BOOK (REVISED)
7.16 M_o_R 2007
7.17 MANAGING RISKS IN GOVERNMENT
7.18 SUMMARY
Part II: The Risk Management Process
8: Establishing the Context: Stage 1
8.1 PROCESS
8.2 PROCESS GOAL AND SUBGOALS
8.3 PROCESS DEFINITION
8.4 PROCESS INPUTS
8.5 PROCESS OUTPUTS
8.6 PROCESS CONTROLS (CONSTRAINTS)
8.7 PROCESS MECHANISMS (ENABLERS)
8.8 PROCESS ACTIVITIES
8.9 SUMMARY
9: Risk Identification: Stage 2
9.1 PROCESS
9.2 PROCESS GOAL AND SUBGOALS
9.3 PROCESS DEFINITION
9.4 PROCESS INPUTS
9.5 PROCESS OUTPUTS
9.6 PROCESS CONTROLS (CONSTRAINTS)
9.7 PROCESS MECHANISMS (ENABLERS)
9.8 PROCESS ACTIVITIES
9.9 SUMMARY
10: Risk Analysis: Stage 3
10.1 PROCESS
10.2 PROCESS GOAL AND SUBGOALS
10.3 PROCESS DEFINITION
10.4 PROCESS INPUTS
10.5 PROCESS OUTPUTS
10.6 PROCESS CONTROLS (CONSTRAINTS)
10.7 PROCESS MECHANISMS (ENABLERS)
10.8 PROCESS ACTIVITIES
10.9 SUMMARY
11: Risk Evaluation: Stage 4
11.1 PROCESS
11.2 PROCESS GOAL AND SUBGOALS
11.3 PROCESS DEFINITION
11.4 PROCESS INPUTS
11.5 PROCESS OUTPUTS
11.6 PROCESS CONTROLS (CONSTRAINTS)
11.7 PROCESS MECHANISMS (ENABLERS)
11.8 PROCESS ACTIVITIES
11.9 SUMMARY
12: Risk Treatment: Stage 5
12.1 PROCESS
12.2 PROCESS GOAL AND SUBGOALS
12.3 PROCESS DEFINITION
12.4 PROCESS INPUTS
12.5 PROCESS OUTPUTS
12.6 PROCESS CONTROLS (CONSTRAINTS)
12.7 PROCESS MECHANISMS
12.8 PROCESS ACTIVITIES
12.9 RISK APPETITE
12.10 RISK RESPONSE STRATEGIES
12.11 SUMMARY
13: Monitoring and Review: Stage 6
13.1 PROCESS
13.2 PROCESS GOAL AND SUBGOALS
13.3 PROCESS DEFINITION
13.4 PROCESS INPUTS
13.5 PROCESS OUTPUTS
13.6 PROCESS CONTROLS (CONSTRAINTS)
13.7 PROCESS MECHANISMS
13.8 PROCESS ACTIVITIES
13.9 SUMMARY
14: Communication and Consultation: Stage 7
14.1 PROCESS
14.2 PROCESS GOAL AND SUBGOALS
14.3 PROCESS DEFINITION
14.4 PROCESS INPUTS
14.5 PROCESS OUTPUTS
14.6 PROCESS CONTROLS (CONSTRAINTS)
14.7 PROCESS MECHANISMS
14.8 PROCESS ACTIVITIES
14.9 INTERNAL COMMUNICATION
14.10 EXTERNAL COMMUNICATION
14.11 SUMMARY
Part III: Internal Influences – Micro Factors
15: Financial Risk Management
15.1 DEFINITION OF FINANCIAL RISK
15.2 SCOPE OF FINANCIAL RISK
15.3 BENEFITS OF FINANCIAL RISK MANAGEMENT
15.4 IMPLEMENTATION OF FINANCIAL RISK MANAGEMENT
15.5 LIQUIDITY RISK
15.6 CREDIT RISK
15.7 BORROWING
15.8 CURRENCY RISK
15.9 FUNDING RISK
15.10 FOREIGN INVESTMENT RISK
15.11 DERIVATIVES
15.12 SUMMARY
16: Operational Risk Management
16.1 DEFINITION OF OPERATIONAL RISK
16.2 SCOPE OF OPERATIONAL RISK
16.3 BENEFITS OF OPERATIONAL RISK
16.4 IMPLEMENTATION OF OPERATIONAL RISK
16.5 STRATEGY
16.6 PEOPLE
16.7 PROCESSES AND SYSTEMS
16.8 EXTERNAL EVENTS
16.9 OUTSOURCING
16.10 MEASUREMENT
16.11 MITIGATION
16.12 SUMMARY
17: Technological Risk Management
17.1 DEFINITION OF TECHNOLOGY RISK
17.2 SCOPE OF TECHNOLOGY RISK
17.3 BENEFITS OF TECHNOLOGY RISK MANAGEMENT
17.4 IMPLEMENTATION OF TECHNOLOGY RISK MANAGEMENT
17.5 PRIMARY TECHNOLOGY TYPES
17.6 RESPONDING TO TECHNOLOGY RISK
17.7 SUMMARY
18: Project Risk Management
18.1 DEFINITION OF PROJECT RISK
18.2 DEFINITION OF PROJECT RISK MANAGEMENT
18.3 SOURCES OF PROJECT RISK
18.4 BENEFITS OF PROJECT RISK MANAGEMENT
18.5 EMBEDDING PROJECT RISK MANAGEMENT
18.6 PROJECT RISK MANAGEMENT PROCESS
18.7 RESPONSIBILITY FOR PROJECT RISK MANAGEMENT
18.8 PROJECT DIRECTOR'S ROLE
18.9 PROJECT TEAM
18.10 OPTIMISM BIAS
18.11 SOFTWARE TOOLS USED TO SUPPORT PROJECT RISK MANAGEMENT
18.12 TECHNIQUES USED TO SUPPORT PROJECT RISK MANAGEMENT
18.13 SUMMARY
19: Business Ethics Management
19.1 DEFINITION OF BUSINESS ETHICS RISK
19.2 SCOPE OF BUSINESS ETHICS RISK
19.3 BENEFITS OF ETHICS RISK MANAGEMENT
19.4 HOW UNETHICAL BEHAVIOUR CAN ARISE
19.5 RECOGNITION OF THE NEED FOR BUSINESS ETHICS
19.6 FACTORS THAT AFFECT BUSINESS ETHICS
19.7 RISK EVENTS
19.8 IMPLEMENTATION OF ETHICAL RISK MANAGEMENT
19.9 SUMMARY
20: Health and Safety Management
20.1 DEFINITION OF HEALTH AND SAFETY RISK
20.2 SCOPE OF HEALTH AND SAFETY RISK
20.3 BENEFITS OF HEALTH AND SAFETY RISK MANAGEMENT
20.4 THE UK HEALTH AND SAFETY EXECUTIVE
20.5 THE EUROPEAN AGENCY FOR SAFETY AND HEALTH AT WORK
20.6 IMPLEMENTATION OF HEALTH AND SAFETY RISK MANAGEMENT
20.7 WORKPLACE PRECAUTIONS
20.8 CONTRIBUTION OF HUMAN ERROR TO MAJOR DISASTERS
20.9 IMPROVING HUMAN RELIABILITY IN THE WORKPLACE
20.10 RISK MANAGEMENT BEST PRACTICE
20.11 SUMMARY
Part IV: External Influences – Macro Factors
21: Economic Risk
21.1 DEFINITION OF ECONOMIC RISK
21.2 SCOPE OF ECONOMIC RISK
21.3 BENEFITS OF ECONOMIC RISK MANAGEMENT
21.4 IMPLEMENTATION OF ECONOMIC RISK MANAGEMENT
21.5 MICROECONOMICS AND MACROECONOMICS
21.6 MACROECONOMICS
21.7 GOVERNMENT POLICY
21.8 AGGREGATE DEMAND
21.9 AGGREGATE SUPPLY
21.10 EMPLOYMENT LEVELS
21.11 INFLATION
21.12 INTEREST RATE RISK
21.13 HOUSE PRICES
