Paul Hopkin. Fundamentals of Risk Management

Подождите немного. Документ загружается.

114 Risk strategy

Table 12.2 Risk management information system (RMIS)

The following types of information may be handled, stored, managed,

distributed and communicated using a risk management information system

(RMIS):

Risk management policy and protocols

•

Risk proﬁ le data, values and information •

Emergency contact arrangements and contact details •

Insurance values and cost of risk data •

Insurance claims handling and management protocols •

Historical loss/claims experience/information •

Insurance policy coverage and other information •

Risk management action plans (risk register) •

Risk improvement plans and implementation •

Business continuity plans and responsibilities •

Disaster recovery plans and responsibilities •

Corporate governance arrangements and reports •

It is generally accepted that the application of a RMIS software tool to an enterprise risk man-

agement (ERM) initiative can be very helpful. However, the disadvantage that is often encoun-

tered is that entering a substantial amount of risk data onto a computer database can be very

time consuming. However, the beneﬁ ts of having the data available for detailed analysis can

make the effort worthwhile.

Risk information needs to be shared throughout an organization to enhance risk awareness

and ensure improved risk performance. It is almost always the case that individuals within an

organization will have the best understanding of the risks, as well as detailed practical knowl-

edge of the actions that should be taken to mitigate risk events. Communication is also impor-

tant to share information about incidents that have occurred, including lessons that were

learnt and the actions that were taken to ensure that the event is not repeated.

An analysis of the advantages and disadvantages of RMIS are set out in the box below. In

general, RMIS become more valuable when the risks are complex or the amount of data that

needs to be recorded is substantial.

Risk training and communication 115

Risk management information system (RMIS)

Without more advanced RMIS technology, risk managers are limited to recording the

exposure data and loss experience of the company relevant to the ERM initiative, using

techniques like modelling and Monte Carlo simulations.

It is possible that the cost of developing a robust, ERM-supportive RMIS will exceed

the beneﬁ ts. The costs are immediate and tangible; the beneﬁ t is difﬁ cult to estimate or

demonstrate. Risk managers already struggle with how to explain the value of a loss

that is prevented or ﬁ nanced. Even if the risk reduction is signiﬁ cant, it is a potential

future beneﬁ t, not an assured, immediate expense reduction.

Whether the risk assessments from RMIS are likely to lead to enough marginal beneﬁ ts

to offset the cost of data tracking and analysis depends on the risk proﬁ le of the

company. Large ﬁ rms stand to gain the most from RMIS, but as the cost of the

computing tools needed to collect data and perform the sophisticated modelling

continue to decrease, the beneﬁ ts grow for all organizations.

Ultimately, RMIS may pay for itself by enabling an organization to avoid or effectively

ﬁ nance that one catastrophic loss that would otherwise slash the ﬁ nancial results of the

company.

Consistent response to risk

One of the main reasons for communicating risk information and providing risk training is to

ensure that a consistent response to similar risk events is always achieved. This can only be

ensured by sharing information and experience. A consistent response is required in relation

to hazard, control and opportunity risks. When an organization has an intranet, this is an ideal

way of achieving a consistent response to risk by ensuring that appropriate information is

readily available.

As well as a consistent response to individual risks, consistent risk protocols also need to be

deﬁ ned and communicated. Part of ensuring a consistent response to risk is to identify risks in

advance and conﬁ rm the controls that will be in place for them. This approach is relevant to

strategic, project and operational risks, and training and communication protocols should be

introduced to increase the consistency of response to risk across the organization.

It should be a requirement of every organization that a risk assessment is attached to each

capital expenditure request. This risk assessment should include both the risks that the project

is seeking to manage and the risks within the project itself. The risks within the project may

affect the ability to deliver the project on time, within budget and to speciﬁ cation.

116 Risk strategy

Risk assessment attached to strategic analysis is also a vitally important issue and is part of

ensuring a consistent response to risk. Production of an ‘issues manual’ as a means of com-

municating risk across the organization and ensuring a consistent response to risks may also

be valuable. The issues manual will identify risks, circumstances and other events where a

response is required. The provision of adequate information, supervision and training will

ensure that consistent and appropriate risk management procedures are more likely to be

followed.

