Simple Tools and Techniques for Enterprise Risk Management
Enterprise Risk Management is a necessary and valuable tool for identifying, quantifying and mitigating risks across an organization, but it is also a significant undertaking in terms of knowledge and application. In these days of fiscal, regulatory and political correctness this book addresses ERM in its broadest sense, providing useful reference and examples. Written in a clear and concise manner, the content should be of tremendous value to anyone involved in risk, audit or corporate governance whether as an analyst or board member.
(Robin Paris, Director, Group Risk, Nestlé)

This book provides an excellent introduction to enterprise risk management set in the context of strong corporate governance. The writing is clear and direct, combining a comprehensive understanding of enterprise risk with a practical and straightforward guide to tools and techniques from strategic to operational level. As a result I have no doubt that it will find its way onto the shelves of the more experienced risk managers.
(Caroline Donaldson, Director, Head of Risk, Network Rail)

Robert Chapman has distilled years of experience and produced a book which is easy to read and full of practical/useful information. Having devised and implemented an enterprise risk management process, I found much of the material instantly recognizable and relevant. My one regret is that this book was not available earlier!
(Matt Smith, Group Risk Manager, Tate & Lyle plc)

This book will be of benefit to all levels of risk practitioner and sets ERM in the context of corporate governance and internal control requirements. It provides a particularly clear description of a risk management process defined by IDEF0 diagrams with a useful discussion of internal and external risk factors.
(Andrew Wood, Director, Risk Management, Serco Group plc)
Simple Tools and Techniques for Enterprise Risk Management
Second Edition
Robert J Chapman PhD
Recommended by the Institute of Risk Management
A John Wiley & Sons, Ltd., Publication
Copyright © 2011 John Wiley & Sons, Ltd
Registered Office
John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, United Kingdom. For details of our global editorial offices, for customer services and for information about how to apply for permission to reuse the copyright material in this book please see our website at www.wiley.com.
The right of the author to be identified as the author of this work has been asserted in accordance with the Copyright, Designs and Patents Act 1988.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by the UK Copyright, Designs and Patents Act 1988, without the prior permission of the publisher.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.
Designations used by companies to distinguish their products are often claimed as trademarks. All brand names and product names used in this book are trade names, service marks, trademarks or registered trademarks of their respective owners. The publisher is not associated with any product or vendor mentioned in this book. This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold on the understanding that the publisher is not engaged in rendering professional services. If professional advice or other expert assistance is required, the services of a competent professional should be sought.
Library of Congress Cataloging-in-Publication Data
Chapman, Robert J.
Simple tools and techniques for enterprise risk management / Robert J. Chapman – 2nd ed.
p. cm.
ISBN 978-1-119-98997-4 (hbk) – ISBN 978-1-119-99065-9 (ebk) – ISBN 978-1-119-99064-2 (ebk)
HD61.C494 2011
2011042252 ISBN: 978-1-119-98997-4 (hbk) ISBN: 978-1-119-96321-9 (ebk)
ISBN: 978-1-119-99065-9 (ebk) ISBN: 978-1-119-99064-2 (ebk)
A catalogue record for this book is available from the British Library.
