Paul Hopkin. Fundamentals of Risk Management
Подождите немного. Документ загружается.
264 Risk response
Historical liabilities
One of the most diffi cult fi nancial risk areas for organizations is related to their exposure to his-
torical liabilities. These liabilities arise from previous activities of an organization, or acquired
parts of the organization that were purchased together with their historical liabilities.
An area that is very diffi cult to quantify for industrial organizations is the previous exposure
to agents that may give rise to delayed industrial diseases. The most obvious example is expo-
sure to asbestos and the potential for the development of mesothelioma, a malignant cancer of
the pleura or lining of the lungs. For many organizations, claims related to mesothelioma arise
30 or 40 years after the alleged exposure. Exposure will have occurred at a time when insur-
ance arrangements may be diffi cult to confi rm and the evidence of the exact working condi-
tions will no longer be available.
Another area of exposure to historical liabilities relates to pension funds. Previously, many
pension funds offered pension arrangements related to the fi nal salary that the employee was
earning. These are often referred to as defi ned benefi t pension plans. Risks associated with the
value of the pension fund and the level of pension that the available fund will purchase rest
entirely with the employer in a defi ned benefi ts pension plan.
There has been a strong recent trend towards pension arrangements that build up a sum of
money that is available to the employees to purchase a pension at the time of retirement. The
member of staff is required to contribute money to his or her pension fund, and this arrange-
ment is usually referred to as defi ned contribution pension plan. In this arrangement, the risks
attached to the value of the fund have been much reduced and the risk associated with the
value of pension that the fund will purchase has been transferred to the employee.
The particular risk control issue of concern to employers is related to the defi ned benefi t
pension plan and the liability to persons who are no longer employed by the company but
have pension entitlements within the defi ned benefi t pension plan. These are often referred to
as deferred benefi ts. The organization will need to look at the risk control options for dealing
with these deferred benefi ts. Options available include encouraging former staff members
with deferred benefi ts to opt out of the scheme by paying them a sum of money, transferring
the deferred benefi ts arrangements to an insurance company on payment of an annuity
premium or seeking to transfer the deferred benefi ts into a captive insurance company.
Historical liabilities of this type are, by defi nition, more of an issue for organizations that have
been in existence for some time. This means that the organization will have a long history and
third parties will be able to pursue liabilities that arose some considerable time ago. These his-
torical liabilities may be more severe if the organization has changed in nature over time, espe-
cially if it is a much smaller organization than it had been previously. Also, organizations that
have undergone a good deal of acquisition and merger activity will be more at risk.
Control of selected hazard risks 265
Control of infrastructure risks
Health and safety at work
One of the major areas of concern in relation to infrastructure risks for organizations is health
and safety at work. This is a highly regulated topic that should be a priority concern for all
organizations. This is a well-established discipline within risk management, although it is
often managed as an independent function.
The health and safety risks faced by an organization include prosecution by a regulatory
authority, being sued by an injured employee and disruption caused by accidents and danger-
ous occurrences. Many health and safety tools and techniques are applied in broader risk man-
agement activities and there is no doubt that the full co-operation of health and safety
specialists is vital to the success of any risk management initiative.
Undertaking risk assessments in relation to health and safety has been established for a long
time. These risk assessments can be generic when the risks are relatively low. For high-risk
activities, specifi c written detailed risk assessment will usually be required.
The features of a risk assessment include identifi cation of the hazard, identifi cation of who
might be injured by the hazard and analysis of how serious it would be if an injury occurred.
Details of the controls and precautions in place, together with the information on further
actions that are required should also be included as part of the risk assessment. The only
purpose in undertaking a risk assessment is to ensure that controls are adequate and that
people are not inappropriately at risk.
There is a hierarchy of controls that is well-established in relation to health and safety risks and
this hierarchy is set out in Table 28.2 (page 255). The overall generic control categories of pre-
ventive, corrective, directive and detective controls also apply to fraud risks, and Table 28.2
shows the equivalent categories of fraud control in comparison with the well-established ter-
minology for the hierarchy of health and safety at work controls.
Having undertaken a risk assessment of the health and safety risks, organizations need to
introduce controls that will include strategies for minimizing the risks (preventive controls),
strategies for controlling the hazard (corrective controls), together with strategies for control-
ling staff and exposure (directive controls). Finally, health and safety controls that are intended
to detect the early signs of ill-health may also be required in certain circumstances (detective
controls). Management of stress at work is an example where detective controls may be appro-
priate to identify early warning signs that stress is affecting staff.