Case study

Tesco – risk management responsibilities

Accepting that risk is an inherent part of doing business, our risk management systems are

designed both to encourage entrepreneurial spirit and also provide assurance that risk is fully

understood and managed. The Board has overall responsibility for risk management and

internal control within the context of achieving the Group’s objectives. Executive manage-

ment is responsible for implementing and maintaining the necessary control systems. The role

of Internal Audit is to monitor the overall internal control systems and report on their effec-

tiveness to Executive management, as well as to the Audit Committee.

Key to delivering effective risk management is ensuring our people have a good understanding

of the Group’s strategy and our policies, procedures, values and expected performance. We

have a structured internal communications programme that provides employees with a clear

deﬁ nition of the Group’s purpose and goals, accountabilities and the scope of permitted activ-

ities for each business unit, as well as individual line managers and other employees.

We operate a balanced scorecard approach that is known within the Group as our Steering

Wheel. This unites the Group’s resources around our customers, people, operations, commu-

nity and ﬁ nance. The scorecard operates at every level within the Group, from ground level

business units, through to country level operations. It enables the business to be operated and

monitored on a balanced basis with due regard for all stakeholders.

The Group maintains a Key Risk Register. The Register contains the key risks faced by the

Group including their impact and likelihood as well as the controls and procedures imple-

mented to mitigate these risks. The content of the Register is determined through regular dis-

cussions with senior management and review by the Executive Committee and the full

Board.

The risk management process is cascaded through the Group with every international CEO

and local Boards maintaining their own risk registers and assessing their control systems.

117

118 Risk strategy

The same process also applies functionally in those parts of the Group requiring greater

overview. For example, the Audit Committee’s Terms of Reference require it to oversee the

Finance Risk Register. We also have a Corporate Responsibility Risk Register which speciﬁ -

cally considers Social, Ethical and Environmental (SEE) risks. Oversight of these risks is the

responsibility of the Corporate Responsibility Committee.

Annual Report and Financial Statements 2009

Part 3

Risk assessment

Learning outcomes for Part 3

describe the importance of risk assessment as a critically important stage in the risk •

management process;

outline the range of risk assessment techniques that are available and the advantages/ •

disadvantages of each technique;

describe the importance of risk classiﬁ cation systems and describe the key features of •

the best-established systems;

provide examples of the use of a risk matrix, including using it to indicate the domi- •

nant risk response in each quadrant;

use a risk matrix to indicate the risk appetite of an organization and whether the organ- •

ization is risk averse or risk aggressive;

describe the main components of loss control as loss prevention, damage limitation •

and cost containment and provide practical examples;

demonstrate the use of loss-control actions to reduce the impact of an event that has a •

large magnitude before mitigation;

119

120 Risk assessment

outline the alternative approaches to deﬁ ning upside of risk and the practical applica- •

tion of these approaches for strategy, projects and operations;

outline the importance of business continuity planning and disaster recovery planning •

and provide practical examples;

describe the approach taken during a business impact analysis and how the analysis •

supports business continuity planning;

describe the key features of a business continuity plan, as set out in established business •

continuity standards, such as BS 25999.

Part 3 Further reading

British Standard BS 25999–1 (2006) Business continuity management Code of practice,

www.standardsuk.com.

HM Treasury (2004) Orange Book: Management of risk – principles and concepts, www.hm-treasury.gov.uk.

International Standard IEC/FDIS 31010 (2009) Risk Management – Risk assessment techniques,

www.iso.org.

Management Consultancies Association (2007) The upside of risk, www.mca.org.uk.

United States Government (2004) Every business should have a plan, www.ready.gov.

Risk assessment considerations

Importance of risk assessment

Risk recognition and risk rating together form the risk assessment component of the risk man-

agement process. Risk assessment involves the recognition of risks and the rating of them to

determine the signiﬁ cant risks facing the organization, project or strategy. It is deﬁ ned in

British Standard BS 31100 as the overall process of risk identiﬁ cation, risk analysis and risk

evaluation. Because the risk management input into strategy focuses on improved decision

making, risk assessment is the main risk management input into strategy formulation.

Risks may be attached to corporate objectives, stakeholder expectations, core processes and

key dependencies. Whichever of these features is selected as the starting point, risk assessment

can be undertaken. The purpose of risk assessment is to identify the signiﬁ cant risks that could

impact the selected feature.

Although risk assessment is vitally important, it is only useful if the conclusions of the assess-

ment are used to inform decisions and/or to identify the appropriate risk responses for the

type of risk under consideration. It should be considered as the starting point of the risk man-

agement process and it is certainly not an end in itself.

