Paul Hopkin. Fundamentals of Risk Management

Подождите немного. Документ загружается.

144 Risk assessment

It is possible to illustrate the 4Ts of risk response on a simple risk matrix and this is done in

Figure 15.2 (page 141). This diagram suggests that in each of the four quadrants of the risk

matrix, one of the 4Ts will be dominant. Tolerate will be the main response for the low likeli-

hood/low impact risks. Treat will be the dominant response for high likelihood/low impact

risks. Transfer will be the dominant response for high impact/low likelihood risks and termi-

nate will be the dominant response for high impact/high likelihood risks.

Figure 15.2 provides a simple graphical representation of the dominant risk response in each

of the four quadrants of a simple risk matrix. The corresponding responses for control and

opportunity risks will be considered in a later part of this book as the 4As and 4Es respectively.

It is important to note that these responses are represented as the dominant or most likely

response in each quadrant.

Different and/or additional responses may be appropriate, depending on the circumstances.

For example, if high impact/high likelihood risks are embedded within mission-critical activi-

ties, they may be unavoidable. In this case, it will not be possible for the organization to termi-

nate those risks.

A difﬁ culty in presenting such a simple risk map showing the 4Ts of risk response is that they

meet in the centre. Clearly, it cannot be as simple as suggested, because a small change in the

likelihood and impact of a risk could take it from the terminate quadrant into the tolerate

quadrant. A slightly modiﬁ ed approach that makes this analysis somewhat more realistic is

considered in a later part.

Risk signiﬁ cance

When undertaking a risk assessment, it is quite common to identify a hundred or more risks

that could impact the objective, core process or key dependency that is being considered. This

is an unmanageable number of risks and so a means is required to reduce the number that will

be considered to be priority issues for management.

So that an organization can concentrate on signiﬁ cant risks, a test for risk signiﬁ cance is

required. Table 15.1 provides suggestions on the nature of the benchmark tests that could be

used to decide whether a risk is signiﬁ cant. For risks that will have a ﬁ nancial or commercial

impact, the benchmark test is likely to be based on monetary value. For risks that could disrupt

the infrastructure or routine operations of the organization, a benchmark test based on the

impact, cost and duration of disruption is appropriate. For reputational risks, the most likely

benchmark will be based on the adverse publicity that would result if the risk materializes.

This may vary according to the nature of the risk and whether it is a ﬁ nancial or non-ﬁ nancial

one. For large organizations, identifying a ﬁ nancial test for signiﬁ cance can be undertaken in

a number of ways. Many organizations will have authorization procedures for spending

Risk likelihood and impact 145

Table 15.1 Benchmark tests for risk signiﬁ cance

FIRM risk scorecard Typical benchmark test for signiﬁ cance

Financial Impact on balance sheet of 0.25%

•

Proﬁ t and loss impact of 2.5% annual proﬁ t •

Infrastructure Disruption to normal operations of ½ day •

Increased cost of operation exceeds 10% budget •

Reputational Share price falls by 10% •

Event is on national TV, radio or newspapers •

Marketplace Impact on balance sheet of 0.5% turnover •

Proﬁ t and loss impact of 1% annual proﬁ t •

money, and so the test for risk signiﬁ cance should be compatible with the authorization levels

that are often set out in a formal document referred to as a ‘delegation of authority’.

For a large organization, it may be the case that full board approval is required for expenditure

in excess of a particular ﬁ nancial threshold. This is an indication of the sum of money that is

considered signiﬁ cant by the organization. Other tests include a percentage of the proﬁ t or a

percentage of the value of the balance sheet (or reserves) of the organization. Typically, 2.5 per

cent of the annual proﬁ t or 0.25 per cent of Balance Sheet or 0.5 per cent of annual turnover

are appropriate tests for signiﬁ cance.

