Paul Hopkin. Fundamentals of Risk Management

Подождите немного. Документ загружается.

Tolerate, treat, transfer

and terminate

The 4Ts of hazard response

Priority signiﬁ cant risks facing an organization are those that have:

high or very high impact in relation to the benchmark test for signiﬁ cance; •

high or very high likelihood of materializing at or above the benchmark level; •

high or very high scope for cost-effective improvement in control. •

Generally speaking, it is only priority signiﬁ

cant risks that require attention at the most senior

level of the organization. However, it is appropriate that regulatory risks also receive board-

room attention. In practice, the board will expect these regulatory risks to be properly managed

and the board will only receive routine/annual reports describing risk performance, or a special

report if a speciﬁ

c issue has arisen.

The benchmark test for signiﬁ cance should be set at a level that represents a signiﬁ cant impact

for the organization. Having identiﬁ ed the priority signiﬁ cant risks, the organization then

needs to review the controls in place and decide whether further actions are required. For

hazard risks, the range of responses available is often described as the 4Ts.

There is a broad range of terminology available to describe risk response options. In fact, both

British Standard BS 31100 and ISO 31000 use the term risk treatment as the more generic

description. For example, the British Standard deﬁ nes risk treatment as the ‘process of devel-

oping, selecting and implementing controls’. Likewise, ISO 31000 deﬁ nes risk treatment as

‘development and implementation of measures to modify risk’.

The terminology used in the Orange Book has been adopted for this text for the risk response

stage of the risk management process. The options for responding to risk can then be identi-

ﬁ ed as the 4Ts. Appendix A contains information on the alternative deﬁ nitions that are used

by different publications.

244

Tolerate, treat, transfer and terminate 245

More information and a brief description of each of the 4Ts is provided in Table 27.1. The 4Ts

of hazard risk management can be summarized as:

Tolerate; •

Treat; •

Transfer; •

Terminate. •

Figure 27.1 suggests that there is a dominant response in relation to each of the 4Ts, according

to the position of the risk on a risk matrix. For risks that are low likelihood/low impact, the

main response is tolerate. For risks that are high likelihood/low impact, the main response is

treat. For risks that are low likelihood/high impact, the main response is transfer, and for risks

that are high likelihood/high impact, the main response is terminate.

Table 27.1 Description of the 4Ts of hazard response

1. Tolerate

Accept/retain

The exposure may be tolerable without any further action

being taken. Even if it is not tolerable, the ability to do

anything about some risks may be limited, or the cost of

taking any action may be disproportionate to the

potential beneﬁ t gained.

2. Treat

Control/reduce

By far the greater number of risks will be addressed in

this way. The purpose of treatment is that, whilst

continuing within the organization with the activity

giving rise to the risk, action (control) is taken to

constrain the risk to an acceptable level.

3. Transfer

Insurance/contract

For some risks the best response may be to transfer them.

This might be done by conventional insurance, or it

might be done by paying a third party to take the risk in

another way. This option is particularly good for

mitigating ﬁ nancial risks or risks to assets.

4. Terminate

Avoid/eliminate

Some risks will only be treatable, or containable to

acceptable levels, by terminating the activity. It should be

noted that the option of termination of activities may be

severely limited in government when compared to the

private sector.

246 Risk response

Impact

Likelihood

Transfer

risk to another party

Dominant type of control will be

Directive

Tolerate

risk and its likely impact

Dominant type of control will be

Detective

Terminate

activity generating the risk

Dominant type of control will be

Preventive

Treat

risk to reduce the likely

impact/exposure

Dominant type of control will be

Corrective

Figure 27.1 Types of controls for hazard risks

In order to give some context to the range of risks that is being considered, Table 27.2 pro-

vides examples of the range of potentially signiﬁ cant risks associated with the headings of

the FIRM risk scorecard. Assessment of each of the risks will enable the organization to

place the risk on a risk matrix. The position of the risk on the risk matrix will then indicate

the most unlikely response to that risk. If the risk assessment is undertaken at the current

level of risk, the effect of the existing controls will already have been evaluated as part of the

risk assessment exercise.