An important feature of undertaking a risk assessment is to decide whether the identiﬁ ed risk

is going to be evaluated at the inherent level or at the current (or residual) level. Assessment of

inherent risk is undertaken without taking account of the controls that are currently in place.

This is the approach recommended by internal auditors, and ISO 31000 states that risk assess-

ment should be undertaken at inherent and at residual level.

The beneﬁ t of undertaking assessment of inherent risk is that the difference between the

current level and the inherent level can be identiﬁ ed. This will give an indication of the impor-

tance of the existing control measures and information is used by internal auditors to help

identify critical controls and set audit priorities. Although this may be a useful approach, there

can be considerable difﬁ culties in identifying the value of the inherent level of risk.

121

122 Risk assessment

Health and safety practitioners, for example, prefer to undertake risk assessment with the

current controls in place. This can be a simpler process, although it relies on the assumption

that the current controls will always work to the assumed effectiveness. For example, if an

assessment of an x-ray machine is being undertaken, the safety person will assume that the

enclosure or cabinet is in good order and the risk should be assessed on that basis. The internal

auditor will more easily recognize that the enclosure or cabinet is a vitally important control

factor that has to be subject to a routine inspection.

Approaches to risk assessment

There are several approaches that can be taken when planning how to undertake risk assess-

ment. One of the key decisions will be who to involve in the risk assessment exercise. Some-

times risk assessments are undertaken by the board of directors as a top-down exercise. Risk

assessments can also be undertaken by involving individual members of staff and local depart-

mental management. This bottom-up approach is also valuable.

The opinion of the chief executive ofﬁ cer (CEO) is critically important, especially as it helps to

deﬁ ne the overall attitude of the organization to risk. There is no doubt that the CEO will be

able to provide a well-structured view of the signiﬁ cant risks faced by the organization. The

disadvantage in relying on the opinion of the CEO is that the focus is likely to be on external

risks. Although CEOs will be concerned about the ﬁ nancial management and infrastructure

risks, these internal risks may not be their major concern or area of interest.

In general, the overall approach by the organization to risk assessments will be heavily inﬂ u-

enced by the risk assessment techniques that are selected. Certain techniques require the

involvement of speciﬁ c individuals and require a particular approach to undertaking risk

assessments. It is important that the approach that is adopted is consistent with the culture of

the organization.

For example, if an organization does not normally hold meetings and workshops, then a work-

shop may not be the most appropriate approach to risk assessments. Likewise, if the culture of

the organization relies heavily on reports and written papers, this may be the best way of con-

ducting the risk assessments.

The use of voting software has become popular in recent times. For organizations such as

media companies familiar with this technology, this may be a very appropriate way of under-

taking risk assessments. However, for organizations that are not keen on technology, then the

use of such tools may be seen as gimmicks that detract from the value of the workshop.

The use of the voting software can provide additional information in the risk assessment work-

shop. Not only is it possible to identify the majority position in relation to the likelihood and

impact of a risk materializing, but it is also possible to identify the spread of opinions. If there

Risk assessment considerations 123

is a broad spread of opinions, this needs to be explored, because it could represent a possible

misunderstanding of the nature of the risk being discussed.

Risk assessment techniques

There are a wide range of risk assessment techniques available and a Final Draft Interna-

tional Standard (FDIS) has recently been published providing detailed information on the

full range of risk assessments techniques that can be used. Table 13.1 lists the main risk

assessment techniques that are in common use and also provides a brief description of each

of these techniques. Probably the most common risk assessment approaches are the use of

checklists/questionnaires and the use of brainstorming sessions, normally during risk assess-

ment workshops.

Table 13.1 Techniques for risk assessment

Technique Brief description

Questionnaires and checklists Use of structured questionnaires and checklists to collect

information that will assist with the recognition of the

signiﬁ cant risks

Workshops and brainstorming

Collection and sharing of ideas at workshops to discuss

the events that could impact the objectives, core processes

or key dependencies

Inspections and audits Physical inspections of premises and activities and audits

of compliance with established systems and procedures

Flowcharts and dependency

analysis

Analysis of the processes and operations within the

organization to identify critical components that are key

to success

HAZOP and FMEA

approaches

Hazard and operability studies and failure modes effects

analysis are quantitative technical failure analysis

techniques

SWOT and PESTLE analysis Strengths, weaknesses, opportunities, threats (SWOT)

and political, economic, social, technological, legal,

environmental (PESTLE) analyses offer structured

approaches to risk identiﬁ cation