21.14 INTERNATIONAL TRADE AND PROTECTION
21.15 CURRENCY RISK
21.16 SUMMARY
22: Environmental Risk
22.1 DEFINITION OF ENVIRONMENTAL RISK
22.2 SCOPE OF ENVIRONMENTAL RISK
22.3 BENEFITS OF ENVIRONMENTAL RISK MANAGEMENT
22.4 IMPLEMENTATION OF ENVIRONMENTAL RISK MANAGEMENT
22.5 ENERGY SOURCES
22.6 USE OF RESOURCES
22.7 POLLUTION
22.8 GLOBAL WARMING
22.9 RESPONSE TO GLOBAL WARMING
22.10 STIMULATION TO ENVIRONMENTAL CONSIDERATIONS
22.11 ENVIRONMENTAL SUSTAINABILITY
22.12 SUMMARY
23: Legal Risk
23.1 DEFINITION OF LEGAL RISK
23.2 SCOPE OF LEGAL RISK
23.3 BENEFITS OF LEGAL RISK MANAGEMENT
23.4 IMPLEMENTATION OF LEGAL RISK MANAGEMENT
23.5 BUSINESS LAW
23.6 COMPANIES
23.7 INTELLECTUAL PROPERTY
23.8 EMPLOYMENT LAW
23.9 CONTRACTS
23.10 CRIMINAL LIABILITY IN BUSINESS
23.11 COMPUTER MISUSE
23.12 SUMMARY
24: Political Risk
24.1 DEFINITION OF POLITICAL RISK
24.2 SCOPE OF POLITICAL RISK
24.3 BENEFITS OF POLITICAL RISK MANAGEMENT
24.4 IMPLEMENTATION OF POLITICAL RISK MANAGEMENT
24.5 ZONIS AND WILKIN POLITICAL RISK FRAMEWORK
24.6 CONTRACTS
24.7 TRANSITION ECONOMIES OF EUROPE
24.8 UK GOVERNMENT FISCAL POLICY
24.9 PRESSURE GROUPS
24.10 TERRORISM AND BLACKMAIL
24.11 RESPONDING TO POLITICAL RISK
24.12 SUMMARY
25: Market Risk
25.1 DEFINITION OF MARKET RISK
25.2 SCOPE OF MARKET RISK
25.3 BENEFITS OF MARKET RISK MANAGEMENT
25.4 IMPLEMENTATION OF MARKET RISK MANAGEMENT
25.5 MARKET STRUCTURE
25.6 PRODUCT LIFE CYCLE STAGE
25.7 ALTERNATIVE STRATEGIC DIRECTIONS
25.8 ACQUISITION
25.9 COMPETITION
25.10 PRICE ELASTICITY/SENSITIVITY
25.11 DISTRIBUTION STRENGTH
25.12 MARKET RISK MEASUREMENT: VALUE AT RISK
25.13 RISK RESPONSE PLANNING
25.14 SUMMARY
26: Social Risk
26.1 DEFINITION OF SOCIAL RISK
26.2 SCOPE OF SOCIAL RISK
26.3 BENEFITS OF SOCIAL RISK MANAGEMENT
26.4 IMPLEMENTATION OF SOCIAL RISK MANAGEMENT
26.5 EDUCATION
26.6 POPULATION MOVEMENTS: DEMOGRAPHIC CHANGES
26.7 SOCIO-CULTURAL PATTERNS AND TRENDS
26.8 CRIME
26.9 LIFESTYLES AND SOCIAL ATTITUDES
26.10 SUMMARY
26.11 REFERENCES
Part V: The Appointment
27: Introduction
27.1 CHANGE PROCESS FROM THE CLIENT PERSPECTIVE
27.2 SELECTION OF CONSULTANTS
27.3 SUMMARY
27.4 REFERENCE
28: Interview with the Client
28.1 FIRST IMPRESSIONS/CONTACT
28.2 CLIENT FOCUS
28.3 UNIQUE SELLING POINT
28.4 PAST EXPERIENCES
28.5 CLIENT INTERVIEW
28.6 ASSIGNMENT METHODOLOGY
28.7 CHANGE MANAGEMENT
28.8 SUSTAINABLE CHANGE
28.9 SUMMARY
28.10 REFERENCES
29: Proposal
29.1 INTRODUCTION
29.2 PROPOSAL PREPARATION
29.3 PROPOSAL WRITING
29.4 APPROACH
29.5 PROPOSAL
29.6 CLIENT RESPONSIBILITIES
29.7 REMUNERATION
29.8 SUMMARY
29.9 REFERENCES
30: Implementation
30.1 WRITTEN STATEMENT OF PROJECT IMPLEMENTATION
30.2 MANAGEMENT
30.3 CUSTOMER DELIGHT
30.4 SUMMARY
30.5 REFERENCES
Appendix 1: Successful IT: Modernising Government in Action
PROJECT PROFILE MODEL
SUMMARY RISK PROFILE
Appendix 2: Sources of Risk
Appendix 3: DEFRA Risk Management Strategy
INTRODUCTION
AIM, PRINCIPLES AND IMPLEMENTATION
IDENTIFYING RISKS
ASSESSING RISKS
ADDRESSING RISKS
REVIEWING AND REPORTING RISKS
ROLES AND RESPONSIBILITIES
Appendix 4: Risk: Improving Government's Capability to Handle Risk and Uncertainty
THE GOVERNMENT'S ROLE AND RESPONSIBILITIES
IMPROVING GOVERNMENT'S HANDLING OF RISK
IMPROVING CAPACITY
HANDLING THE COMMUNICATION OF RISK
THE ROLE OF LEADERSHIP AND CULTURAL CHANGE
Appendix 5: Financial Ratios
PROFITABILITY
EFFICIENCY
LIQUIDITY
INVESTMENT RATIOS
Appendix 6: Risk Maturity Models
Appendix 7: SWOT Analysis
UNDERTAKING SWOT ANALYSIS
RANKING STRENGTHS AND WEAKNESSES
Appendix 8: PEST Analysis
UNDERTAKING PEST ANALYSIS
OTHER TYPES OF ANALYSIS
Appendix 9: VRIO Analysis
Appendix 10: Value Chain Analysis
CONFIGURATION OF RESOURCES
Appendix 11: Resource Audit
Appendix 12: Change Management
Appendix 13: Industry Breakpoints
Appendix 14: Probability
LOGIC PROBABILITIES
OBJECTIVE PROBABILITIES
SUBJECTIVE PROBABILITIES
RELATIONSHIPS OF PROBABILITY
CONDITIONAL PROBABILITY
MULTIPLICATION LAW
INDEPENDENT EVENTS
BAYES’ THEOREM
Appendix 15: Value at Risk
Appendix 16: Optimism Bias
METHOD ADOPTED IN CALCULATING OPTIMISM BIAS
METHOD FOR CALCULATING OPTIMISM BIAS FOR COST
Index
First Edition Book Endorsements
Enterprise Risk Management is a necessary and valuable tool for identifying, quantifying and mitigating risks across an organization but it is also a significant undertaking in terms of knowledge and application. In these days of fiscal, regulatory and political correctness this book addresses ERM in its broadest sense, providing useful reference and examples. Written in a clear and concise manner, the content should be of tremendous value to anyone involved in risk, audit or corporate governance whether as an analyst or board member.