Set in 10/12pt Times by Aptara Inc., New Delhi, India
Printed and bound by CPI Group (UK) Ltd, Croydon, CR0 4YY
To Kay, Dominic and Gemma
Contents
2.12 Sir David Walker’s Review of Corporate Governance, July 2009
2.13 Sir David Walker’s Review of Corporate Governance, November 2009 (Final
4 The Global Financial Crisis of 2007–2009: A US Perspective 59
5 Developments in Corporate Governance in Australia and Canada 85
6.6 Embedding Internal Control and
7.1 Responsibility for Risk Management
7.12 The Green Book 126
11.7 Process Mechanisms (Enablers) 200
16 Operational Risk Management 267
18.5.13 No Clear Demonstration of How Risk Management Adds Value
18.5.14 Overcomplicated Implementation from an Unclear Risk Policy,
18.5.15 Lack of Alignment between the Business Strategy, Business
18.5.16 Lack of the Integration of Risk Management Activities into the
18.6 Project Risk Management Process 342
18.11 Software Tools Used to Support Project
20.5 The European Agency for Safety and
20.6 Implementation of Health and Safety
21.7.2 Monetary Policy 397
23.11.2 Unauthorised Access with Intent to Commit or Facilitate
24.3 Benefits of Political Risk Management 455
27.2.10 Prepare Tender Documents 520
Appendix 4: Risk: Improving Government’s Capability to Handle
Appendix 13: Industry Breakpoints 599

List of Figures
Figure 11.1 Structure of Chapter 11 198
Preface to the Second Edition
Since the publication of the first edition in 2006 the landscape of enterprise risk management (ERM) has changed dramatically. Clearly the single most prominent event has been the financial and economic “earthquake”, whose epicentre lay in the United States. The “aftershocks” continue to be felt around the globe. I think it is safe to say that never before have governments, regulators, businesses and the public been so preoccupied with risk exposure. Never before has risk management been written about, spoken of or debated with the same intensity. The “man on the street”, particularly in Europe and the United States, is now only too acutely aware of the risks to his nation’s economy, his employer, his employment and his standard of living. Poor risk management was cited time and time again in the aftermath of the global financial crisis. Clearly, making predictions solely on observations and experience and adopting the “bell curve” was found wanting, and the ramifications of a lack of forewarning have been devastating. As described in 2009 by Angel Gurría, Secretary-General of the Organisation for Economic Co-operation and Development (OECD), “the current global economic crisis is costing the world trillions of dollars, a protracted recession, millions of lost jobs, a huge loss of confidence in financial markets and a reversal in our efforts to curb global poverty”. Bank executives have been pilloried for their risk-seeking behaviour, which at times has been described as reckless. Hector Sants, the chief executive of the UK Financial Services Authority (FSA) at the time of writing, remarked after the crisis: “Remuneration practices – bonuses – have been a symbol; a lightning rod of society’s lack of trust in bankers and to address the trust issue this state of affairs has to be recognised and resolved”. While a minority of board directors exhibited all of the destructive “d’s”, from being deceitful, delinquent, devious, dictatorial and dishonest through to disreputable, they kept the media spotlight on board behaviour. Surveys completed by the large accounting firms post the financial crisis lead to the common conclusion that the UK is still not there yet in terms of fully embedding ERM into board behaviour. Clearly ERM (which embraces both corporate governance and ethics) still has a long journey to travel before it is ingrained in the culture of businesses and can be seen to be contributing to business longevity and profitability.
The changes included in this revision reflect world events, national initiatives to address corporate governance failings and the growing importance of project risk management, business ethics, and health and safety management. These last three subjects have been included in the business risk taxonomy described in Chapter 9 as additional internal processes, as it is considered they warrant specific attention.
The major differences between the first and second edition are summarised below.
New chapters:
Significantly modified chapters:
New appendices:
BOOK OVERVIEW
The book is composed of five parts. The target audience is different for each part.
Part I, “Enterprise Risk Management in Context”, sets out the impetus behind ERM and describes corporate governance in the UK and overseas. It provides a detailed description of the global financial crisis of 2007–2009, the effects of which are still very evident in 2011 in Europe, North America and elsewhere. It explains the relationship between corporate governance, internal control and risk management, and reviews the development of risk management in the private sector. It is aimed at all audiences to set the scene and is particularly focused towards the chief executive, non-executive directors and the board in general.

2 The Institute and Faculty of Actuaries (the merged body formed in 2010 from the Institute of Actuaries and the Faculty of Actuaries) is the professional body representing actuaries in the United Kingdom. In March 2008, ERM was adopted as one of the six actuarial practice areas, reflecting increased recognition of its importance. A regular newsletter communicates the ongoing work that the profession performs in respect of ERM.
3 The Institute of Risk Management supported the development of ISO 31000, an international standard for risk management (published 13 November 2009), together with the accompanying standard, ISO 31010 – Risk Assessment Techniques, which followed.
Part II, “The Risk Management Process”, is composed of seven chapters, each of which describes a stage within the overall risk management process. The process stages are based on the stages described within ISO 31000, published in 2009 by the International Organization for Standardization. Part II explains the activities to perform risk management using a standard process definition notation. Process goals, inputs, outputs, mechanisms and controls are fully explained for each stage. Simple tools and techniques are described to accomplish the individual stages. This part is specifically aimed at risk practitioners, chief risk officers, audit committees and business risk managers.
