Risk Management in Organisations
eBook - ePub

Risk Management in Organisations

An Integrated Case Study Approach

Margaret Woods

228 pages, English, ePUB
About This Book

Risk management is vital to organisational success, from government down to small businesses, and the discipline has developed rapidly over the last decade. Learning lessons from the good and bad practice of others is a key feature of this book, which includes multiple illustrative examples of risk management practice, in addition to detailed case studies.

Combining both theory and practice, the early chapters compare the ISO 31000 and COSO Enterprise Risk Management frameworks and the relevant regulatory regimes in both Europe and the United States. The core of the book is three highly detailed case studies of risk management in the manufacturing (Akzo Nobel), retail (Tesco), and public sectors (Birmingham City Council). Using the lessons learned from the case studies, together with material from elsewhere, the author then outlines four lessons for risk managers that can be used in any organisation seeking to develop a truly enterprise-wide risk management system.

This completely revised edition contains updates on regulations and practice, together with new chapters covering technology risk and COVID-19, which are major risks faced by all organisations today. As such the book is essential reading for risk management professionals and postgraduate and executive learners.

Information

Publisher
Routledge
Year
2022
ISBN
9781351803335

1 Introduction to This Book

DOI: 10.4324/9781315208336-1

Why This Book Is Important

Sometimes it’s the things you don’t see that have the biggest impact.
(Enron advertisement, 2001 Media Guide for the Houston Astros baseball team)
Enron’s Chief Executive and its Chairman were both jailed for accounting fraud following the company’s collapse in 2001, and the company’s auditors, Arthur Andersen, lost their licence to undertake public accounting. Clearly, things not seen in the organisation had a catastrophic impact. Furthermore, the lesson from the quote is one that has been hard learned by the many businesses that have failed as a result of the COVID-19 pandemic. The World Economic Forum (2021) has commented on the way in which “most countries,” let alone businesses, have struggled with aspects of crisis management during the pandemic. The forum suggests that the pandemic has provided great opportunities to improve the governance of risk by encouraging more holistic approaches to the understanding of risk impacts and a greater demand for better risk information, leading to increased organisational resilience.
The post-COVID world thus offers huge potential for risk management to develop further as a profession. This book is intended as a learning tool for both current and future risk managers who seek to enable their organisations to be better prepared and resilient in the face of a crisis. Whilst recognising that it is impossible to eliminate uncertainty, the chapters in this book demonstrate how having plans about how to respond to surprises – from a ransom attack by hackers to a global pandemic – can significantly reduce their impact. The text combines detailed information on international governance and risk regulations, together with unique longitudinal case studies of risk management practice in major organisations. Learning from both the successes and failures of others across a range of sectors can help to nurture best practice in the profession.

Contents and Use

This book is aimed at risk practitioners studying for ERM (or similar) qualifications. University students, particularly those taking MBA or executive development courses, will also find it useful. The book is intended for use by a wide range of readers, who may be looking for anything from a complete introductory course in risk management to simply filling specific “knowledge gaps” and gaining greater insights into risk management practice. More broadly, the book can be used within organisations as a training tool, with staff being asked to read particular chapters/sections as preparation for a training session or discussion group.
Chapters 2 and 3 detail the regulatory requirements on governance and risk management that provide the framework around which most organisations construct their risk management systems. They outline the ground rules for how to draft an internal governance and risk management framework (as described in Chapter 4), as well as providing a point of reference to ensure compliance. Chapters 2 through 4 all include “Key Learning Points,” which highlight particularly important features that are critical for readers to understand. Chapter 4 marks the transition into a discussion of risk management practice rather than theory, and so also includes brief snapshots of risk events and their impact across a wide range of large and small organisations.
This is the second edition of the book, and the types of risks faced by organisations have evolved and will continue to do so. In recognition of this, Chapter 5 reviews the concept of technology risk and makes clear the important distinction between the broader technology risk and the more specific term cyber risk. An end-of-chapter glossary is provided to help readers struggling to understand the specialist terminology commonly used when discussing technology risks. The chapter includes a useful case study of the time frame and impact of a data breach at British Airways and a template that can be used to construct a governance and risk management structure for technology. Both of these features can be used for in-house training to increase general staff awareness of technology-related risks. Whilst writing the book, the world was hit by the COVID-19 pandemic, and so additional content, Chapter 10, was added to address this new risk and how it was or was not managed at the organisational level.
The book’s title describes “an integrated case study approach,” and the three case studies (Chapters 6 to 8) are a key attribute of the text and great learning tools. Their value derives, in part, from the extended time frame covered in each case and the fact that, whilst the systems are all developing over a similar time frame (2000–2020), they illustrate how organisationally specific risk management systems can be. Learning from the differences between the approaches of Tesco, Akzo Nobel, and Birmingham City Council, rather than their similarities, is particularly informative. Each case raises specific risk management issues that may be open to debate and interpretation, and these form the basis of end-of-chapter discussion topics, which can be used in universities or elsewhere as examination questions. Chapter 9 integrates the lessons learned from all three case studies and translates these into a list of factors influencing the effectiveness of risk management systems in practice. In so doing it highlights the massive challenge of introducing a system that straddles an entire organisation and embeds risk awareness into organisational culture. Chapter 9 concludes that the ideal scenario, an organisation where everybody, enterprise wide, is continuously aware of and talks about risk and where the risk of surprise is minimised, is extraordinarily difficult to achieve.
Warren Buffett’s view is that risk comes from not knowing what you are doing, and this book confirms that risk management is about preventing this problem from arising in practice. I would suggest that this book demonstrates that, whilst the profession has developed massively over the last twenty years, there is still a lot of work to be done.