Consider the case of a theatre that needs to respond to the increasing use of agents who require

payment at the time of the booking, rather than after the performance. Also, a recent failure of

an actor to arrive on the night of the performance caused the theatre considerable ﬁ nancial

loss. This has resulted in the theatre reviewing the booking and appearance arrangements for

actors and decided that responses are appropriate in relation to all 4Ts.

The theatre might decide that it has to tolerate the new booking fee arrangements. It has also

decided that in order to treat/reduce the risk, it will only deal with established agents in future

and terminate existing arrangements with an agency that has proved unreliable in the past.

The theatre might also investigate the possibility of buying insurance, so that the theatre can

transfer the cost of a performance cancelled because the actor fails to arrive on the night.

Tolerate, treat, transfer and terminate 247

Table 27.2 Key dependencies and signiﬁ cant risks

FIRM risk

scorecard

Example dependencies Example of a signiﬁ cant risk

Financial Availability of funds Insufﬁ cient funds available from parent

company

Correct allocation of funds Inadequate proﬁ t because of incorrect

capital expenditure decisions

Internal control Fraud occurs because of inadequate internal

controls

Liabilities under control Higher than expected liabilities arise in the

pension fund

Infrastructure People Failure to achieve/maintain health and

safety standards

Premises/plant and

equipment

Damage to key location caused by insurance

peril

IT IT systems not available because of virus or

hacker activity

Communications and

transport

Transport networks closed because of severe

weather conditions

Reputational Brand Product recall causes damage to product

image and brand

Public opinion Lost sales or revenue because of change in

public tastes

Regulators Regulator enforcement action causes loss of

public conﬁ dence

CSR Allegations of unethical product-sourcing

causes loss of sales

Marketplace Regulatory environment Change in tax regime results in unbudgeted

tax demands

Economic health Decline in world or national economy

reduces consumer spending

Product development Changes in technology reduce product

appeal and sales

Competitor behaviour Competitor substantially reduces prices to

win market share

248 Risk response

Risk tolerance

Risk tolerance is deﬁ ned in British Standard BS 31100 as the ‘organization’s readiness to bear

the risk after risk treatments in order to achieve its objectives’. An organization may have to

tolerate risks that have a current level beyond its comfort zone and its risk appetite. On occa-

sions, an organization may even have to tolerate risks that are beyond its actual risk capacity.

However, this situation would not be sustainable and the organization would be vulnerable

during this period.

When the hazard risk is considered to be within the risk appetite of the organization, the

organization will tolerate that risk. Risk tolerance is shown as the approach that will be adopted

in relation to low-likelihood risks with low impact. However, an organization may decide to

tolerate risk levels that are high because they are associated with a potentially proﬁ table activ-

ity or relate to a process that is fundamental to the nature of the organization.

It is unusual for a hazard risk to be accepted or tolerated before any risk control measures

have been applied. Generally speaking, a risk only becomes tolerable when all cost-effective

control measures have been put in place, so that the organization is accepting or tolerating

the risk at its current level. Certain control measures may have been applied because the

inherent level of the risk may have been unacceptable. Control effort seeks to move the risk

to the low-likelihood/low-impact quadrant of the risk matrix, as illustrated in Figure 27.1.

Sometimes risks are only accepted as part of an arrangement whereby one risk is balanced

against another. This is a simple description of neutralizing or hedging risks, but on a business

level this may represent a fundamentally important strategic decision. For example, an elec-

tricity company operating independently in the northern states of the United States may have

to accept the impact of variation in temperature on electricity sales.

By merging (or setting up a joint venture) with an electricity company in the southern states,

the north/south combined operation will be able to smooth the temperature-related variation

in electricity sales. The combined operation will then sell more electricity in the northern

states during cold weather, when demand in the southern states is low. Conversely, the com-

bined operation will sell more electricity for air-conditioning units in the southern states in

the summer, when demand for electricity in the northern states may be lower.

Risk treatment

When the level of risk exposure (likelihood) associated with a particular hazard is high but

the potential loss (impact) associated with it is low, the organization will wish to treat the

risk. Risk treatment will often be undertaken with the risk at the inherent and/or current

level, so that when the risk has been treated, the new current level or target level may become

tolerable.