Part III, “Internal Influences – Micro Factors”, describes the five sources of risk considered to be controllable (to a degree) by businesses, labelled in this text as financial, operational, technological, project and business ethics. This part is aimed at the audit committee, business risk managers, department heads and risk management practitioners.
Part IV, “External Influences – Macro Factors”, describes the six sources of risk considered to be uncontrollable by businesses, labelled in this text as economic, environmental, legal, political, market and social. This part is aimed at all audiences, from the chief executive through to the student. These chapters describe the complex world we live in, its changing nature, and those aspects of the environment, in its fullest sense, that may pose threats and upside opportunities to business performance. It is aimed at all those wishing to understand the external influences on businesses today.
Part V, “The Appointment”, is composed of four chapters. Chapter 27 describes a consultant selection process on behalf of clients who want to go through a formal auditable process where price is of particular importance. Chapters 28, 29 and 30 describe, from a consultant’s perspective, the interview process with a prospective sponsor, the preparation of a proposal and implementation of an assignment post-appointment, respectively. Hence Part V is largely for the benefit of risk practitioners.
HOW TO READ THIS BOOK
Time is precious. How much time do we ever have in any one day to reflect on how we do things and whether there is a better approach? Time between deadlines is commonly short, offering limited opportunity for quiet reflection. Hence this book is purposefully written in such a way that it is hoped that readers can quickly find and focus on the subjects that interest them, rather than having to carry out an extensive search for the instructive guidance they seek. The appropriate approach to reading this book will depend on your exposure to and experience of risk management and where your specific interests lie.
FIRST EDITION
In writing this book I owe a debt of gratitude to work colleagues past and present. In particular my thanks go to Peter Doig, Claire Love and Chris Johnson-Newell. My thanks go to Professor Chris Chapman of Southampton University and Dr David Hillson, for their comments and advice. I am grateful to Rachael Wilkie and Chris Swain of John Wiley and Sons Limited, who supported this project. I thank The Financial Times Limited, BBC News Online, The Observer, Pearson Education Limited and the Financial Services Agency (FSA), for permission to include extracts from their publications/articles. At the request of the Financial Services Agency (FSA), I advise “use of FSA material does not indicate any endorsement by the FSA of this publication, or the material or views contained within it”.
SECOND EDITION
I thank the Chartered Institute of Management Accountants (CIMA), Commonwealth of Australia (Department of the Prime Minister and Cabinet), Financial Services Agency (FSA), Bank of England, HM Treasury, US Federal Reserve, House of Commons, National Audit Office, Home Office, Telegraph Media Group and the UK Institute of Directors for their kind permission to include extracts from their speeches, publications, articles, papers and reports. At the request of the Financial Services Agency, I advise that “use of FSA material does not indicate any endorsement by the FSA of this publication, or the material or views contained within it”. In addition, at the request of the National Audit Office, I advise that “use within this text of National Audit Office (NAO) material does not indicate any endorsement by the NAO of this publication, or the material or views contained within it”. In addition, I owe a debt of gratitude to my work colleague Chris Newman for his contribution to the chapter on health and safety.