The range of workplace hazards that should be considered when undertaking risk assessments
will depend on the exact nature of the organization. Detailed guidance is available on the man-
agement of specifi c health and safety risks, including;
dangerous machinery;
•
266 Risk response
pressure systems; •
noise and vibration; •
electrical safety; •
hazardous substances; •
lifting and manual handling; •
slips, trips and falls; •
display screen equipment; •
human factors and repetitive strain injury; •
radiation; •
vehicles and driving risks; •
fi re
safety; •
stress at work. •
Property fi re protection
One of the most common causes of loss and disruption for manufacturing, warehousing and
leisure and retail businesses is fi re. More than half the organizations that suffer a major fi re fail
to fully recover from the event. Fire is a particularly serious event for manufacturing, transport/
distribution, retail and especially for residential, hospitality and leisure occupancies. There is also
a strong link between the level of building security in place and the prevention of arson attacks.
When designing a fi re risk strategy, it is important for the organization to evaluate the fi re risks
in relation to the common causes of fi re at places of work. Most fi res at work are caused by one
or more of the following:
electrical hazards; •
hot work; •
machinery; •
smoking materials; •
fl ammable
liquids; •
bad housekeeping; •
arson. •
The most important reason for having fi
re precautions in place is to protect the safety of
people who may be affected by the fi
re. Careful attention should be paid to the adequacy of fi re
Control of selected hazard risks 267
exits and the provision of emergency evacuation signs. Also, buildings should be of proper
construction and fi re escape routes should be adequately protected, possibly by the use of
sprinklers, if necessary.
Although the safety of people is the most important consideration in relation to fi re safety,
organizations should also evaluate the potential for serious fi re and the disruption that could
result. The application of loss-control techniques to fi re prevention is very well established. Ade-
quate attention should be paid to loss prevention, damage limitation and cost containment.
Property loss prevention involves the application of preventive controls to the avoidance of a
fi re. These preventive controls will include maintenance of the electrical installation, the avoid-
ance of sources of ignition and the correct storage of fl ammable and combustible materials.
Corrective controls will include the installation of sprinkler systems and the provision of fi re
separation arrangements.
The use of directive controls will reduce the impact of a fi re and the amount of damage that
the fi re causes. Directive controls include directions and information for employees on actions
to be taken in the event of a fi re. These will include early notifi cation to the fi re authorities, as
well as the use of the portable fi re extinguishers by employees if this can be done safely. Finally,
detective controls include the provision of fi re and heat detectors as well as routine patrols by
fi re and security offi cers to detect any fi re at an early stage.
IT security
One of the key dependencies for most organizations is the information technology (IT) infra-
structure. The failure of a computer system can be a very disruptive event for many organiza-
tions. One of the best-established examples of disaster recovery planning (DRP) is in relation
to the information technology infrastructure.
Loss of computer data can be very serious for an organization, and it is more likely to be asso-
ciated with hardware problems than other issues such as software problems, electrical failure
or human error. The consequences of IT failure can include:
loss of business or customers; •
loss of credibility or goodwill; •
cash-fl ow
problems; •
reduced quality of service; •
inability to pay staff; •
backlog of work or loss of production; •
loss of data; •
fi nancial
loss; •
268 Risk response
loss of customer account information; •
loss of fi nancial controls. •
With increasing dependency on computer systems, it is important for organizations to iden-
tify the losses that could occur and take actions to manage the associated risks. It is generally
considered that the main causes of loss associated with the IT systems are as follows:
theft of computers and other hardware; •
unauthorized access into IT systems; •
introduction of viruses into the system; •
hardware or software faults and failures; •
user error, including loss or deletion of information; •
IT project failure. •
Most organizations will need to set up an IT policy that is designed to ensure correct use of
data as well as protecting the IT infrastructure of the organization. The policy should include
information on responsibility for IT systems, details of backup procedures, anti-virus and
spyware procedures, use of personal data, personal use of the internet and restrictions on per-
sonal e-mails.
Most organizations will allow a certain amount of personal use of computer systems by
employees. However, this should not be allowed to become excessive and specifi c
restrictions
should be placed on internet access to inappropriate websites. Another area of concern to
organizations is data protection and the use or disclosure of personal information by the
organization. Most countries have extensive legal requirements in place related to the protec-
tion of personal data held on computer.
Computer and IT failures will occur from time to time and the organization should ensure
adequate backup arrangements, so that only limited data is lost. Organizations with a very
high dependency on their IT infrastructure should have detailed DRP in place. In many cir-
cumstances, these will extend to arrangements for an emergency duplicate backup computer
facility, either available in a mobile trailer driven to the existing offi
ce location of the organiza-
tion or at an alternative location.
The emergency backup facilities can range from a complete duplicate facility with fully
up-to-date information (often referred to as a hot start facility) to an alternative compu-
ter system that has no data preloaded (referred to as a cold start facility). There are a range
of options for backup systems that are a combination of these two approaches, and these
are usually referred to as warm start facilities.
Control of selected hazard risks 269
HR risks
All organizations require a workforce of employed staff/contractors and/or volunteers. There-
fore, there will always be human resources risks attached to the operation of every organiza-
tion, regardless of its size, nature and the range of activities undertaken by the organization.