Tolerate, treat, transfer and terminate 249

Actions to improve the standard of risk control will always be under constant review in an

organization. On a personal level, wearing a seat belt when driving a car or ﬁ tting an intruder

alarm in a house are examples of risk reduction actions. Improvements to standards of risk

control in relation to physical (insurable) risks are well known. Fitting sprinklers to buildings,

providing enhanced building security arrangements and employee security vetting are all

examples of risk improvement actions designed to better manage hazard risks.

When identifying suitable risk treatment options, the organization will need to look at the

effect of the treatment on the likelihood of the risk materializing as well as looking at the

impact of the risk should it materialize. Cost-effective risk treatments will need to be selected

and the effect of different control measures can be shown on a risk matrix, as in Figure 27.1.

Risk transfer

When the likelihood of a risk materializing is low but the potential is high, the organization

will wish to transfer that risk. Insurance is a well-established mechanism for transferring the

ﬁ nancial consequences of losses arising from hazard risks and (to a lesser extent) control risks.

The issues associated with the use of insurance as a risk transfer mechanism are considered in

more detail in Chapter 30.

In some cases, risk transfer is closely related to the desire to eliminate or terminate the risk.

However, many risks cannot be transferred to the insurance market, either because of pro-

hibitively high insurance premiums or because the risks under consideration have (tradition-

ally) not been insurable.

Risk transfer can be achieved by conventional insurance and also by contractual agreement. It

may also be possible to ﬁ nd a joint-venture partner, or some other means of sharing the risk.

Risk hedging or neutralization may therefore be considered to be a risk transfer option, as well

as a risk treatment option.

The cost of risk transfer is a component of risk ﬁ nancing. Once again, there is variation in the

deﬁ nitions used. In relation to risk ﬁ nancing, both BS 31100 and ISO 31000 agree that risk

ﬁ nancing involves the cost of contingent arrangements for the provision of funds to meet the

ﬁ nancial consequences of a risk materializing. Such arrangements are usually provided by

insurance, and insurance is, therefore, ﬁ nance that is contingent upon certain insured events

taking place.

The difference in deﬁ nition between BS 31100 and ISO 31000 is that ISO 31000 also considers

that the cost of risk ﬁ nancing should include the provision of funds to meet the cost of risk

treatment. In this text, resourcing of controls is considered to be a separate step in the risk

management process. This is another example that illustrates that there is no universally

agreed or common language of risk.

250 Risk response

Risk termination

When a risk is both of high likelihood and high potential impact, the organization will wish to

terminate or eliminate the risk. It may be that the risks of trading in a certain part of the world

or the environmental risks associated with continuing to use certain chemicals are unaccept-

able to the organization and/or its stakeholders. In these circumstances, appropriate responses

would be elimination of the risk by stopping the process or activity, substituting an alternative

process or outsourcing the activity that is associated with the risk.

An organization may wish to terminate a risk, but it could be the case that the activity that

gives rise to it is fundamental to the ongoing operation of the organization. In such circum-

stances, the organization may not be able to terminate or eliminate the risk entirely and thus

will need to implement alternative control measures.

This is a particular issue for public services. There may be certain risks that are high likelihood

and high impact, but the organization is unable to terminate the activities giving rise to them.

This may be because the activity is a statutory requirement placed on a government agency or

public authority. The public service imperative may restrict the ability to cease the activity, so

the organization will need to introduce control measures, to the greatest extent that is cost-

effective.

It is likely that such control measures will be a combination of risk treatment and risk transfer.

As these control measures are applied, the level of risk will move to a level where the organiza-

tion will be able to tolerate the risk. Because of the variable nature of risks, it may not be pos-

sible to get all risks to a level that is within the risk appetite of the organization. The

organization may ﬁ nd that it has to tolerate risks beyond its empirical risk appetite in order to

continue to undertake a certain activity.

Project and strategic risk response

The overall approach to the management of control and opportunity risks is similar to the

approach adopted for the management of hazard risks. However, there are sufﬁ cient differ-

ences in the range of options available for these to be presented separately.

Figure 27.1 illustrates the 4Ts of hazard risk management and the type of controls that are

most likely to be associated with each type of hazard risk response. The types of controls are

considered below. This chapter has been concerned almost exclusively with responding to

hazard risks. However, there is a similar range of responses available for control risks and for

opportunity risks.