Financial limits can be used to test whether a risk is signiﬁ cant in relation to ﬁ nancial and mar-

ketplace risk segments of the FIRM Risk Scorecard. For infrastructure and reputational seg-

ments, identifying a benchmark test for signiﬁ cance may be more difﬁ cult. One test of

signiﬁ cance for infrastructure risks is to ask whether the risk would disrupt normal operations

for more than (say) half a day. For reputational risks, the test for signiﬁ cance may be to deter-

mine how the event would be reported. A report on the front page of the local newspaper or

in the national press may be an indication that a risk should be considered to be signiﬁ cant.

For an organization, it is possible that the external auditors might indicate that a sum of

£1m/$1m would be considered to be a material sum when compiling the accounts of the

organization. This would offer a benchmark to the management of the company to use that

amount as the benchmark test of signiﬁ cance. Applying this test during a risk assessment

workshop could reduce the number of risks for further consideration to about 20. The next

stage would be to identify how likely each of the 20 potentially signiﬁ cant risks would be to

materialize at or above the ﬁ nancial threshold level. A risk matrix could be used to record and

display the results.

146 Risk assessment

Risk capacity

There are several aspects that are important when an organization is deciding how much risk to

take. Different approaches will be taken for different types of risks. Hazard risks will give rise to

a hazard tolerance, control risks will give rise to a control acceptance and opportunity risks will

give rise to an investment appetite. Overall, the organization will have a total risk exposure. This

is the sum of the total risk that the organization has taken in these three categories.

Risk exposure is the actual risk that the organization is taking and this may not be the same as

the risk appetite that the board believes is appropriate for the organization. There is also

another important measure of risk, and that is the risk capacity of the organization. This is a

measure of how much risk the organization should take or can afford to take.

In simple terms, the risk appetite of the board should be within the risk capacity of the organ-

ization and greater than or equal to the actual risk exposure that the organization faces. A con-

tributing factor to the global ﬁ nancial crisis was that certain ﬁ nancial institutions were exposed

to a level of risk beyond the risk-bearing capacity of that organization.

It would be inappropriate for an organization to embark on a project that could exhaust all of the

resources of the organization. The capacity of the organization to accept risk will depend on the

ﬁ nancial strength of the organization, the robustness of its infrastructure, the strength of its rep-

utation and brands and the competitive nature of the marketplace in which it operates.

The more rapidly the marketplace is changing, the greater capacity for risk the organization

is required to have available. For example, if an organization is facing a signiﬁ cant change in

technology, the strategic options may be limited. Consider an organization that is involved

in the manufacture of CD players when it becomes obvious that MP3 technology is taking

over. The organization will be faced with a signiﬁ cant risk related to the change in technol-

ogy and will need to develop a new business model. It will have to acquire new production

equipment, new skills and new distribution patterns. It may be that the transfer to the new

technology and the risks that it involves are outside the resources and risk capacity of the

organization. If that is the case, the organization may need to explore strategic options,

including seeking a joint-venture partner, locating a buyer for the business or simply with-

drawing from the marketplace.

The box below provides a real example of the consequences of the global ﬁ nancial crisis. This

ﬁ nancial institution discovered that the risk exposure faced by the organization was greater

than its risk capacity. Having acknowledged that situation, the ﬁ nancial institution then

released a statement to shareholders.

Risk likelihood and impact 147

Risk capacity

Risk capacity is the level of risk the bank considers itself capable of absorbing, based on

its earnings power, without damage to its dividend paying ability, its strategic plans

and, ultimately, its reputation and ongoing business viability. It is based on a

combination of budgeted, forecast and historical revenues and costs, adjusted for

variable compensation, dividends and related taxes.

Risk exposure is an estimate of potential loss based on current and prospective risk

positions across major risk categories – primary risks, operational risk and business

risk. It builds as far as possible on the statistical loss measures used in the day-to-day

operating controls. Correlations are taken into account when aggregating potential

losses from risk positions in various risk categories to obtain an overall estimate of the

risk exposure. The risk exposure is assessed against a severe but plausible constellation

of events over a one-year time horizon to a 95 per cent conﬁ dence level or a ‘once in 20

years’ event.