(Robin Paris, Director, Group Risk, Nestlé)
This book provides an excellent introduction to enterprise risk management set in the context of strong corporate governance. The writing is clear and direct, combining a comprehensive understanding of enterprise risk with a practical and straightforward guide to tools and techniques from strategic to operational level. As a result I have no doubt that it will find its way onto the shelves of the more experienced risk managers.
(Caroline Donaldson, Director, Head of Risk, Network Rail)
Robert Chapman has distilled years of experience and produced a book which is easy to read and full of practical/useful information. Having devised and implemented an enterprise risk management process, I found much of the material instantly recognizable and relevant. My one regret is that this book was not available earlier!
(Matt Smith, Group Risk Manager, Tate & Lyle plc)
This book will be of benefit to all levels of risk practitioner and sets ERM in the context of corporate governance and internal control requirements. It provides a particularly clear description of a risk management process defined by IDEF0 diagrams with a useful discussion of internal and external risk factors.
(Andrew Wood, Director, Risk Management, Serco Group plc)
This edition first published 2011
Copyright © 2011 John Wiley & Sons, Ltd
Registered Office: John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, United Kingdom
For details of our global editorial offices, for customer services and for information about how to apply for permission to reuse the copyright material in this book please see our website at www.wiley.com.
The right of the author to be identified as the author of this work has been asserted in accordance with the Copyright, Designs and Patents Act 1988.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by the UK Copyright, Designs and Patents Act 1988, without the prior permission of the publisher.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.
Designations used by companies to distinguish their products are often claimed as trademarks. All brand names and product names used in this book are trade names, service marks, trademarks or registered trademarks of their respective owners. The publisher is not associated with any product or vendor mentioned in this book. This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold on the understanding that the publisher is not engaged in rendering professional services. If professional advice or other expert assistance is required, the services of a competent professional should be sought.
Library of Congress Cataloging-in-Publication Data
Chapman, Robert J.
Simple tools and techniques for enterprise risk management / Robert J. Chapman. – 2nd ed.
p. cm.
ISBN 978-1-119-98997-4 (hbk) – ISBN 978-1-119-99065-9 (ebk) – ISBN 978-1-119-99064-2 (ebk)
1. Risk management. 2. Risk. 3. Uncertainty. 4. Decision making. I. Title.
HD61.C494 2011
658.15'5–dc23
2011042252
ISBN: 978-1-119-98997-4 (hbk) ISBN: 978-1-119-96321-9 (ebk)
ISBN: 978-1-119-99065-9 (ebk) ISBN: 978-1-119-99064-2 (ebk)
A catalogue record for this book is available from the British Library.
To Kay, Dominic and Gemma
List of Figures
Figure 1.1 The role of the board and the integration of risk management
Figure 1.2 ERM structure
Figure 4.1 Relationship between the parties engaged in the subprime housing market
Figure 4.2 Increased foreclosures from mortgages resetting
Figure 4.3 Negative equity triggers mortgage defaults
Figure 4.4 Housing surplus leads to fall in construction and job losses
Figure 4.5 Overlapping vicious circles
Figure 5.1 Risk management survey questions and their responses
Figure 6.1 Composition of the Combined Code 2003 and its relationship to the Turnbull guidance
Figure 6.2 Internal control and risk management in context
Figure 7.1 Parties responsible for risk management in government
Figure 7.2 Decision making within the management hierarchy of an organisation
Figure P2.1 Stages in the risk management process
Figure P2.2 IDEF0 process design notation: process elements are described by IDEF0 using inputs, outputs, controls and mechanisms
Figure 8.1 Structure of Chapter 8
Figure 8.2 The “establish the context” process illustrating the inputs, outputs, constraints and mechanisms
Figure 8.3 Structure of Section 8.8
Figure 9.1 Structure of Chapter 9
Figure 9.2 Risk identification process
Figure 9.3 Structure of questionnaire
Figure 9.4 Definition of categories of risk
Figure 9.5 Software development risk taxonomy
Figure 9.6 Techniques for identifying business risk
Figure 10.1 Structure of Chapter 10
Figure 10.2 Risk analysis process
Figure 10.3 Cause and effect
Figure 10.4 Main causes of effect
Figure 10.5 Main, level 1 and level 2 causes
Figure 10.6 Cause and effect diagram for a petrochemical company
Figure 11.1 Structure of Chapter 11
Figure 11.2 Risk evaluation process
Figure 11.3 Probability tree
Figure 11.4 Dependent events
Figure 11.5 Utility functions
Figure 11.6 Decision tree of land purchase decision
Figure 11.7 Decision tree rolled back
Figure 11.8 Directed diagram
Figure 11.9 Probability over two periods
Figure 11.10 Stages in cost–benefit analysis
Figure 12.1 Structure of Chapter 12
Figure 12.2 Risk treatment process
Figure 13.1 Structure of Chapter 13
Figure 13.2 Risk monitoring and review process
Figure 14.1 Structure of Chapter 14
Figure 14.2 Communication and consultation process
Figure P3.1 Structure of Part III
Figure 15.1 Structure of Chapter 15
Figure 16.1 Structure of Chapter 16
Figure 16.2 Taxonomy of strategy risk
Figure 16.3 Taxonomy of people risk
Figure 16.4 Systems perspective of sources of turnover
Figure 16.5 Taxonomy of processes and systems risk
Figure 16.6 Taxonomy of external events risk
Figure 16.7 Events causing disruption to organisations in 2004
Figure 17.1 Structure of Chapter 17
Figure 17.2 The investment decision-making process
Figure 18.1 Structure of Chapter 18
Figure 18.2 Risk management process
Figure 19.1 Structure of Chapter 19
Figure 19.2 Four levels of a responsible business enterprise
Figure 19.3 Seven-step business ethics programme
Figure 20.1 Structure of Chapter 20
Figure 20.2 Components of a health and safety management system
Figure P4.1 Structure of Part IV
Figure 21.1 Structure of Chapter 21
Figure 21.2 The circular flow of income in a national economy
Figure 21.3 An aggregate demand curve
Figure 21.4 Shifts of and movements along the aggregate demand curve
Figure 21.5 An aggregate supply curve
Figure 21.6 Short-run aggregate supply curve
Figure 22.1 Structure of Chapter 22
Figure 23.1 Structure of Chapter 23
Figure 23.2 Division between public and private law
Figure 24.1 Structure of Chapter 24
Figure 25.1 Structure of Chapter 25
Figure 25.2 Sources of market risk and opportunity
Figure 25.3 Product life cycle stages
Figure 25.4 Alternative strategic directions for business development
Figure 25.5 The marketing mix composed of the four Ps
Figure 26.1 Structure of Chapter 26
Figure 28.1 Influences on a change process
Figure 29.1 Preparation of a proposal
Figure A1.1 Summary risk profile
Figure A10.1 The value chain
Figure A14.1 Complement of event A
Figure A14.2 Union of events A and B
Figure A14.3 Mutually exclusive events A and B
Figure A14.4 Venn diagram illustrating types of degree held by employees
Figure A14.5 Tree diagram for two suppliers
Figure A14.6 Probability tree diagram for two suppliers