There are a number of risk areas associated with the employment of staff and the utilization of
the human resource within the organization:
employee engagement and termination; •
legislative and regulatory compliance; •
recruitment, retention and skills availability; •
pension arrangements; •
performance and absence management; •
health and safety. •
Large organizations usually have personnel and/or human resources expertise available in an
HR department. There has been a general feeling that large organizations are more exposed to
HR risks than smaller ones. This belief has been based on the thought that people know each
other better in small organizations and there are fewer individuals involved, so closer working
relationships exist across the whole organization. It has been assumed that these closer working
relationships mean that the organization is less vulnerable to legal action or other disruption
caused by personnel issues.
In recent times, however, it has become obvious that smaller organizations are also exposed to
signifi
cant HR risks. In response to this realization, most small organizations now produce a
staff handbook that sets out the terms and conditions of employment, including arrangements
for sickness absence, maternity leave, appraisals and annual leave, behaviour at work and roles
and responsibilities.
Organizations need to set down arrangements that will ensure full compliance with the rele-
vant employment legislation, including diversity arrangements to ensure that there is no dis-
crimination on the basis of ethnic origins or physical ability. When building on these basic
legal requirements, organizations should look at the opportunities that will arise from having
supportive, clear and benefi
cial recruitment, retention and employment practices.
270 Risk response
Control of reputational risks
Brand protection
One of the most valuable assets of any organization is its brand name, and it is important to
avoid damage to the organization or any of its brands. Damage to brand can occur for a
number of reasons, including:
changes in government policy; •
changes in the marketplace; •
new entrants into the marketplace; •
price and specifi cation
competition; •
counterfeiting and fake goods; •
inappropriate franchisee behaviour; •
failure of sponsor or joint-venture partner. •
A trend in recent times has been the use of established brands to sell goods or services that
have no obvious link to the brand itself. For example, supermarkets now sell insurance and
other fi
nancial products, as well as selling petrol from forecourt garages. Extending or stretch-
ing the brand in this way represents a huge opportunity for many organizations, but the brand
extensions have to be appropriate and credible as well as successful.
Most organizations recognize the value of their brands and have procedures in place to iden-
tify opportunities for brand extension. However, ownership of the brand within many large
organizations is sometimes not well defi
ned. Successful use of the brand to extend into new
product areas and new business sectors should only be undertaken where there is clear respon-
sibility within the organization for managing the brand.
As well as brand extensions, there has been a trend in recent times towards allowing branded
concessions to be established within other organizations. It is now commonplace to see high-
profi le catering brands running the restaurant and cafe facilities in large department stores.
This trend has developed at the same time as the increase in high-profi le sponsorship deals.
For example, many sports clubs have a new stadium that is actually called by the name of their
main sponsor.
Many organizations operate on a franchise basis, whereby the brand is franchised to an individ-
ual or other business. These developments in branding enable maximum benefi t to be gained
from a high-profi le brand. However, there are signifi cant risks attached to these opportunities,
and brand use and extension continues to be an issue that requires careful management.
Successful management of a franchise brand has many challenges. The expectations and
requirements of the franchise or brand owner would be set out in a detailed contract in most
Control of selected hazard risks 271
cases, although some franchise organizations have been in existence for a long time and the
early franchisees may not have the same rigid contact conditions. Most franchise owners
provide extensive training for franchisees, including training on the quality of products. A sig-
nifi cant issue for many franchise owners is arrangements for procurement of supplies. Often,
the franchise owner will prohibit procurement of supplies locally, so that the product deliv-
ered by the franchisee is always consistent.
Environment
One of the most rapidly developing concerns in society is global warming and how the activi-
ties of individuals and organizations might have an impact. Environmental concerns can range
from issues to do with historical land contamination, contamination of water supplies, indus-
trial emissions to atmosphere and the desire of organizations to be seen as green.
Disposal of waste is an issue of concern to all organizations. For organizations producing
industrial waste, the legislation is extremely detailed on how the waste must be treated and the
arrangements for discarding it. For commercial organizations that do not produce industrial
waste or by-products, there are still issues of concern. The disposal of commercial waste can
be costly and most countries require or (at least) encourage a large degree of recycling.
The concerns for many organizations therefore relate to minimizing the amount of commer-
cial waste that they produce, as well as adopting other green policies. For many organizations
in the public sector, recycling arrangements are detailed and recycling targets are important
because of the greater scrutiny of the performance of public bodies.
Arrangements that may be investigated will include the procurement of supplies or raw mate-
rials that have less impact on the environment and/or are easier to recycle. Organizations may
also wish to introduce a recycling policy and make specifi c arrangements for the collection of
recyclable waste materials. For some organizations, there is also scope to look at travel arrange-
ments and encourage employees to use public transport where this is feasible, as well as reduc-
ing the amount of travel that employees undertake.