Risk appetite is established by the board that set an upper boundary on aggregate risk

exposure. A comparison of risk exposure with risk capacity serves as a basis for

determining if current or proposed risk limits are appropriate. It is one of the tools

available to management to guide decisions on adjustments to the risk proﬁ le.

The risk exposure should not normally exceed risk capacity but in the recent extremely

difﬁ cult market conditions, this relationship has not held. The bank recorded a large

net loss, showing that the risk exposures remained greater than its risk capacity. Risk

exposure remained high as a result of a lack of liquidity in the markets for securitized

assets and due to signiﬁ cantly increased volatility levels in global markets. The

reduction in risk exposure that was achieved through sales in addition to the

signiﬁ cant writedowns incurred on risk positions was offset by a simultaneous decrease

of risk capacity due to downward revisions of earnings expectations as a consequence

of the deteriorating economic outlook.

Loss control

Risk likelihood

Risk likelihood can also be described as risk frequency. However, using the phrase risk fre-

quency assumes that the risk occurs on a regular basis. The more general term risk likelihood

is used throughout this book. Risk likelihood can be determined on an inherent basis for any

particular risk, or can be determined at the current level of risk, paying regard to the control

measures that are in place.

For hazard risks, previous history may be a good indication of how likely the risk is to occur.

For a ﬂ eet of motor vehicles, there is certain to be a history of vehicle accidents and break-

downs. Controls will be in place to reduce the likelihood of these events. A road haulage

company should assess the likelihood of vehicle breakdowns on an inherent basis and also on

the basis of current controls. There are, however, difﬁ culties in assessing the inherent likeli-

hood of vehicle accidents, because certain assumptions would have to be taken about what

effect the removal of controls would have on the likelihood of accidents.

Even if an assessment of the breakdown likelihood at the inherent level cannot be undertaken,

the company will still need to determine the importance of the vehicle maintenance pro-

gramme in preventing vehicle breakdowns and whether the maintenance activities provide

value for money. In relation to vehicle accidents, the company may have driver training proc-

esses in place and, again, the effectiveness of these processes can be determined by evaluating

inherent and current levels of risk. Whether levels of risk are evaluated at inherent or at current

level, there is no doubt that benchmarking the performance of the ﬂ eet against the average

performance of the industry will be a useful exercise.

An example of a control measure that has an effect on the magnitude of the risk but may have

no effect on its likelihood is the use of seat belts in cars. In simple terms, the driver wears a seat

belt to reduce the impact of an accident, because the seat belt has no effect on the likelihood of

an accident occurring. The driver wears the seat belt as a control measure for when the acci-

dent happens.

148

Loss control 149

A sports club will wish to reduce the chances of a key player being absent. The absence may

be caused by inappropriate behaviour by a player, resulting in the need for sanctions against

that person. Accordingly, the club may decide to introduce a ‘code of behaviour’ for senior

players, and this would include a commitment by each player to follow an appropriate

healthy lifestyle. Failure to comply with the code of behaviour would result in ﬁ nancial and

other punishments.

The club may also decide that additional controls were required to reduce player absence,

including ﬁ tness monitoring and social support for overseas players who had recently moved

to the country to join the team. It may also be agreed that an attempt should be made to place

contractual limits on the ability of national teams to call on its overseas players. These actions

will be taken in addition to other loss-control activities, such as excellent medical facilities to

provide immediate medical care and reduce the damage when an injury occurs. Also, the

company may purchase insurance to protect itself against the ﬁ nancial losses associated with

the absence of a player.

Risk magnitude

Reducing the magnitude of a hazard risk is very important. For hazard risks, magnitude is

often referred to as severity of the risk should it materialize. Reduction in hazard risk severity

will be achieved by reducing the overall impact or consequences when the adverse event

occurs. The seat belt in a car can reduce the consequences of an accident, but has no effect on

the likelihood of having an accident.