Figure A16.1 Optimism bias for capital expenditure
Preface to the Second Edition
Since the publication of the first edition in 2006 the landscape of enterprise risk management (ERM) has changed dramatically. Clearly the single most prominent event has been the financial and economic “earthquake”, whose epicentre lay in the United States. The “aftershocks” continue to be felt around the globe. I think it is safe to say that never before have governments, regulators, businesses and the public been so preoccupied with risk exposure. Never before has risk management been written about, spoken of or debated with the same intensity. The “man on the street”, particularly in Europe and the United States, is now only too acutely aware of the risks to his nation's economy, his employer, his employment and his standard of living. Poor risk management was cited time and time again in the aftermath of the global financial crisis. Clearly, making predictions solely from observations and experience, and adopting “bell curve” methods of inference [1] over short time horizons, was fundamentally flawed. Risk predictability was found wanting and the ramifications of a lack of forewarning have been devastating. As described in 2009 by Angel Gurría, Secretary-General of the Organisation for Economic Co-operation and Development (OECD), “the current global economic crisis is costing the world trillions of dollars, a protracted recession, millions of lost jobs, a huge loss of confidence in financial markets and a reversal in our efforts to curb global poverty”. Bank executives have been pilloried for their risk-seeking behaviour, which at times has been described as reckless. Hector Sants, the chief executive of the UK Financial Services Authority (FSA) at the time of writing, remarked after the crisis: “Remuneration practices – bonuses – have been a symbol; a lightning rod of society's lack of trust in bankers and to address the trust issue this state of affairs has to be recognised and resolved”.
Although only a minority of board directors exhibited all of the destructive “d's”, from being deceitful, delinquent, devious, dictatorial and dishonest through to disreputable, that minority kept the media spotlight on board behaviour. Surveys completed by the large accounting firms after the financial crisis led to the common conclusion that the UK is still not there yet in terms of fully embedding ERM into board behaviour. Clearly ERM (which embraces both corporate governance and ethics) still has a long journey to travel before it is ingrained in the culture of businesses and can be seen to be contributing to business longevity and profitability.
The changes included in this revision reflect world events, national initiatives to address corporate governance failings and the growing importance of project risk management, business ethics, and health and safety management. These last three subjects have been included in the business risk taxonomy described in Chapter as additional internal processes, as it is considered they warrant specific attention.
The major differences between the first and second edition are summarised below.
New chapters:
Chapter 4 The Global Financial Crisis 2007–2009, a US Perspective
Chapter 5 Developments in Corporate Governance in Australia and Canada
Chapter 14 Communication and Consultation: Stage 7
Chapter 18 Project Risk Management
Chapter 19 Business Ethics Management
Chapter 20 Health and Safety Management
Significantly modified chapters:
Chapter 2 Developments in Corporate Governance in the UK
Chapter 3 Developments in Corporate Governance in the US
Chapter 9 Risk Identification – Stage 2
Chapter 25 Market Risk
Chapter 26 Social Risk
New appendices:
Appendix 15 Value at Risk, Recommended Reading
Appendix 16 Optimism Bias, Method of Calculation
Reordering of chapters:
Part II, covering the appointment of consultants, has been moved to the end of the book as Part V (Chapters 27–30).
AUDIENCE
Like the first edition, this book is written for a number of audiences: competent practitioners who may be looking to broaden their approach; board members; non-executive directors who want to become more familiar with the processes and concepts of ERM; company risk directors; members of the Institute and Faculty of Actuaries [2] and the Institute of Risk Management [3]; project risk management practitioners wishing to extend their skills; business analysts; change agents; lecturers; and graduate and undergraduate students. Different parts of the book are aimed at different audiences, as described below.
BOOK OVERVIEW
The book is composed of five parts. The target audience is different for each part.
Part I, “Enterprise Risk Management in Context”, sets out the impetus behind ERM and describes corporate governance in the UK and overseas. It provides a detailed description of the global financial crisis of 2007–2009, the effects of which are still very evident in 2011 in Europe, North America and elsewhere. It explains the relationship between corporate governance, internal control and risk management, and reviews the development of risk management in the private sector. It is aimed at all audiences to set the scene and is particularly focused towards the chief executive, non-executive directors and the board in general.
Part II, “The Risk Management Process”, is composed of seven chapters, each of which describes a stage within the overall risk management process. The process stages are based on the stages described within ISO 31000, published in 2009 by the International Organization for Standardization. Part II explains the activities to perform risk management using a standard process definition notation. Process goals, inputs, outputs, mechanisms and controls are fully explained for each stage. Simple tools and techniques are described to accomplish the individual stages. This part is specifically aimed at risk practitioners, chief risk officers, audit committees and business risk managers.
Part III, “Internal Influences – Micro Factors”, describes the five sources of risk considered to be controllable (to a degree) by businesses, labelled in this text as financial, operational, technological, project and business ethics. This part is aimed at the audit committee, business risk managers, department heads and risk management practitioners.
Part IV, “External Influences – Macro Factors”, describes the six sources of risk considered to be uncontrollable by businesses labelled in this text as economic, environmental, legal, political, market and social. This part is aimed at all audiences, from the chief executive through to the student. These chapters describe the complex world we live in, its changing nature, and those aspects of the environment, in its fullest sense, that may pose threats and upside opportunities to business performance. It is aimed at all those wishing to understand the external influences on businesses today.
Part V, “The Appointment”, is composed of four chapters. Chapter describes a consultant selection process on behalf of clients who want to go through a formal auditable process where price is of particular importance. Chapters 28, 29 and 30 describe, from a consultant's perspective, the interview process with a prospective sponsor, the preparation of a proposal and implementation of an assignment post-appointment, respectively. Hence Part V is largely for the benefit of risk practitioners.
