The Risk Management Handbook
eBook - ePub

A Practical Guide to Managing the Multiple Dimensions of Risk

David Hillson, David Hillson


About This Book

Risk management is dynamic, with new risks continually being identified and risk management techniques adapting to new challenges. The Risk Management Handbook gives a clear snapshot of the current state of play in the risk management landscape and a look ahead to the key emerging issues in the field. Drawing together leading voices from the major risk management application areas - from GRC to supply chain risk, operational risk to cyber risk - this edited collection showcases best practice in each discipline and provides a succinct and coherent picture of the field as a whole. Part One surveys these crucial application areas and provides a broad integrative framework for the differing contexts within which risk management is undertaken. Part Two explores emerging issues and techniques, from risk-based thinking to communicating uncertainty. The Risk Management Handbook offers readers knowledge of current best practice and a cutting-edge insight into new developments within risk management. Whether you are a risk professional wanting to stay abreast of your field, a student seeking a broad and up-to-date introduction to risk, or a business leader wanting to get to grips with the risks that face your business, this book will provide expert guidance.


Information

Publisher
Kogan Page
Year
2016
ISBN
9780749478834
Edition
1
Subtopic
Insurance

PART ONE

Multidimensional risk management

DR DAVID HILLSON
Chapter 1 emphasized the common features of both risk as a concept, and risk management as a process. There is something attractive about this ‘pure’ view, reducing the apparent complexity of the topic to a few simple principles. And it is surely important for anyone facing the challenge of risk in their organization or business to have a firm grasp of these basics.
But risk management is actually a complex subject, driven by the complexity of the nature of risk. Having laid a foundation, it is time to explore the matter in more detail. The remainder of this book acts like a prism to examine risk management in practice. Anyone looking at a shaft of sunlight will see a single beam of white radiance. But place a prism in the path of the beam and something amazing happens. The pure white light is split into multiple colours, each strong and vibrant, different from all the others yet coming from the same source.
The same is true for our pure concept of risk and our generic process for managing it. Seen through the prism of experience and application, we discover a wide range of specific interpretations of risk, matched by a set of tailored risk management processes. Although there is indeed a unitary view of risk management, the reality is multidimensional. Each dimension has its origin in the pure foundational concepts and principles outlined in Chapter 1, yet each is suited to a distinct part of the risk challenge.
The following chapters each explore a single dimension of risk management in detail. Like the spectrum produced by the prism, each type of risk management has its own attraction and value. But also like refracted light, there are many specific types of risk management. Part One of this book addresses the main application areas that will be encountered by many business readers, and in Part Two we look at some new and emerging dimensions of risk management that are still being discovered and explored.
The growing nature of risk management as a discipline and profession makes it impossible to include every established and emerging risk speciality in this book, and some may argue over whether a specific topic belongs in Part One or Part Two, but the topics we have chosen to cover in this opening part address applications of risk management that most will encounter in the context of their business or organization, namely:
  • Enterprise Risk Management (ERM);
  • Governance, Risk and Compliance (GRC);
  • Operational Risk Management (ORM);
  • project, programme and portfolio risk management;
  • political risk management;
  • reputation risk management;
  • supply chain risk management;
  • Business Continuity Management (BCM);
  • stakeholder risk management;
  • ethics in risk management;
  • cyber risk management.

02

Enterprise Risk Management

LIZ TAYLOR

Why does Enterprise Risk Management matter?

The world of business and enterprise is going through an increasingly tumultuous state of uncertainty. This uncertainty brings risks of widening ranges of frequency and magnitude. Enterprise Risk Management (ERM) is an essential tool in helping to bring more understanding of those risks; it enables the organization to be more prepared, more resilient to change and more ready to minimize threats and to seize opportunities.

Survival and uncertainty

The primary objective for most organizations is survival. This might be couched in many different terms such as profit, earnings, shareholder value and so on, but it boils down to just one thing – long-term sustainability for the business; in other words, survival.
Yet survival of businesses is increasingly becoming more affected by uncertainty; today’s global economy has been proven to be vulnerable to the interconnected globalization that joins businesses and service providers from one end of the world to another. Goods and services are more and more interdependent; reputations and brands can be destroyed in minutes; our reliance on technology opens businesses to greater dependence and vulnerability on the net; the addiction to diminishing supplies of fossil fuels and other vanishing finite natural resources causes unlikely friends and foes across the globe (Blackman and Baumol, 2008); climate change and resultant lack of land, food and water drive heavier burdens on the most vulnerable; and uncertain times for some economies cause disenfranchised people to form into cohesive and focused groups seeking to force their own ideology onto others using terrorism tactics.
ISO 31000, the international standard for risk management, says ‘The effect this uncertainty has on an organization’s objectives is “risk”.’ Each of these uncertainties can bring with them threats as well as opportunities; threats where the organization is unprepared for the changes that may come about and opportunities for those who can predict and exploit the results of the uncertainties.
For organizations across the world, strategic decision making in the context of all this turmoil is about making risk decisions – to expand or to contract, to sell or to buy, to engage or to release, to change or to stay the same. These decisions all need an understanding of a wide range of risks and of the capacity of the organization to sustain risk over time.