For industrial operations, there are detailed standards, rules and regulations in place, with the
enforcement agencies having considerable powers. As well as paying regard to the legislative
requirements, these regulators will also pay regard to broader public opinion and seek to eval-
uate the following issues:
What impacts to the environment may occur? •
How harmful are these impacts to the environment? •
How likely is it that these impacts will occur? •
How frequently and where will these impacts occur? •
272 Risk response
Control of marketplace risks
Technology developments
One of the main challenges facing organizations is keeping up with customer expectations and
demands. This challenge is made more diffi cult by continuing developments in technology.
Organizations supplying consumer goods that are technology-based face a continuous chal-
lenge, which can be turned into a continuous set of opportunities.
Changes in the technology used to provide home and mobile communications and enter-
tainment have been considerable in recent times. Until relatively recently, home entertain-
ment and mobile entertainment was based on CDs. Organizations operating in this area
were confronted with the introduction of MP3 technology and had to make decisions
regarding which technology to pursue. The investment required to change technology was
considerable and the marketplace risks very signifi cant. For the organizations that correctly
identifi ed (and infl uenced) the developments, the rewards have proved to be enormous. In
a rapidly changing marketplace, technology advantages can be signifi cant but the challenge
of correctly identifying the most likely successful technology is always present and the
investment required is huge.
Consumer decisions regarding new technology are led by convenience, quality, price and
fashion. Another factor affecting consumer decisions and the availability of new technology is
that signifi cant developments in technology of this type occur on a worldwide basis. There-
fore, only a very limited number of organizations have the resources to undertake the research
required to develop products based on the new technology. Also, these are the same organiza-
tions that design, manufacture and supply goods that utilize the new technology.
In order to take advantage of these new technologies, many organizations have to enter into
joint-venture partnerships, share expertise and share the cost of developing the new technolo-
gies. Selection of joint-venture partners can be diffi cult and correct decisions are essential.
When developing a new entertainment technology that will be introduced across the world,
attempts are sometimes made by competitors to agree the technology that will be adopted.
This strategic approach has the advantage that research costs are shared and technology battles
are avoided. However, the disadvantage is that the scope for a huge future competitive advan-
tage is reduced.
Regulatory risks
One of the most diffi cult risk issues for many organizations is the regulatory risk. A key com-
ponent of the COSO framework is the achievement of compliance by the organization. Com-
pliance may appear to be a relatively straightforward issue, but there are often complexities
associated with the potential for changes to regulations, changes in the regulatory environ-
ment and different regulatory requirements in different territories.
Control of selected hazard risks 273
Different societies have different and changing views of certain commercial sectors. For
example, the sex industry has different standards and different regulatory frameworks in dif-
ferent parts of the world. Also, gambling faces different public attitudes, different regulatory
frameworks and variable restrictions on activities in different parts of the world. Ensuring
regulatory compliance and maintaining good working relationships with regulators can be
diffi cult, especially when public opinion is changing and/or regulatory frameworks are being
developed or modifi ed.
There has been a great deal of consideration recently of the diffi culties associated with ensur-
ing compliance in the purchase and delivery of multinational or global insurance programmes.
Two major issues have received considerable attention. These are the payment of insurance
premium tax in different territories and the acceptability of insurance provided in a country
by an insurance company that has no presence in that territory. (Insurance written by an
insurance company with no presence in a territory is referred to as non-admitted insurance.)
In relation to global insurance policies, the problems arise when a global policy is issued by a
large company based in one specifi c country, but with the insurance coverage applying across
all the operations of the organization and in several different countries. Each country will have
its regulations regarding the payment of insurance premium tax on that part of the insurance
premium that relates to the operations of the organization in that country. Also, many terri-
tories in the world do not allow non-admitted insurance policies.
The range of risk control options available to organizations seeking to achieve compliance is,
of course, restricted. Compliance is a basic requirement of all business and commercial activi-
ties. Ensuring compliance may require co-operation with third parties and detailed advice
from specialists with expertise in the discipline in that part of the world. In the example of
insurance, it may be necessary for a local insurance company to be involved in the insurance
programme in territories where non-admitted insurance is not allowed and this will add cost
to the insurance programmes. Also, arrangements for the payment of insurance premium tax
may need to be made through third-party fi scal representatives within the territory where the
taxes are due.
Learning from controls
The various examples considered in this chapter give an oversight of the wide range of hazard
risks that can be faced by an organization. There are many other examples of risks that have
been discussed throughout this book. A constant feature of all types of hazard risks is that
decisions have to be made on the most appropriate and cost-effective controls that should be
introduced.
The analysis that leads to the identifi cation of the most cost-effective level of control is illus-
trated in Figure 29.1. Figure 29.2 demonstrates the profi le of expected losses before and after