HOW TO READ THIS BOOK
Time is precious. How much time do we ever have in any one day to reflect on how we do things and whether there is a better approach? Time between deadlines is commonly short, offering limited opportunity for quiet reflection. Hence this book is purposefully written in such a way that it is hoped that readers can quickly find and focus on the subjects that interest them, rather than having to carry out an extensive search for the instructive guidance they seek. The appropriate approach to reading this book will depend on your exposure to and experience of risk management and where your specific interests lie.
[1] Taleb, N. N. (2010) The Black Swan: The impact of the highly improbable, Penguin Books, London.
[2] The Institute and Faculty of Actuaries (the merged body formed in 2010 from the Institute of Actuaries and the Faculty of Actuaries) is the professional body representing actuaries in the United Kingdom. In March 2008, ERM was adopted as one of the six actuarial practice areas, reflecting increased recognition of its importance. A regular newsletter communicates the ongoing work that the profession performs in respect of ERM.
[3] The Institute of Risk Management supported the development of ISO 31000, an international standard for risk management (published 13 November 2009), together with the accompanying standard ISO 31010 – Risk Assessment Techniques, which followed it, and the updated Risk Management Vocabulary, ISO Guide 73.
Acknowledgements
FIRST EDITION
In writing this book I owe a debt of gratitude to work colleagues past and present. In particular my thanks go to Peter Doig, Claire Love and Chris Johnson-Newell. My thanks go to Professor Chris Chapman of Southampton University and Dr David Hillson, for their comments and advice. I am grateful to Rachael Wilkie and Chris Swain of John Wiley and Sons Limited, who supported this project. I thank The Financial Times Limited, BBC NewsOnline, The Observer, Pearson Education Limited and the Financial Services Agency (FSA), for permission to include extracts from their publications/articles. At the request of the Financial Services Agency (FSA), I advise “use of FSA material does not indicate any endorsement by the FSA of this publication, or the material or views contained within it”.
SECOND EDITION
I thank the Chartered Institute of Management Accountants (CIMA), Commonwealth of Australia (Department of the Prime Minister and Cabinet), Financial Services Agency (FSA), Bank of England, HM Treasury, US Federal Reserve, House of Commons, National Audit Office, Home Office, Telegraph Media Group and the UK Institute of Directors for their kind permission to include extracts from their speeches, publications, articles, papers and reports. At the request of the Financial Services Agency, I advise that “use of FSA material does not indicate any endorsement by the FSA of this publication, or the material or views contained within it”. In addition at the request of the National Audit Office I advise that “use within this text of National Audit Office (NAO) material does not indicate any endorsement by the NAO of this publication, or the material or views contained within it”. In addition, I owe a debt of gratitude to my work colleague Chris Newman for his contribution to the chapter on health and safety.
About the Author
Robert Chapman is currently the Director of Risk Management in the Middle East for AECOM, a publicly traded company on the New York Stock Exchange and listed by Fortune 500 as one of America's largest companies. Prior to this appointment he was a Director of Risk Management at Hornagold & Hills, Capro Consulting and Osprey Project Management and the Programme Lead for risk management on the HMG joint venture in South Africa, supporting the Parastatal Transnet. He has provided risk management services in Holland, Ireland, South Africa, Qatar, England and the UAE to companies within the pharmaceutical, aviation, marine, rail, broadcast, heritage, water, sport, oil and gas, property development, construction and transportation industries as well as to local authorities in the public sector. Dr Chapman has had articles published by Enterprise Risk (South Africa), ExtraProtect (translated into French and German), IT Adviser, Yorkshire Post, Strategic Risk, PLC Strategies, Project, the Architects’ Journal and PropertyWeek and refereed papers published by the Journal of International Project Management and Construction Management & Economics. He was made a Fellow of both the Institute of Risk Management (UK) and the Association for Project Management (UK) for his contribution to the development of the discipline of risk management. Dr Chapman has been recognised by both Transnet in South Africa and the Association for Project Management in the UK as having exceptional risk management skills. He was awarded a PhD in risk management from Reading University in 1998 for research into the impact of changes in personnel on the delivery of objectives for investment projects. Additionally he has completed research on the subject of risk management on behalf of the Architects Registration Council of the United Kingdom (ARCUK).
His book entitled Retaining Design Team Members, a Risk Management Approach was published by RIBA Enterprises Ltd, London, in 2002 and examines the causes behind employee turnover, the impact it can have and the risk mitigation actions that can be implemented to reduce the likelihood of occurrence. Dr Chapman was a contributory author of the Office of Government Commerce's 2007 publication Management of Risk, Guidance for Practitioners, which supports the Prince2 project management methodology. Subsequent to passing the Management of Risk Practitioner exam he became an accredited M_o_R® (Management of Risk) trainer, providing risk management training to a number of diverse companies. Prior to its publication he reviewed and commented upon international risk management standard ISO 31000 on behalf of the British Standards Institute. In addition, he has provided IT risk management guidance to the Chartered Institute of Accountants England and Wales in the form of a risk management handbook.
Part I
Enterprise Risk Management in Context
1
Introduction
A pessimist sees the difficulty in every opportunity; an optimist sees the opportunity in every difficulty.
(Winston Churchill)
Risk management has taken centre stage. It is now the most compelling business issue of our time. Shareholders have repeatedly suffered from erratic business performance. Recent history has shown that risk exposure has not been fully understood and risk management practice has been inadequate. Looking back, while economists have cited many reasons for the Asian financial crisis of 1997–1998, clearly foreign exchange risk was a major contributor. After the New York World Trade Center and Pentagon terrorist attack on 11 September 2001, enterprise risk management was found to be wanting. Business continuity planning had been inadequate. In particular, it was found that greater emphasis needed to be placed on IT disaster recovery, human resource management and communication. After the bankruptcies of Enron in December 2001 and WorldCom in July 2002, inadequate corporate governance and the “soft underbelly” of risk management were exposed, arising primarily from the lack of integrity of financial reporting, a lack of compliance with regulations and operational failures. In late August 2005 Hurricane Katrina struck, reportedly the costliest natural disaster in US history. Oil production, importation and refining were interrupted.1 Businesses were suddenly exposed to a surge in energy prices, continuity failures and shipping disruption. Costs of production rose and sales fell. More recently, failure to properly understand and manage risk has been cited as the root cause for the global financial crisis of 2007–2010. So severe was this financial tsunami that many economists have described it as the worst financial disaster since the Great Depression of the 1930s. Boards in the financial sector were accused of being greedy, reckless2 and dysfunctional and in some cases “sheep”, falling into the trap of “group think” due to an apparent absence of independent thinking. In addition, there had been a lack of appreciation of risk at both a business and a macro or industry level. 
Systemic risk in the financial industry had not been recognised, understood or addressed. Regulators on both sides of the Atlantic and the banks themselves failed to recognise the interconnectedness of banks and the potential domino effect of bank failure. If the financial crisis was not excitement enough, the media have had a field day with a number of high-profile and very damaging business ethics failures relating to bribery, insider trading, invasion of privacy and sexual harassment.
