Why This Book Is Important
Sometimes it’s the things you don’t see that have the biggest impact.
(Enron advertisement, 2001 Media Guide for the Houston Astros baseball team)
Enron’s Chief Executive and its Chairman were both jailed for accounting fraud following the company’s collapse in 2001, and the company’s auditors, Arthur Andersen, lost their licence to undertake public accounting. Clearly things not seen in the organisation had a catastrophic impact. Furthermore, the lesson from the quote is one that has been hard learned by the many businesses that have failed as a result of the COVID-19 pandemic. The World Economic Forum (2021) has commented on the way in which “most countries,” let alone businesses, have struggled with aspects of crisis management during the pandemic. The forum suggests that the pandemic has provided great opportunities to improve the governance of risk by encouraging more holistic approaches to the understanding of risk impacts and a greater demand for better risk information, leading to increased organisational resilience.
The post-COVID world thus offers huge potential for risk management to develop further as a profession. This book is intended as a learning tool for both current and future risk managers who seek to enable their organisations to be better prepared and resilient in the face of a crisis. Whilst recognising that it is impossible to eliminate uncertainty, the chapters in this book demonstrate how having plans about how to respond to surprises – from a ransom attack by hackers to a global pandemic – can significantly reduce their impact. The text combines detailed information on international governance and risk regulations, together with unique longitudinal case studies of risk management practice in major organisations. Learning from both the successes and failures of others across a range of sectors can help to nurture best practice in the profession.
Contents and Use
This book is aimed at risk practitioners studying for ERM (or similar) qualifications. University students, particularly those taking MBA or executive development courses, will also find it useful. The book is intended for use by a wide range of readers, who may be looking for anything from a complete introductory course in risk management to simply filling specific “knowledge gaps” and gaining greater insights into risk management practice. More broadly, the book can be used within organisations as a training tool, with staff being asked to read particular chapters/sections as preparation for a training session or discussion group.
Chapters 2 and 3 detail the regulatory requirements on governance and risk management that provide the framework around which most organisations construct their risk management systems. They outline the ground rules for how to draft an internal governance and risk management framework (as described in Chapter 4), as well as providing a point of reference to ensure compliance. Chapters 2 through 4 all include “Key Learning Points,” which highlight particularly important features that are critical for readers to understand. Chapter 4 marks the transition into a discussion of risk management practice rather than theory, and so also includes brief snapshots of risk events and their impact across a wide range of large and small organisations.
This is the second edition of the book, and the types of risks faced by organisations have evolved and will continue to do so. In recognition of this, Chapter 5 reviews the concept of technology risk and makes clear the important distinction between the broader technology risk and the more specific term cyber risk. An end-of-chapter glossary is provided to help readers struggling to understand the specialist terminology commonly used when discussing technology risks. The chapter includes a useful case study of the time frame and impact of a data breach at British Airways and a template that can be used to construct a governance and risk management structure for technology. Both of these features can be used for in-house training to increase general staff awareness of technology-related risks. While the book was being written, the world was hit by the COVID-19 pandemic, and so additional content, Chapter 10, was added to address this new risk and how it was or was not managed at the organisational level.
The book’s title describes “an integrated case study approach,” and the three case studies (Chapters 6 to 8) are a key attribute of the text and great learning tools. Their value derives, in part, from the extended time frame covered in each case and the fact that whilst the systems all develop over a similar time frame (2000–2020), they illustrate how organisationally specific risk management systems can be. Learning from the differences between the approaches of Tesco, Akzo Nobel, and Birmingham City Council, rather than their similarities, is particularly informative. Each case raises specific risk management issues that may be open to debate and interpretation, and these form the basis of end-of-chapter discussion topics, which can be used in universities or elsewhere as examination questions. Chapter 9 integrates the lessons learned from all three case studies and translates these into a list of factors influencing the effectiveness of risk management systems in practice. In so doing it highlights the massive challenge of introducing a system that straddles an entire organisation and embeds risk awareness into organisational culture. Chapter 9 concludes that the ideal scenario, an organisation where everybody, enterprise wide, is continuously aware of and talks about risk and where the risk of surprise is minimised, is extraordinarily difficult to achieve.
Warren Buffett’s view is that risk comes from not knowing what you are doing, and this book confirms that risk management is about preventing this problem from arising in practice. I would suggest that this book demonstrates that whilst the profession has developed massively over the last twenty years, there is still a lot of work to be done.