Reference

  • World Economic Forum (2021) The Global Risks Report 2021: 16th Edition. World Economic Forum, Geneva, Switzerland.

2 Risk and Governance

DOI: 10.4324/9781315208336-2

Aim

The aim of this chapter is to briefly review the recent history of risk management and governance regulation in order to illustrate:
  • The link between risk management and corporate governance
  • The history of governance regulations and alternative forms of regulation
  • The need to recognise that regulatory compliance can create an illusion that risks are under control
The conclusion that compliance with governance regulations does not necessarily translate into good risk management provides a backdrop for the case studies which follow. The cases illustrate that risk management practices within companies are widely variable in both style and effectiveness, reflecting different organisational cultures and management styles. Such variations offer huge opportunities for the rapidly growing risk management profession.

What Is Corporate Governance?

The UK Corporate Governance Code (FRC, 2010, p. 1) describes the purpose of corporate governance as being “to facilitate effective, entrepreneurial and prudent management that can deliver the long-term success of the company.” The code takes the view that a company’s board of directors is “collectively responsible for the long-term success of the company” (FRC, 2010, p. 6) and includes responsibility for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives and overseeing the maintenance of “sound risk management and internal control systems.”
Regulators therefore see risk management as a core component of corporate governance, and this is also widely recognised within the academic literature. Spira and Page (2003) suggest that risk management is central to corporate governance, as risks are managed through a framework of accountability which encompasses financial reporting, internal control, and audit. The emphasis on accountability is important because, as we will see in the next section of this chapter, demands for increased accountability have been the stimulus for the development of worldwide governance and risk management regulations, codes, and standards. We will also see that over the last twenty years the term “internal control” has gradually been redefined as “risk management” and a new profession of risk managers has appeared. This issue is discussed in more depth in Chapter 3.

History of Corporate Governance Regulations

Phase One: 1990–2010

The late 1980s and early 1990s saw the emergence of regulatory concerns over corporate scandals, such as the savings and loan crisis in the United States and BCCI and Polly Peck in the UK, and a resulting decline in confidence in the quality of financial reporting in both countries. Concerns were expressed about the consequences of poor controls over the behaviour of company staff and members of the board of directors, and a clearer specification of the responsibilities of companies and their boards was seen as essential. This consciousness marked the start of the first decade of governance initiatives across the world.

UK History

In 1991, a research report by Coopers and Lybrand Deloitte in the UK highlighted a lack of legislation that would help ensure companies were being managed “honestly and competently.” The report claimed there was an urgent need to codify the responsibilities of those involved in corporate governance and to identify best practice in the field (Coopers and Lybrand, 1991, p. 1). The following year “The Financial Aspects of Corporate Governance” (more usually known as the Cadbury Report) defined corporate governance as “the systems by which a company is directed and controlled” and laid the foundations for the current UK code of corporate governance and principles of best practice. In retrospect, what is commonly referred to as the Cadbury Code can be viewed as a landmark development in changing the governance landscape. The report placed directors centre stage by recognising that “all directors, whether or not they have executive responsibilities, have a monitoring role and are responsible for ensuring that the necessary controls over the activities of their companies are in place – and working” (Cadbury Report, 1992, p. 11).
Its key recommendations included:
  • An implicit requirement on directors to ensure that a proper system of internal control is in place
  • Publication in the report and accounts of a statement by directors on whether they comply with the code and identifying and giving reasons for any non-compliance
  • The encouragement of directors to make a statement in the annual report on the effectiveness of their system of internal control, with such statements subject to review by the auditors before publication
  • Separation of the role of the chief executive officer (CEO) and chairman
  • The appointment of sufficient non-executive directors to ensure they can exercise influence in decision making
  • The establishment of an audit committee made up of non-executive directors
  • A committee made up of a majority of non-executive directors should b...