1.1 RISK DIVERSITY
Providing strategic direction for a business means understanding what drives the creation of value and what destroys it. This in turn means that the pursuit of opportunities must entail comprehension of the risks to take and the risks to avoid. Hence, to grow any business entails risk judgement and risk acceptance. A business's ability to prosper in the face of risk, at the same time as responding to unplanned events, good or bad, is a prime indicator of its ability to compete. However, risk exposure continues to grow greater, more complex, diverse and dynamic. This has arisen in no small part from rapid changes in the globalisation of business, speed of communication, the rate of change within markets and technology. Businesses now operate in an entirely different environment compared with just three years ago. Recent experience has shown that as businesses strive for growth, internal risks generated by a business itself can be as large as (or greater than) external risks. The adoption of expansion strategies, such as investment in emerging markets, developing significant new products, acquisition, major organisational restructuring, outsourcing key processes and major capital investment projects can all increase a business's risk exposure.3
A review of risk management practices in 14 large global corporations revealed that by the end of the 1990s the range of risks that companies felt they needed to manage had vastly expanded, and was continuing to grow in number (Hunt 2001). There are widespread concerns over e-commerce, which has become accepted and embedded in society with startling speed. According to the Economist Intelligence Unit (2001):
Many companies perceive a rise in the number and severity of the risks they face. Some industries confront unfamiliar risks stemming from deregulation. Others worry about increasing dependence on business-to-business information systems and just-in-time supply/inventory systems. And everyone is concerned about emerging risks of e-business – from online security to customer privacy.
As a consequence of the diversity of risk, risk management requires a broader approach. This sentiment was echoed by Rod Eddington, former chief executive officer (CEO) of British Airways, who remarked that businesses now require a broader perspective of risk management. He went on to say that:
If you talked to people in the airline industry in the recent past, they very quickly got on to operational risk. Of course, today we think of risk as the whole of business. We think about risk across the full spectrum of the things we do, not just operational things. We think of risk in the context of business risks, whether they are risks around the systems we use, whether they are risks around fuel hedging, whether they're risks around customer service values. If you ask any senior airline person today about risk, I would hope they would move to risk in the true, broader sense of the term. (McCarthy and Flynn 2004)
All stakeholders and regulators are pressing boards of directors to manage risk more comprehensively, rigorously and systematically. Companies that treat risk management as just a compliance issue expose themselves to nursing a damaged balance sheet.
1.2 APPROACH TO RISK MANAGEMENT
The evolving nature of risk and expectations about its management have now put pressure on previous working practices. Historically, within both private and public organisations, risk management has traditionally been segmented and carried out in “silos”. This has arisen for a number of reasons such as the way our mind works in problem solving, the structure of business organisations and the evolution of risk management practice. There is clearly the tendency to want to compartmentalise risks into distinct, mutually exclusive categories, and this would appear to be a result of the way we subdivide problems to manage them, the need to allocate tasks within an existing organisational structure and the underlying assumption that the consequences of an unforeseen event will more or less be confined to one given area. In actuality, the fallout from unforeseen events tends to affect multiple business areas, and the interrelationships between risks under the categories of operational, financial and technical risk have been overlooked, often with adverse outcomes. Patricia Dunn, former CEO of Barclays Global Investors and former non-executive chairwoman of the board of Hewlett-Packard (HP),4 has previously identified a failing in approach:
I think what Boards tend to miss and what management tends to overlook is the need to address risk holistically. They overlook the areas that connect the dots because risk is defined so “atomistically” and we don't have the perspective and the instrument panel that allows us to see risk in a 360 degree way. (McCarthy and Flynn 2004)
Enterprise risk management (ERM) is a response to the sense of inadequacy in using a silo-based approach to manage increasingly interdependent risks. The discipline of ERM, sometimes referred to as strategic business risk management, is seen as a more robust method of managing risk and opportunity and an answer to these business pressures. ERM is designed to improve business performance. While not in its infancy, it is a slowly maturing approach, where risks are managed in a coordinated and integrated way across an entire business. The approach is less to do with any bold breakthrough in thinking, and more to do with the maturing, continuing growth and evolution of the profession of risk management and its application in a structured and disciplined way (McCarthy and Flynn 2004). ERM is about understanding the interdependencies between the risks, how the materialisation of a risk in one business area may increase the impact of risks in another business area. In consequence, it is also about how risk mitigation action can address multiple risks spanning multiple business sectors. It is the illustration of this integrated approach which is the focus of this book.
1.3 BUSINESS GROWTH THROUGH RISK TAKING
Risk is inescapable in business activity. As Peter Drucker explained as far back as the 1970s, economic activity by definition commits present resources to an uncertain future. The one thing that is certain about the future is its uncertainty, its risks. Hence, to take risks is the essence of economic activity. He considers that history has shown that businesses yield greater economic performance only through greater uncertainty – or in other words, through greater risk taking (Drucker 1979).
Nearly all operational tasks and processes are now viewed through the prism of risk (Hunt 2001). Indeed, the term “risk” has become shorthand for any corporate activity. It is thought not possible to “create a business that doesn't take risks” (Boulton et al. 2000). The end result of successful strategic direction setting must be capacity to take a greater risk, for this is the only way to improve entrepreneurial performance. However, to extend this capacity, businesses must understand the risks that they take. While in many instances it is futile to try to eliminate risk, and commonly only possible to reduce it, it is essential that the risks taken are the right risks. Businesses must be able to choose rationally among risk-taking courses of action, rather than plunge into uncertainty, on the basis of a hunch, gut feeling, hearsay or experience, no matter how carefully quantified. Quite apart from the arguments for risk management being a good thing in its own right, it is becoming increasingly rare to find an organisation of any size whose stakeholders are not demanding that its management exhibit risk management awareness. This is now a firmly held view supported by the findings of the Economist Intelligence Unit's enterprise risk management survey, referred to earlier. It discovered that 84% of the executives who responded considered that ERM could improve their price/earnings ratio and cost of capital. Organisations that are more risk conscious have for a long time known that actively managing risk and opportunity provides them with a decisive competitive advantage. Taking and managing risk is the essence of business survival and growth.
1.4 RISK AND OPPORTUNITY
There should not be a preoccupation with downside risk. Risk management of both upside risks (opportunities) and downside risks (threats) is at the heart of business growth and wealth creation. Once a board has determined its vision, mission and values, it must set its corporate strategy, its method of delivering the business's vision. Strategy setting is about strategic thinking. Setting the strategy is about directing, showing the way ahead and giving leadership. It is being thoughtful and reflective. Whatever this strategy is, however, the board must decide what opportunities, present and future, it wants to pursue and what risks it is willing to take in developing the opportunities selected. Hence the discipline of risk management should support both the selection and setting of the strategy. However, risk and opportunity management must receive equal attention and it is important for boards to choose the right balance. This is succinctly expressed by the National Audit Office: “a business risk management approach offers the possibility for striking a judicious and systematically argued balance between risk and opportunity in the form of the contradictory pressures for greater entrepreneurialism on the one hand and limitation of downside risks on the other” (National Audit Office 2000). An overemphasis on downside risks and their management can be harmful to any business.