About the Author
Robert Chapman is currently the Director of Risk Management in the Middle East for AECOM, a publicly traded company on the New York Stock Exchange and listed by Fortune 500 as one of America’s largest companies. Prior to this appointment he was a Director of Risk Management at Hornagold & Hills, Capro Consulting and Osprey Project Management and the Programme Lead for risk management on the HMG joint venture in South Africa, supporting the parastatal Transnet. He has provided risk management services in Holland, Ireland, South Africa, Qatar, England and the UAE to companies within the pharmaceutical, aviation, marine, rail, broadcast, heritage, water, sport, oil and gas, property development, construction and transportation industries as well as to local authorities in the public sector. Dr Chapman has had articles published by Enterprise Risk (South Africa), ExtraProtect (translated into French and German), IT Adviser, Yorkshire Post, Strategic Risk, PLC Strategies, Project, the Architects’ Journal and PropertyWeek and refereed papers published by the Journal of International Project Management and Construction Management & Economics. He was made a Fellow of both the Institute of Risk Management (UK) and the Association for Project Management (UK) for his contribution to the development of the discipline of risk management. Dr Chapman has been recognised by both Transnet in South Africa and the Association for Project Management in the UK as having exceptional risk management skills. He was awarded a PhD in risk management from Reading University in 1998 for research into the impact of changes in personnel on the delivery of objectives for investment projects. Additionally he has completed research on the subject of risk management on behalf of the Architects Registration Council of the United Kingdom (ARCUK). His book entitled Retaining Design Team Members, a Risk Management Approach was published by RIBA Enterprises Ltd, London, in 2002 and examines the causes behind employee turnover, the impact it can have and the risk mitigation actions that can be implemented to reduce the likelihood of occurrence. Dr Chapman was a contributory author of the Office of Government Commerce’s 2007 publication Management of Risk, Guidance for Practitioners, which supports the Prince2 project management methodology. Subsequent to passing the Management of Risk Practitioner exam he became an accredited
diverse companies. Prior to its publication he reviewed and commented upon the international risk management standard ISO 31000 on behalf of the British Standards Institute. In addition, he has provided IT risk management guidance to the Chartered Institute of Accountants England and Wales in the form of a risk management handbook.
Part I Enterprise Risk Management in Context
Simple Tools and Techniques for Enterprise Risk Management, Second Edition
by Robert J. Chapman. Copyright © 2011, John Wiley & Sons, Ltd
in December 2001 and WorldCom in July 2002, inadequate corporate governance and the “soft underbelly” of risk management were exposed, arising primarily from the lack of integrity of financial reporting, a lack of compliance with regulations and operational failures. In late August 2005 Hurricane Katrina struck, reportedly the costliest natural disaster in US history
to a surge in energy prices, continuity failures and shipping disruption. Costs of production rose and sales fell. More recently, failure to properly understand and manage risk has been cited as the root cause for the global financial crisis of 2007–2010. So severe was this financial tsunami that many economists have described it as the worst financial disaster since the Great Depression of the 1930s. Boards in the financial sector were accused of being greedy,
due to an apparent absence of independent thinking. In addition, there had been a lack of appreciation of risk at both a business and a macro or industry level. Systemic risk in the financial industry had not been recognised, understood or addressed. Regulators on both sides of the Atlantic and the banks themselves failed to recognise the interconnectedness of banks and the potential domino effect of bank failure. If the financial crisis was not excitement enough, the media have had a field day with a number of high-profile and very damaging business ethics failures relating to bribery, insider trading, invasion of privacy and sexual harassment.
1 As a result of Hurricane Katrina, at least 20 offshore oil platforms went missing, sunk or adrift.
2 In an economy where certain businesses are considered “too important to fail” and the taxpayer is called upon to underwrite the risks of banks in the private sector, banks were severely criticised for gambling with taxpayers’ money. Banks in the UK had a pivotal role in the global financial crisis and caused economic instability and erosion of national prosperity. The need to nationalise the banks’ losses resulted in unemployment, particularly in the public sector, and left those in employment facing a significant drop in
1.1 RISK DIVERSITY
Providing strategic direction for a business means understanding what drives the creation of value and what destroys it. This in turn means that the pursuit of opportunities must entail comprehension of the risks to take and the risks to avoid. Hence, to grow any business entails risk judgement and risk acceptance. A business’s ability to prosper in the face of risk, at the same time as responding to unplanned events, good or bad, is a prime indicator of its ability to compete. However, risk exposure continues to grow greater, more complex, diverse and dynamic. This has arisen in no small part from rapid changes in the globalisation of business, speed of communication, the rate of change within markets and technology. Businesses now operate in an entirely different environment compared with just three years ago. Recent experience has shown that as businesses strive for growth, internal risks generated by a business itself can be as large as (or greater than) external risks. The adoption of expansion strategies, such as investment in emerging markets, developing significant new products, acquisition, major organisational restructuring, outsourcing key processes and major capital investment projects can all increase a business’s risk exposure.3
A review of risk management practices in 14 large global corporations revealed that by the end of the 1990s the range of risks that companies felt they needed to manage had vastly expanded, and was continuing to grow in number (Hunt 2001). There are widespread concerns over e-commerce, which has become accepted and embedded in society with startling speed. According to the Economist Intelligence Unit (2001):
Many companies perceive a rise in the number and severity of the risks they face. Some industries confront unfamiliar risks stemming from deregulation. Others worry about increasing dependence on business-to-business information systems and just-in-time supply/inventory systems. And everyone is concerned about emerging risks of e-business – from online security to customer privacy.