Figure 27.2 shows the range of responses that are available when managing uncertainty in

projects. The similarities with the 4Ts of hazard risk management are obvious. However, the

Tolerate, treat, transfer and terminate 251

emphasis in project risk management is to achieve progress in accordance with a project plan

with as little variation from the plan as possible. Project risk management is mainly concerned

with the management of uncertainty and is closely aligned to control management.

Chapter 22 considered project risk management in more detail and Figure 27.2 should be

viewed in the context of the information set out in that chapter. Low-uncertainty and low-

exposure risks in a project will be accepted. For low-uncertainty but high-exposure risks, the

project manager will introduce relevant controls and adapt appropriate procedures.

For low-exposure but high-uncertainty risks, the project manager will wish to transfer these

risks to a third party. However, the transfer risks embedded in a project will tend to be

achieved by contractual arrangements. Also, the project manager will wish to adopt appro-

priate contingency plans in order to manage the high-risk-exposure but high-uncertainty

risks. High-exposure and high-uncertainty risks will be avoided within the project, when-

ever this is feasible.

Figure 27.3 suggests that there are a range of responses available for the management of oppor-

tunity risks. Developing and implementing efﬁ cacious strategy will require the evaluation of

the level of risk associated with each available strategy and the level of reward that the strategy

will deliver.

The 4Es of opportunity management are set out as exist, explore, exploit and exit. There is

a close relationship between the 4Es and the status of the organization, as illustrated in

Figure 27.3. A start-up operation will face a higher level of risk and low potential rewards.

Increasing

uncertainty

Risk exposure

Adopt

appropriate

contingency plans

the uncertainty

attached to the risk

Avoid

the uncertainty

attached to the risk

Adapt

procedures and

introduce controls

Figure 27.2 Risk versus uncertainty in projects

252 Risk response

Potential

reward

Risk exposure

Exploit

opportunity until

competitors arrive

Exist

in mature/declining

markets

Exit

depending on risk

appetite and capacity

Explore

entrepreneurial

opportunities

Figure 27.3 Risk versus reward in strategy

Entrepreneurial opportunities will be explored at this time. As the organization grows, poten-

tial rewards will increase while the level of risk will remain high. The organization will seek to

achieve growth, but may feel that growth is too slow or the level of risk remains too high, and

if so it will exit from those operations.

After a period of growth, the organization should be achieving a high reward for a reduced

risk. This represents the phase where the organization will exploit opportunities until com-

petitors arrive. This is a mature operation. All mature operations are exposed to the possibility

of decline, although many organizations choose to exist in a mature, declining market, where

risk exposure is low and so are potential rewards.

Risk control techniques

Hazard risk zones

Although the 4Ts of hazard response can be illustrated on a simple risk matrix, such as Figure

27.1 (page 246), the options are not that clear cut. It can be seen that the tolerate and terminate

options meet at the centre of the risk matrix. It is not sensible to suggest that a small increase

in risk likelihood and potential impact would completely change the approach of the organi-

zation to that particular risk.

Figure 28.1 provides a slightly more realistic analysis by providing a diagram that builds on

Figure 13.1, the application of risk appetite matrix (page 128), as well as Figure 26.2, which

illustrates risk appetite, exposure and capacity (page 237). Figure 28.1 illustrates that there are

three zones on the risk matrix. The comfort zone is predominantly for low-likelihood and

low-potential-impact events. As can be seen, there is a level of potential impact that will always

be within the comfort zone. Likewise, there is a level of risk likelihood that is always consid-

ered to be so low that it will not happen.

However, as risk likelihood and potential impact increase, a point is reached, where judge-

ment is required as to whether the risk should be tolerated. Judgement is required within the

cautious zone and actions will usually be taken to treat and/or transfer the risks within that

zone.

As the risk likelihood and potential impact further increases, a critical line is reached. When

the risk gets above the critical line, the organization will be concerned about tolerating those

risks and will wish to terminate exposure to them. In certain circumstances, the organization

will not be able to terminate these risks, either because they may represent a business impera-

tive, or because they are associated with a high-risk–high-reward strategy that the board has

adopted.

253