Knight and Petty (2001) stress that risk management is about seeking out the upside risks or opportunities, that getting rid of risk stifles the source of value creation and upside potential. Any behaviour that attempts to escape risk altogether will lead to the least rational decision of all, doing nothing. While risks are important, as all businesses face risk from inception, they are not grounds for inaction but restraints on action. Hence risk management is about controlling risk as far as possible to enable a business to maximise its opportunities. Development of a risk policy should be a creative initiative, exposing exciting opportunities for value growth and innovative handling of risk, not a depressing task, full of reticence, warning and pessimism (Knight and Petty 2001). ERM, then, is about managing both opportunities and risks.
1.5 THE ROLE OF THE BOARD
Even before the global financial crisis, George “Jay” Keyworth, former member of Hewlett-Packard's board, stated that the most important lesson of the last few years is that board members can no longer claim impunity from a lack of knowledge about business risk. The message here is that when something goes wrong, as inevitably it does, board members will be held accountable. The solution is for board members to learn of the potential for adverse events and be sufficiently aware of the sources of risk within the area of business that they are operating in, to be afforded the opportunity to take pre-emptive action (McCarthy and Flynn 2004). The business of risk management is undergoing a fundamental sea change with the discipline of risk management converging at the top of the organisation and being more openly discussed in the same breath as strategy and protection of shareholders. Greater risk taking requires more control. Risk control is viewed as essential to maintaining stability and continuity in the running of businesses. However, in the aftermath of a series of unexpected risk management failures leading to company collapses and other corporate scandals in the UK, investors have expressed concerns about the low level of confidence in financial reporting, board oversight of corporate operations, the safeguards provided by external auditors and the degree of risk management control. These early concerns led to a cry for greater corporate governance, which led to a series of reports on governance and internal control culminating in the Combined Code of Corporate Governance (2003). The incremental development of corporate governance leading up to and beyond the 2003 Code is discussed in Chapter 2. Clearly risk exposure has been growing in an increasingly chaotic and turbulent world, and time has shown that this turbulence has not abated.
Responsibility for risk management control resides with the board. In 1995, in response to bad press about boards’ poor performance and the lack of adequate corporate governance, the Institute of Directors (IoD) published Standards for the Board. It proved to be a catalyst for debate on the roles and tasks of a board and on the need to link training and assessed competence with membership of directors’ professional bodies. The publication laid out four main objectives for directors. Within the IoD's 2010 factsheet entitled The role of the board, apart from one of the objectives being split into two, these objectives remain virtually unchanged as follows:
1. The board must simultaneously be entrepreneurial and drive the business forward while keeping it under prudent control.
2. The board is required to be sufficiently knowledgeable about the workings of the company and answerable for its actions, yet able to stand back from the day-to-day management of the company and retain an objective, longer-term view.
3. The board must be sensitive to the pressure of short-term issues and yet take account of broader, long-term trends.
4. The board must be knowledgeable about “local” issues and yet be aware of potential or actual wider competitive influences.
5. The board is expected to be focused on the commercial needs of the business, while acting responsibly towards its employees, business partners and society as a whole.
The task for boards of course is to ensure the effectiveness of their risk model. With this in mind, here are some action items for the strategic risk management agenda for boards and CEOs to consider:5
Appoint a C-level risk leader empowered not only with the responsibility, but also with the authority to act on all risk management matters.
Ensure that this leader is independent and can work objectively with the company's external advisers (external audit, legal, etc.) and the governing decision maker and oversight function (the CEO and board).
Be satisfied as to the adequacy of the depth of current risk analysis actions, from an identification, assessment and mitigation standpoint.
Be confident that the risk management information that board members receive is accurate, timely, clear and relevant.
Actively require and participate in regular dialogue with key stakeholders to understand if their objectives have been captured, debated and aligned, are being met and whether stakeholders may derail current initiatives.
Strive to build a culture where risk management and strategic planning are intertwined.
Ensure that risk management remains focused on the most serious issues.
Ensure that risk management is embedded throughout the organisation.
As illustrated in Figure 1.1, risk and opportunity impinge on the four main functions of boards: policy formulation, strategic thinking, supervisory management and accountability. Policy formulation involves setting the culture for the organisation, which should include risk management. Strategic thinking entails selecting markets to pursue and committing resources to those markets on the strength of the risk profile prepared. Supervisory management requires businesses to put in place oversight management and governance processes, including formal risk management. Accountability relates to ensuring that risk mitigation actions have clear owners who are charged with implementing pre-agreed actions to address the risks identified, report changes in risk profiles and engage in ongoing risk management.
Figure 1.1 The role of the board and the integration of risk management (Garratt 2003). Reproduced with permission from The Fish Rots from the Head, B. Garratt, Profile Books Ltd.
1.6 PRIMARY BUSINESS OBJECTIVE (OR GOAL)
The primary objective of a business is to maximise the wealth of its shareholders (owners). In a market economy, the shareholders will provide funds to a business in the expectation that they will receive the maximum possible increase in wealth for the level of risk which must be faced. When evaluating competing investment opportunities, therefore, the shareholders will weigh the returns from each investment against the potential risks involved. The use of the term “wealth” here refers to the market value of the ordinary shares. The market value of the shares will in turn reflect the future returns the shareholders will expect to receive over time from the shares and the level of risk involved. Shareholders are typically not concerned with returns over the short term, but are concerned with achieving the highest possible returns over the long term. Profit maximisation is often suggested as an alternative objective for a business. Profit maximisation is different from wealth maximisation. Profit maximisation is usually seen as a short-term objective, whereas wealth maximisation is a long-term objective. Wealth maximisation takes account of risks to long-term growth, whereas profit maximisation does not.
1.7 WHAT IS ENTERPRISE RISK MANAGEMENT?
ERM has to satisfy a series of parameters. It must be embedded in a business's system of internal control, while at the same time it must respect, reflect and respond to the other internal controls. ERM is about protecting and enhancing share value to satisfy the primary business objective of shareholder wealth maximisation. It must be multifaceted, addressing all aspects of the business plan from the strategic plan through to the business controls:
strategic plan
marketing plan
operations plan
research and development
management and organisation
forecasts and financial data
financing
risk management processes
business controls
Enterprises operating in today's environment are characterised by constant change and require a more integrated approach to manage their risk exposure. This has not always been the case, with risks being managed in “silos”. Economic, legal, commercial and personnel risks were treated separately and often addressed by different individuals within a company without any cross-referencing of the risks or an understanding of the impact of management actions adopted for one subject group on another subject group. Risks are, by their very nature, dynamic, fluid and highly interdependent. As such they cannot be evaluated or managed independently.
Largely reflecting the COSO (2004) definition, ERM may be defined as:
A systematic process embedded in a company's system of internal control (spanning all business activity), to satisfy policies effected by its board of directors, aimed at fulfilling its business objectives and safeguarding both the shareholder's investment and the company's assets. The purpose of this process is to manage and effectively control risk appropriately (without stifling entrepreneurial endeavour) within the company's overall risk appetite. The process reflects the nature of risk, which does not respect artificial departmental boundaries and manages the interdependencies between the risks. Additionally the process is accomplished through regular reviews, which are modified when necessary to reflect the continually evolving business environment.