As a consequence of the diversity of risk, risk management requires a broader approach. This sentiment was echoed by Rod Eddington, former chief executive officer (CEO) of British Airways, who remarked that businesses now require a broader perspective of risk management. He went on to say that:
If you talked to people in the airline industry in the recent past, they very quickly got on to operational risk. Of course, today we think of risk as the whole of business. We think about risk across the full spectrum of the things we do, not just operational things. We think of risk in the context of business risks, whether they are risks around the systems we use, whether they are risks around fuel hedging, whether they’re risks around customer service values. If you ask any senior airline person today about risk, I would hope they would move to risk in the true, broader sense of the term. (McCarthy and Flynn 2004)
All stakeholders and regulators are pressing boards of directors to manage risk more comprehensively, rigorously and systematically. Companies that treat risk management as just a compliance issue expose themselves to nursing a damaged balance sheet.
3 Conventional risk management focused on avoiding risks to the business strategy as opposed to managing the risks of the strategy.
1.2 APPROACH TO RISK MANAGEMENT
This evolving nature of risk and expectations about its management have now put pressure on previous working practices. Historically, within both private and public organisations, risk management has traditionally been segmented and carried out in “silos”. This has arisen for a number of reasons such as the way our mind works in problem solving, the structure of business organisations and the evolution of risk management practice. There is clearly the tendency to want to compartmentalise risks into distinct, mutually exclusive categories, and this would appear to be a result of the way we subdivide problems to manage them, the need to allocate tasks within an existing organisational structure and the underlying assumption that the consequences of an unforeseen event will more or less be confined to one given area. In actuality, the fallout from unforeseen events tends to affect multiple business areas, and the interrelationships between risks under the categories of operational, financial and technical risk have been overlooked, often with adverse outcomes. Patricia Dunn, former CEO of Barclays Global Investors and former non-executive chairwoman of the board of Hewlett-Packard (HP),4 has previously identified a failing in approach:
I think what Boards tend to miss and what management tends to overlook is the need to address risk holistically. They overlook the areas that connect the dots because risk is defined so “atomistically” and we don’t have the perspective and the instrument panel that allows us to see risk in a 360 degree way. (McCarthy and Flynn 2004)
Enterprise risk management (ERM) is a response to the sense of inadequacy in using a silo-based approach to manage increasingly interdependent risks. The discipline of ERM, sometimes referred to as strategic business risk management, is seen as a more robust method of managing risk and opportunity and an answer to these business pressures. ERM is designed to improve business performance. While not in its infancy, it is a slowly maturing approach, where risks are managed in a coordinated and integrated way across an entire business. The approach is less to do with any bold breakthrough in thinking, and more to do with the maturing, continuing growth and evolution of the profession of risk management and its application in a structured and disciplined way (McCarthy and Flynn 2004). ERM is about understanding the interdependencies between the risks, how the materialisation of a risk in one business area may increase the impact of risks in another business area. In consequence, it is also about how risk mitigation action can address multiple risks spanning multiple business sectors. It is the illustration of this integrated approach which is the focus of this book.
1.3 BUSINESS GROWTH THROUGH RISK TAKING
Risk is inescapable in business activity. As Peter Drucker explained as far back as the 1970s, economic activity by definition commits present resources to an uncertain future. The one thing that is certain about the future is its uncertainty, its risks. Hence, to take risks is the essence of economic activity. He considers that history has shown that businesses yield greater economic performance only through greater uncertainty – or in other words, through greater risk taking (Drucker 1979).