It is possible for a serious ﬁ re to occur that results in a considerable amount of property

damage and is considered to be very severe and expensive. However, in reducing the severity

of a serious ﬁ re, the requirement is to reduce the impact of the ﬁ re on the organization. Actions

to reduce impact will concentrate on damage limitation at the time of the ﬁ re and cost con-

tainment after the event.

Damage limitation is also an important feature of reputational risk management. When a

serious incident occurs that attracts public attention, an organization will need to be able to

protect its reputation by reassuring stakeholders that the organization responded appropri-

ately to the event. It is almost invariably the case that the CEO or chairman of the company

will arrive at the scene when there has been a serious train or plane crash.

There have been examples where a serious incident has occurred and the management of the

media by the organization has been very poor. In these cases, it is likely that inadequate atten-

tion was paid to pre-incident planning, so that the damage to the reputation of the organiza-

tion was not effectively minimized at the time the incident occurred.

150 Risk assessment

Organizations will also need to be concerned with cost containment. Cost containment fol-

lowing an event is usually based on the business continuity plan (BCP) or disaster recovery

plan (DRP) that the organization put in place before the incident occurred. The development

of effective BCP and DRP will put the organization in the best position to ensure that the

overall cost of the incident is kept as low as possible.

Hazard risks

The range of hazard risks where reducing the magnitude of the adverse event is important will

include fraud, health and safety, property protection and efﬁ cient operation of IT systems, as

well as incidents with the potential to cause damage to reputation. Table 16.1 provides a list of

the key dependencies, using the structure of the FIRM risk scorecard, which could give rise to

hazard risks. When hazard risks materialize, actions need to be taken to reduce the magnitude

of the event, as well as limit the impact.

Table 16.1 Generic key dependencies

FIRM risk scorecard Example dependencies

Financial Availability of funds/ﬁ nance

•

Correct allocation of funds/ﬁ nance •

Internal control (fraud) •

Liabilities under control (bad debts and pensions) •

Infrastructure People skills and experience •

Premises/plant and equipment •

IT hardware and software •

Communications and transport •

Reputational Brand and brand expansion •

Public opinion of sector •

Regulators enforcement action •

Corporate social responsibility •

Marketplace Regulatory requirements •

Health of world or national economy •

Product development (technology) •

Competitor behaviour •

Loss control 151

Although the main focus of managing hazard risks will be on loss prevention, successful man-

agement of hazard risks must also include consideration of damage limitation and cost con-

tainment. There is a developing trend in the insurance market towards settling claims in a

more efﬁ cient and cost-effective manner. This trend is partly based on encouraging organiza-

tions to get back to normal operation as soon as possible. Indeed, some insurance companies

refer to initiatives of this type as cost containment.

As mentioned previously, reducing the severity of an incident should be seen as part of an

overall attempt to implement loss control in an organization. An integrated approach to loss

control is important because it will enable the organization to control both the likelihood and

impact when a hazard risk materializes. In fact, loss control should be considered to be loss

prevention plus damage limitation plus cost containment.

Although the most important component of loss control is loss prevention, hazard risks can

materialize despite the best efforts of organizations. Adequate assessment of hazard risks is

vital, so that appropriate pre-planning of post-loss actions can be undertaken. Plans should be

in place to ensure that the damage caused by the incident is kept to a minimum and the cost

consequences of the event are also tightly controlled and contained.

Loss prevention

Loss prevention is concerned with preventing the losses occurring or, at least, reducing the

likelihood of losses occurring. Damage limitation is concerned with reducing the amount of

damage that occurs when the hazard event materializes. For example, if a ﬁ re occurs the ﬁ re

doors and ﬁ re shutters will reduce the extent of damage. Cost containment is concerned with

minimizing the impact of the loss on an organization by ensuring that costs associated with

the adverse hazard event are reduced to a minimum.