Hence, in summary, ERM may be defined as “a comprehensive and integrated framework for managing company-wide risk in order to maximise a company's value”.
1.8 BENEFITS OF ENTERPRISE RISK MANAGEMENT
No risk management process can create a risk-free environment. Rather, ERM enables management to operate more effectively in a business environment where an organisation's risk exposure profile is never static. Enterprise risk management provides enhanced capability to:
Increase the likelihood of a business realising its objectives. ERM will equip organisations with techniques to identify, record and assess the opportunities they seek to proactively pursue and exploit. At the same time it will support the identification and conscious management of the risks associated with selected opportunities to ensure that bottom-line performance is enhanced rather than eroded. In this way it will enable organisations to mature and realise their stated objectives.
Build confidence in stakeholders and the investment community. As a result of the global financial crisis, institutional investors, rating agencies and regulators are more focused on and more eager to learn about an organisation's capabilities for understanding and managing risk. Investors in particular will wish to understand the degree of risk their investments will be exposed to and whether the returns will be adequate. Board members and managers may be called upon to explain the framework, policy and process they have in place for managing risk. ERM provides the rigour to establish, describe and demonstrate proactive risk management.
Comply with relevant legal and regulatory requirements. ERM, through establishing (and subsequently monitoring) a risk management framework, requires an organisation to understand, record (and keep up to date) the business context including, but not limited to, the legal and regulatory requirements it has to comply with and, where appropriate, the implications of not doing so.
Align risk appetite and strategy. Risk appetite is the degree of risk, on a broad-based level, that a business is willing to accept in pursuit of its objectives. ERM supports management's consideration of a business's risk appetite first in evaluating strategic alternatives, then in setting boundaries for downside risk.
Improve organisational resilience. As the business environment continues to change and the pace of change accelerates, resilience is critical to business longevity. Organisational resilience is sometimes considered as the degree of flexibility (or capacity) of an organisation's culture to recover from and respond to change. ERM will support an organisation in understanding potential change and preparing for it through risk response planning or in deciding to be the change catalyst through opportunity exploitation.
Enhance corporate governance. ERM and corporate governance augment each other. ERM strengthens governance through challenging potential excessive risk taking, as occurred in the global financial crisis, encouraging board-level engagement in the high-level risk process and improving decision making on risk appetite and tolerance.
Embed the risk process throughout the organisation. ERM, through the creation of a framework, policy, process, plans and training, can embed risk management throughout the organisation from the board down to all elements of the organisational structure, as risk exposure can emanate from any corner of the organisation (e.g. from a breach of ethics at board level to a breach of environmental legislation by production).
Minimise operational surprises and losses. ERM supports businesses to enhance their capability to identify potential risk events, assess risks and establish responses, and thereby to reduce the occurrence of unpleasant surprises and associated costs or losses.
Enhance risk response decisions. ERM provides the rigour to identify and select among alternative risk responses – risk removal, reduction, transfer or retention.
Optimise allocation of resources. A clear understanding of the risks facing a business can enhance the effective direction and use of management time and the business's resources to manage risk.
Identify and manage cross-enterprise risks. Every business faces a myriad of risks affecting different parts of the organisation. The benefits of enterprise risk management are only optimised when an enterprise-wide approach is adopted, integrating the disparate approaches to risk management within a company. Integration has to be effected in three ways: centralised risk reporting, the integration of risk transfer strategies and the integration of risk management into the business processes of a business. Rather than being purely a defensive mechanism, it can be used as a tool to maximise opportunities.
Link growth, risk and return. Businesses accept risk as part of wealth creation and preservation and they expect returns commensurate with risk. ERM provides an enhanced ability to identify and assess risks and establish acceptable levels of risk relative to potential growth and achievement of objectives.
Rationalise capital. More robust information on risk exposure allows management to more effectively assess overall capital needs and improve capital allocation.
Seize opportunities. The very process of identifying risks can stimulate thinking and generate opportunities as well as threats. Responses need to be developed to seize these opportunities in the same way that responses are required to address identified threats to a business.
Improve organisational learning. ERM can enhance organisational learning through the use of lessons learnt prior to embarking on new change projects and the maintenance of records of successful risk treatment plans that effectively removed risks prior to realisation.
There are three major benefits of ERM: improved business performance, increased organisational effectiveness and better risk reporting.
1.9 STRUCTURE
A structure for understanding ERM is included in Figure 1.2 and is composed of seven elements:
1. Corporate governance is required to ensure that the board of directors and management have established the appropriate organisational processes and corporate controls to measure and manage risk across the business.
2. The creation and maintenance of a sound system of internal control is required to safeguard shareholders’ investment and the business's assets.
3. A specific resource must be identified to implement the internal controls with sufficient knowledge and experience to derive the maximum benefit from the process.
4. A risk management framework is required that will provide the foundations and arrangements for embedding risk management throughout the organisation at all levels.
5. A policy should be prepared describing the importance of risk management to the achievement of the organisation's corporate goals.
6. A clear risk management process is required which sets out the individual processes, their inputs, outputs, constraints and enablers.
7. The value of a risk management process is reduced without a clear understanding of the sources of risk and how they should be responded to. The framework breaks the source of risk down into two key elements labelled internal processes and the business operating environment.
Figure 1.2 ERM structure
1.9.1 Corporate Governance
Examination of recent developments in corporate governance reveals that they form catalysts for and contribute to the current pressures on ERM. It explains the expectations that shareholders have of boards of directors. It explains the approaches companies have adopted to risk management and the extent of disclosure of risk management practice. Corporate governance now forms an essential component of ERM because it provides the top-down monitoring and management of risk management. It places responsibility on the board for ensuring that appropriate systems and policies for risk management are in place. Good board practices and corporate governance are crucial for effective ERM. The section that follows addresses internal control, which is a subset of corporate governance (and risk management is a subset of internal control).
1.9.2 Internal Control
Examination of internal controls provides an understanding of what should be controlled and how. There is more of a focus on formal approaches. Internal controls are a subset of corporate governance. Risk management is a subset of internal controls. Risk management is aimed at facilitating the effective and efficient operation of a business, improving internal and external reporting and assisting with compliance with laws and regulations. The aim is to accomplish this through the identification and assessment of risks facing the business and responding to them by either removing or reducing them or, where it is economic to do so, transferring them to a third party.
1.9.3 Implementation
Implementation of risk management (forming part of a business's internal control processes) can be resourced from within a business or be supported by external consultants. Both are clearly acceptable approaches. Whichever route is selected, the parameters of any planned actions have to be mapped, communicated and agreed so that the timeframe, resources, costs, inputs and deliverables are understood.
1.9.4 Risk Management Framework
The purpose of the risk management framework is to assist an organisation in integrating risk management into its management processes so that it becomes a routine activity. The framework is aimed at ensuring that information about risk derived from the risk management process is adequately reported and is used as a basis for informed decision making. The framework is composed of five steps: mandate and commitment, design framework, implement framework, monitor framework and improve framework, as illustrated in Figure 1.2.