Nearly all operational tasks and processes are now viewed through the prism of risk (Hunt 2001). Indeed, the term “risk” has become shorthand for any corporate activity. It is thought not possible to “create a business that doesn’t take risks” (Boulton et al. 2000). The end result of successful strategic direction setting must be capacity to take a greater risk, for this is the only way to improve entrepreneurial performance. However, to extend this capacity, businesses must understand the risks that they take. While in many instances it is futile to try to eliminate risk, and commonly only possible to reduce it, it is essential that the risks taken are the right risks. Businesses must be able to choose rationally among risk-taking courses of action, rather than plunge into uncertainty on the basis of a hunch, gut feeling, hearsay or experience, no matter how carefully quantified. Quite apart from the arguments for risk management being a good thing in its own right, it is becoming increasingly rare to find an organisation of any size whose stakeholders are not demanding that its management exhibit risk management awareness. This is now a firmly held view supported by the findings of the Economist Intelligence Unit’s enterprise risk management survey, referred to earlier. It discovered that 84% of the executives who responded considered that ERM could improve their price/earnings ratio and cost of capital. Organisations that are more risk conscious have for a long time known that actively managing risk and opportunity provides them with a decisive competitive advantage. Taking and managing risk is the essence of business survival and growth.
1.4 RISK AND OPPORTUNITY
There should not be a preoccupation with downside risk. Risk management of both upside risks (opportunities) and downside risks (threats) is at the heart of business growth and wealth creation. Once a board has determined its vision, mission and values, it must set its corporate strategy, its method of delivering the business’s vision. Strategy setting is about strategic thinking. Setting the strategy is about directing, showing the way ahead and giving leadership. It is being thoughtful and reflective. Whatever this strategy is, however, the board must decide what opportunities, present and future, it wants to pursue and what risks it is willing to take in developing the opportunities selected. Hence the discipline of risk management should support both the selection and setting of the strategy. However, risk and opportunity management must receive equal attention and it is important for boards to choose the right balance. This is succinctly expressed by the National Audit Office: “a business risk management approach offers the possibility for striking a judicious and systematically argued balance between risk and opportunity in the form of the contradictory pressures for greater entrepreneurialism on the one hand and limitation of downside risks on the other” (National Audit Office 2000). An overemphasis on downside risks and their management can be harmful to any business.
Knight and Petty (2001) stress that risk management is about seeking out the upside risks or opportunities, that getting rid of risk stifles the source of value creation and upside potential. Any behaviour that attempts to escape risk altogether will lead to the least rational decision of all, doing nothing. While risks are important, as all businesses face risk from inception, they are not grounds for inaction but restraints on action. Hence risk management is about controlling risk as far as possible to enable a business to maximise its opportunities. Development of a risk policy should be a creative initiative, exposing exciting opportunities for value growth and innovative handling of risk, not a depressing task, full of reticence, warning and pessimism (Knight and Petty 2001). ERM, then, is about managing both opportunities and risks.
1.5 THE ROLE OF THE BOARD
Even before the global financial crisis, George “Jay” Keyworth, former member of Hewlett-Packard’s board, stated that the most important lesson of the last few years is that board members can no longer claim impunity from a lack of knowledge about business risk. The message here is that when something goes wrong, as inevitably it does, board members will be held accountable. The solution is for board members to learn of the potential for adverse events and be sufficiently aware of the sources of risk within the area of business that they are operating in, to be afforded the opportunity to take pre-emptive action (McCarthy and Flynn 2004). The business of risk management is undergoing a fundamental sea change with the discipline of risk management converging at the top of the organisation and being more openly discussed in the same breath as strategy and protection of shareholders. Greater risk taking requires more control. Risk control is viewed as essential to maintaining stability and continuity in the running of businesses. However, in the aftermath of a series of unexpected risk management failures leading to company collapses and other corporate scandals in the UK, investors have expressed concerns about the low level of confidence in financial reporting, board oversight of corporate operations, the safeguards provided by external auditors and the degree of risk management control. These early concerns led to a cry for greater corporate governance, which led to a series of reports on governance and internal control culminating in the Combined Code of Corporate Governance (2003). The incremental development of corporate governance leading up to and beyond the 2003 Code is discussed in Chapter 2. Clearly risk exposure has been growing in an increasingly chaotic and turbulent world, and time has shown that this turbulence has not abated.