Level at which risk is managed

Despite a wide awareness of uncertainty, ‘risk management’ often happens so far down the organization that the business leaders rarely understand it; they do not think it applies to them, nor do they have mastery over the powerful risk management skills that they could apply to their everyday jobs. Many of the great failures in business and public services have happened and continue to happen because of a failure in senior management and boards to engage in and commit to risk management.
The NCSU 2015 report on the current state of ERM states: ‘While 59 per cent believe that the volume and complexity of risks have changed “extensively” or “mostly” in the last five years, only 25 per cent believe their organization has a “complete formal enterprise risk management process in place”.’ (Beasley, Branson and Hancock, 2015).
Enterprise Risk Management needs to be a top-level concern with top management having ERM skills and risk professionals who are hard-wired into strategic decision making and planning, advising on the threats and opportunities to which the business is exposed and alerting top management when the aggregate or individual risk areas might be outside the stated risk appetite.
Senior management and board engagement requires very little in terms of time and effort once it is understood and embedded into the ethos of the organizational culture (the understanding, practice and assimilation, however, do require effort and time).
The practice of Enterprise Risk Management gives the organization a unique perspective of risks and opportunities and of the capacity of the organization to take more or less managed risk.
Yet risk management practitioners, in whatever guise, are rarely taught the skills and ability to excite and engage top-level business leaders in the powerful array of ERM techniques. This power is often only unleashed when organizations embrace the concept that risk is about threats and opportunities and linked to the appetite for managed risk taking in the entity. After all, if a CEO were to be given a technique by which he or she could make an opportunity twice as attractive using Enterprise Risk Management techniques, he or she would most certainly sit up and listen.

Beyond overview – risk management skills for top-level management

The usual definition of risk management, and indeed Enterprise Risk Management, calls for top-level management overview of the process and framework. It is now clear, from all the corporate failures, that this is no longer adequate.
Let’s just look at one of the things that will cause turmoil and uncertainty in the years to come; diminishing natural resources. The case with fossil fuels is well known, but how aware are we that there are only a few years of silver left in reserves and in unmined resources (Vince, 2012; Silver Institute, 2014)? We are only just discovering the wonderful uses of silver in technology and in medicine.
Where precious silver was used mainly in coins and jewellery (and later in photography), its industrial uses now outstrip the decorative market. Silver has the highest electrical (and thermal) conductivity of any metal, so it is used in a range of electronics – including sensitive radio frequency antennae such as those found in televisions and mobile phones, and in radio frequency identification (RFID) devices. Silver is also found in many printed circuit boards, in hearing aids and in batteries.
The medicinal properties of silver bullets have been known since at least the times of Hippocrates and rely on its toxic effects on pathogens, including bacteria and fungi. Silver ions kill pathogens by binding to proteins in their cells, making silver compounds ideal for use in antiseptics and wound dressings. Nanoparticles of silver are even woven into socks and other clothing to reduce bacterial and fungal growth – and the odours that arise. Silver is also used in heart valves and catheters, and researchers are now investigating silver’s potential in killing cancer cells.
What’s happening to the balance of supply versus demand for silver is just one example of uncertainty that can affect a wide range of enterprises. As a commodity it has low value compared to gold, but if economically viable new sources of gold ran out completely the world would just continue as it was. If we ran out of new (economically viable) sources of silver, there would have to be a major rethink about electrical components such as circuitry, the use of silver in photovoltaic cells, in batteries and the new antibacterial uses for silver in an age where no new antibiotic has been produced for thirty years against the fact that antibiotics are becoming less and less effective (Washington Post, 2014).
The relevance of all this to Enterprise Risk Management is about ensuring business sustainability in the light of uncertainty. Business leaders and risk practitioners need to look into the short- and long-term threats and opportunities that the organization is faced with and engage with risk-based strategic decision making that will ensure the longevity of the business. If business is dependent on computers, or on people being well, or on batteries or on radio waves, then the mismatch between supply and demand for silver (or any other natural resource that has finite availability) over the next two decades will be important.

Enterprise risk appetite, capacity and tolerance

Risk has a different meaning to each organization or individual because each has a different perception of the opportunity and the threat depending on their propensity to take risk or to avoid it. Enterprise Risk Management will not be seen as an essential part of releasing innovation unless there is an overarching risk appetite framework that is scalable for each part of the organization, understood in the context of each business unit’s goals and framed in a common language.
Within a risk appetite framework, an organization needs to take into consideration aspects of risk seeking versus risk avoidance, the broad principles of risk appetite frameworks and, critically, how risk appetite frameworks need to be linked to compensation and reward programmes. Risk appetite must be owned and driven by the board and senior management in order to be real, practical and pertinent to the business of taking managed threats and opportunities. Risk practitioners are responsible for implementing the process and enabling the decisions on risk appetite to be made by the board and senior management.
Innovation cannot be successfully undertaken unless there are two things in place: first, there needs to be a clear understanding of risk appetite, and second, performance against risk appetite metrics should be measured and responded to.
There also needs to be a clear distinction between capacity and tolerance – the former is about fact, the ultimate ability of the organization to bear risk, and the latter is about preference, the risks that an organization is prepared to take in order to pursue its goals.

What is Enterprise Risk Management?

Rather than sitting aside from other areas of risk management, ERM should be an overarching methodology that pulls together and creates intelligence for the organization in order to aid in strategic decision making.

All encompassing

Enterprise Risk Management is an all-encompassing methodology that allows the organization to pull together intelligence from all its various risk management practices as well as tackling those top-level strategic or enterprise-wide risks. It should include a process to evaluate and respond to the aggregate of risks against the capacity or tolerance of the organization to bear those risks.
Recently, the Association for Federal Enterprise Risk Management (AFERM) defined ERM as ‘a discipline that addresses the full spectrum of an organization’s risks, including challenges and opportunities, and integrates them into an enterprise-wide, strategically aligned portfolio view. ERM contributes to improved decision making and supports the achievement of an organization’s mission, goals and objectives.’
Through ERM, the organization can gain an overarching vision of the risks and exposures to which it is exposed as well as the opportunities and capacity of the organization to engage in managed risk-taking activities.
COSO (the Committee of Sponsoring Organizations of the Treadway Commission) describes ERM as:
a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

Regulation

In the case of banks (through the Basel accords) and European insurance and reinsura...