Techniques for loss prevention will vary according to the type of hazard risk that is being con-

sidered. For health and safety risks, loss prevention is related to eliminating the activity com-

pletely or ensuring that, for example, hazardous chemicals are not used in processes.

For risks to buildings, loss-prevention techniques involve such controls as the elimination of

sources of ignition and the control, containment and segregation of ﬂ ammable or combusti-

ble materials. Loss-prevention techniques will also include restrictions on smoking and other

actions taken to reduce hazardous behaviours by persons using the buildings.

For fraud and theft risks, loss-prevention techniques will include separation of responsibilities

and security tagging of expensive items. Fraud prevention techniques may also involve pre-

employment screening. A more detailed consideration of fraud prevention is set out in a later

Part of this book.

152 Risk assessment

Damage limitation

Damage limitation in relation to ﬁ re hazards is well established. Although sprinkler systems

are often considered to be a loss-prevention measure, they are, in fact, the major control

measure for ensuring that only limited damage occurs when a ﬁ re breaks out. Other damage-

limitation factors related to ﬁ re include the use of ﬁ re segregation within buildings, the use of

ﬁ re shutters and well-rehearsed arrangements in place to remove, segregate or otherwise

protect valuable items.

Accidents at work still occur, despite the considerable attention paid to health and safety

standards and other loss-prevention activities. Provision of adequate ﬁ rst aid arrangements is

an obvious damage-limitation activity and suitable ﬁ rst aid facilities are provided by most

organizations. For some high-risk factory occupancies, medical facilities are provided on site.

In some cases, these medical facilities will include specialist treatment facilities related to the

particular hazards on site. An example is the provision of cyanide antidotes in factories where

chromium plating activities take place using cyanide plating solutions. A simpler example is

the provision of emergency eye wash bottles in locations where hazardous chemicals are

handled.

Cost containment

When a hazard risk materializes, despite the efforts put into loss prevention and the efforts

that have been put into damage limitation, there may well still be a need to contain the cost of

the event. For example, among the activities for minimizing costs associated with serious ﬁ res

are detailed arrangements for salvage and arrangements for decontamination of specialist

items that have suffered water or smoke damage.

Cost containment in relation to a ﬁ re will also include arrangements for specialist recovery

services. The actions that will be taken to ensure that post-incident costs are minimized should

all be set out in a business continuity plan. The topics of business continuity planning and dis-

aster recovery planning are considered in more detail in another Part of this book.

A further consideration relevant to cost containment after an incident is what insurance

companies referred to as ‘increased cost of operation’. Most material damage/business inter-

ruption insurance policies will allow for payment of increased cost of operation. This may

arise when an organization has to sub-contract certain production activities, or has to

undertake manufacturing work at another one of its factories, which may be located some

distance away.

If a manufacturer discovers that faulty goods have been released into the marketplace, a

number of actions become necessary. The organization should have developed plans in

Loss control 153

advance of the event occurring for notifying customers of the fact that faulty goods are in the

marketplace and how to identify them. The box below considers the importance of product

recall in these circumstances.

Product recall risk management

Any company or organization that manufactures, assembles, processes, wholesales, or

retails products could be ﬁ nancially impacted by the direct or indirect costs of a

product recall. Direct costs can include wages for staff who have to implement the

recall plan. Other direct costs include communications and this could entail

purchasing air time on radio and television and notices in newspapers or industry

publications.

Indirect costs can include lost production time for staff who must focus on the recall

process, as well as the hiring of temporary employees to assure continued production.

However, the greatest indirect cost is the impact that adverse publicity could have on

market share of the market. A product recall should be designed to:

protect the customer from bodily injury or property damage; •

remove the product from the market and from production; •

comply with speciﬁ

c regulatory requirements; •

protect the assets of the company. •