But risk management is actually a complex subject, driven by the complexity of the nature of risk. Having laid a foundation, it is time to explore the matter in more detail. The remainder of this book acts like a prism to examine risk management in practice. Anyone looking at a shaft of sunlight will see a single beam of white radiance. But place a prism in the path of the beam and something amazing happens. The pure white light is split into multiple colours, each strong and vibrant, different from all the others yet coming from the same source.
The same is true for our pure concept of risk and our generic process for managing it. Seen through the prism of experience and application, we discover a wide range of specific interpretations of risk, matched by a set of tailored risk management processes. Although there is indeed a unitary view of risk management, the reality is multidimensional. Each dimension has its origin in the pure foundational concepts and principles outlined in Chapter 1, yet each is suited to a distinct part of the risk challenge.
Risk management is still growing as a discipline and profession, which makes it impossible to include every established and emerging risk speciality in this book, and some may argue over whether a specific topic belongs in Part One or Part Two. The topics chosen for this opening part, however, address applications of risk management that most readers will encounter in the context of their business or organization, namely:
Why does Enterprise Risk Management matter?
The world of business and enterprise is passing through an increasingly tumultuous period of uncertainty, and that uncertainty brings risks across a widening range of frequency and magnitude. Enterprise Risk Management (ERM) is an essential tool for understanding those risks; it enables the organization to be better prepared, more resilient to change and more ready both to minimize threats and to seize opportunities.
Survival and uncertainty
The primary objective for most organizations is survival. This might be couched in many different terms such as profit, earnings, shareholder value and so on, but it boils down to just one thing – long-term sustainability for the business; in other words, survival.
Yet the survival of businesses is increasingly affected by uncertainty. Today’s global economy has proved vulnerable to the very interconnectedness that joins businesses and service providers from one end of the world to the other: goods and services are ever more interdependent; reputations and brands can be destroyed in minutes; reliance on technology makes businesses more dependent on, and more vulnerable through, the internet; dependence on diminishing supplies of fossil fuels and other finite natural resources creates unlikely friends and foes across the globe (Blackman and Baumol, 2008); climate change and the resulting shortages of land, food and water place heavier burdens on the most vulnerable; and uncertain times in some economies lead disenfranchised people to form cohesive, focused groups that use terrorist tactics to force their own ideology on others.
ISO 31000, the international standard for risk management, says ‘The effect this uncertainty has on an organization’s objectives is “risk”.’ Each of these uncertainties can bring with it threats as well as opportunities: threats where the organization is unprepared for the changes that may come about, and opportunities for those who can predict and exploit the results of the uncertainties.
For organizations across the world, strategic decision making in the context of all this turmoil is about making risk decisions – to expand or to contract, to sell or to buy, to engage or to release, to change or to stay the same. These decisions all need an understanding of a wide range of risks and of the capacity of the organization to sustain risk over time.
Level at which risk is managed
Despite wide awareness of uncertainty, ‘risk management’ often happens so far down the organization that business leaders rarely understand it; they do not think it applies to them, nor do they have mastery of the powerful risk management skills that they could apply to their everyday jobs. Many of the great failures in business and public services have happened, and continue to happen, because senior management and boards failed to engage in and commit to risk management.
The NCSU 2015 report on the current state of ERM states: ‘While 59 per cent believe that the volume and complexity of risks have changed “extensively” or “mostly” in the last five years, only 25 per cent believe their organization has a “complete formal enterprise risk management process in place”.’ (Beasley, Branson and Hancock, 2015).
Enterprise Risk Management needs to be a top-level concern. Top management should have ERM skills, and risk professionals should be hard-wired into strategic decision making and planning, advising on the threats and opportunities to which the business is exposed and alerting top management when individual or aggregate risk areas might lie outside the stated risk appetite.
Senior management and board engagement requires very little in terms of time and effort once it is understood and embedded into the ethos of the organizational culture (the understanding, practice and assimilation, however, do require effort and time).
The practice of Enterprise Risk Management gives the organization a unique perspective of risks and opportunities and of the capacity of the organization to take more or less managed risk.
Yet risk management practitioners, in whatever guise, are rarely taught the skills and ability to excite and engage top-level business leaders in the powerful array of ERM techniques. This power is often only unleashed when organizations embrace the concept that risk is about threats and opportunities and linked to the appetite for managed risk taking in the entity. After all, if a CEO were to be given a technique by which he or she could make an opportunity twice as attractive using Enterprise Risk Management techniques, he or she would most certainly sit up and listen.