The lack of risk management control resides with the board. In 1995, in response to bad press about boards’ poor performance and the lack of adequate corporate governance, the Institute of Directors (IoD) published Standards for the Board. It proved to be a catalyst for debate on the roles and tasks of a board and on the need to link training and assessed competence with membership of directors’ professional bodies. The publication laid out four main objectives for directors. Within the IoD’s 2010 factsheet entitled The role of the board, apart from one of the objectives being split into two, these objectives remain virtually unchanged as follows:
1. The board must simultaneously be entrepreneurial and drive the business forward while keeping it under prudent control.
2. The board is required to be sufficiently knowledgeable about the workings of the company and answerable for its actions, yet able to stand back from the day-to-day management of the company and retain an objective, longer-term view.
3. The board must be sensitive to the pressure of short-term issues and yet take account of broader, long-term trends.
4. The board must be knowledgeable about “local” issues and yet be aware of potential or actual wider competitive influences.
5. The board is expected to be focused on the commercial needs of the business, while acting responsibly towards its employees, business partners and society as a whole.
The task for boards of course is to ensure the effectiveness of their risk model. With this in mind, here are some action items for the strategic risk management agenda for boards and
• Be satisfied as to the adequacy of the depth of current risk analysis actions, from an identification, assessment and mitigation standpoint.
• Be confident that the risk management information that board members receive is accurate, timely, clear and relevant.
• Actively require and participate in regular dialogue with key stakeholders to understand if their objectives have been captured, debated and aligned, are being met and whether stakeholders may derail current initiatives.
• Strive to build a culture where risk management and strategic planning are intertwined.
• Ensure that risk management remains focused on the most serious issues.
• Ensure that risk management is embedded throughout the organisation.
As illustrated in Figure 1.1, risk and opportunity impinge on the four main functions of boards: policy formulation, strategic thinking, supervisory management and accountability. Policy formulation involves setting the culture for the organisation, which should include risk management. Strategic thinking entails selecting markets to pursue and committing resources to those markets on the strength of the risk profile prepared. Supervisory management requires businesses to put in place oversight management and governance processes, including formal risk management. Accountability relates to ensuring that risk mitigation actions have clear owners who are charged with implementing pre-agreed actions to address the risks identified, report changes in risk profiles and engage in ongoing risk management.
1.6 PRIMARY BUSINESS OBJECTIVE (OR GOAL)
The primary objective of a business is to maximise the wealth of its shareholders (owners). In a market economy, the shareholders will provide funds to a business in the expectation that they will receive the maximum possible increase in wealth for the level of risk which must be faced. When evaluating competing investment opportunities, therefore, the shareholders will weigh the returns from each investment against the potential risks involved. The use of the term “wealth” here refers to the market value of the ordinary shares. The market value of the shares will in turn reflect the future returns the shareholders will expect to receive over time from the shares and the level of risk involved. Shareholders are typically not concerned with returns over the short term, but are concerned with achieving the highest possible returns over the long term. Profit maximisation is often suggested as an alternative objective for a business. Profit maximisation is different from wealth maximisation. Profit maximisation is usually seen as a short-term objective, whereas wealth maximisation is a long-term objective. Wealth maximisation takes account of risks to long-term growth, whereas profit maximisation does not.

5 These recommendations were made in the first edition of this text published in 2006, prior to the global financial crisis and the

[Figure 1.1 The role of the board and the integration of risk management (Garratt 2003). Reproduced with permission from The Fish Rots from the Head, B. Garratt, Profile Books Ltd. The figure places the board's policy formulation function (creating the vision, creating the mission, creating values, developing culture, monitoring the environment, setting corporate direction, reviewing and deciding key resources, deciding the implementation process) within a policy review cycle and an operations review cycle.]
1.7 WHAT IS ENTERPRISE RISK MANAGEMENT?
ERM has to satisfy a series of parameters. It must be embedded in a business’s system of internal control, while at the same time it must respect, reflect and respond to the other internal controls. ERM is about protecting and enhancing share value to satisfy the primary business objective of shareholder wealth maximisation. It must be multifaceted, addressing all aspects of the business plan from the strategic plan through to the business controls:
• strategic plan
• marketing plan
• operations plan