Beyond overview – risk management skills for top-level management
The usual definition of risk management, and indeed Enterprise Risk Management, calls for top-level management overview of the process and framework. It is now clear, from all the corporate failures, that this is no longer adequate.
Let’s just look at one of the things that will cause turmoil and uncertainty in the years to come: diminishing natural resources. The case of fossil fuels is well known, but how many of us are aware that only a few years’ worth of silver remain in reserves and in unmined resources (Vince, 2012; Silver Institute, 2014)? We are only just discovering silver’s wonderful uses in technology and in medicine.
Where precious silver was used mainly in coins and jewellery (and later in photography), its industrial uses now outstrip the decorative market. Silver has the highest electrical (and thermal) conductivity of any metal, so it is used in a range of electronics – including sensitive radio frequency antennae such as those found in televisions and mobile phones, and in radio frequency identification (RFID) devices. Silver is also found in many printed circuit boards, in hearing aids and in batteries.
The medicinal properties of silver have been known since at least the time of Hippocrates and rely on its toxic effects on pathogens, including bacteria and fungi. Silver ions kill pathogens by binding to proteins in their cells, making silver compounds ideal for use in antiseptics and wound dressings. Nanoparticles of silver are even woven into socks and other clothing to reduce bacterial and fungal growth, and the odours that arise from it. Silver is also used in heart valves and catheters, and researchers are now investigating silver’s potential for killing cancer cells.
What’s happening to the balance of supply versus demand for silver is just one example of an uncertainty that can affect a wide range of enterprises. As a commodity it has low value compared to gold, but if economically viable new sources of gold ran out completely the world would simply carry on as before. If we ran out of new (economically viable) sources of silver, there would have to be a major rethink of electrical components such as circuitry, of the use of silver in photovoltaic cells and batteries, and of its new antibacterial uses, in an age when no new class of antibiotic has been produced for thirty years and existing antibiotics are becoming less and less effective (Washington Post, 2014).
The relevance of all this to Enterprise Risk Management is about ensuring business sustainability in the light of uncertainty. Business leaders and risk practitioners need to look into the short- and long-term threats and opportunities that the organization is faced with and engage with risk-based strategic decision making that will ensure the longevity of the business. If business is dependent on computers, or on people being well, or on batteries or on radio waves, then the mismatch between supply and demand for silver (or any other natural resource that has finite availability) over the next two decades will be important.
Enterprise risk appetite, capacity and tolerance
Risk has a different meaning to each organization or individual because each has a different perception of the opportunity and the threat depending on their propensity to take risk or to avoid it. Enterprise Risk Management will not be seen as an essential part of releasing innovation unless there is an overarching risk appetite framework that is scalable for each part of the organization, understood in the context of each business unit’s goals and framed in a common language.
Within a risk appetite framework, an organization needs to take into consideration aspects of risk seeking versus risk avoidance, the broad principles of risk appetite frameworks and, critically, how risk appetite frameworks need to be linked to compensation and reward programmes. Risk appetite must be owned and driven by the board and senior management in order to be real, practical and pertinent to the business of taking managed threats and opportunities. Risk practitioners are responsible for implementing the process and enabling the decisions on risk appetite to be made by the board and senior management.
Innovation cannot be successfully undertaken unless there are two things in place: first, there needs to be a clear understanding of risk appetite, and second, performance against risk appetite metrics should be measured and responded to.
There also needs to be a clear distinction between capacity and tolerance – the former is about fact, the ultimate ability of the organization to bear risk, and the latter is about preference, the risks that an organization is prepared to take in order to pursue its goals.
What is Enterprise Risk Management?
Rather than standing apart from other areas of risk management, ERM should be an overarching methodology that pulls them together and creates intelligence for the organization to aid strategic decision making.
All encompassing
Enterprise Risk Management is an all-encompassing methodology that allows the organization to pull together intelligence from all its various risk management practices as well as tackling those top-level strategic or enterprise-wide risks. It should include a process to evaluate and respond to the aggregate of risks against the capacity or tolerance of the organization to bear those risks.
Recently, the Association for Federal Enterprise Risk Management (AFERM) defined ERM as ‘a discipline that addresses the full spectrum of an organization’s risks, including challenges and opportunities, and integrates them into an enterprise-wide, strategically aligned portfolio view. ERM contributes to improved decision making and supports the achievement of an organization’s mission, goals and objectives.’
Through ERM, the organization can gain an overarching view of the risks and exposures it faces, as well as of the opportunities open to it and its capacity to engage in managed risk-taking activities.
COSO (the Committee of Sponsoring Organizations of the Treadway Commission) describes ERM as:
a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
Regulation
In the case of banks (through the Basel accords) and European insurance and reinsura...