
RMPsum13 Web 0

Date post: 04-Jun-2018

  • 8/13/2019 RMPsum13 Web 0

    1/52

    Building up for the future
    Area focus: Malaysia

    Out of this world
    Is a manned mission to Mars worth the risk?

    IRM Risk Leaders Conference 2013
    Insights, guidance and expert advice

    Member profile
    Malaysian member Zalina Jaflus

    Faking it?
    Is your business taking risk seriously

    www.rmprofessional.com | Summer 2013
    The official magazine of the Institute of Risk Management


    SunGard and the SunGard logo are trademarks or registered trademarks of SunGard Data Systems Inc. or its subsidiaries in the U.S. and other countries. All other trade names are trademarks or registered trademarks of their respective holders.

    AVAILABILITY SERVICES

    MAKE A RECOVERY, NOT WAR

    If getting the resources you need is a constant battle, we can help.

    Having completed more than 100,000 recovery tests, we found that some businesses just have a plan, while others continuously test and sync it with the rest of the business. But time and again, resource is the main issue. It's impossible to test, or recover, without technical support from colleagues outside your department, but they will already be battling with their own priorities.

    At SunGard Availability Services, we can manage your entire testing and recovery environment, including the process, tasks and the recovery itself. Our experts work side-by-side with you to review and develop your plans and define procedures. Together, we make sure the plan is in line with your production environment from design to testing to change control. And we are ready to perform the test and carry out the recovery for your business 24/7/365.

    SunGard's Managed Recovery Programme can help you focus your energy on building your business, rather than fighting over how to get up and running following a disaster.

    Discover a less stressful route to recovery and request a free consultation by calling 0800 143413 or find out more at www.sungard.co.uk/MRP

    Fed up with the fight?


    IRM CHAIRMAN:

    Richard Anderson FIRM

    CHIEF EXECUTIVE OFFICER:

    Steve Fowler FIRM

    DEPUTY CHIEF EXECUTIVE:

    Sophie Williams MIRM

    HEAD OF MARKETING:

    Fiona Duhig

    [email protected]

    Tel: +44 (0)20 7709 9808

    MANAGING EDITOR:

    Tom Bovingdon

    [email protected]

    Tel: +44 (0)20 7709 9808

    EDITOR:

    Phil Lattimore

    phil.lattimore@rmprofessional.com

    Tel: +44 (0)7802 870008

    DESIGN AND PRODUCTION:

    CPL (Cambridge Publishers Ltd)

    275 Newmarket Road

    Cambridge CB5 8JE

    Tel: 01223 477411

    Web: www.cpl.co.uk

    ADVERTISING MANAGER:

    Richard Walters

    Tel: +44 (0) 1223 477 428

    richard.walters@rmprofessional.com

    Risk Management Professional is the official publication of the Institute of Risk Management (IRM). ISSN 2042-4078

    IRM is the world's leading enterprise-wide risk education institute. We are independent, well-respected advocates of the risk profession, owned by practising risk professionals and operate internationally, with members and students in more than 100 countries.

    INSTITUTE OF RISK MANAGEMENT

    6 Lloyds Avenue, London EC3N 3AX

    Tel: +44 (0)20 7709 9808

    Fax +44(0)20 7709 0716

    www.theirm.org

    [email protected]

    Copyright 2013 Institute of Risk Management. All rights reserved. Reproduction without written permission is strictly forbidden. The views of outside contributors are not necessarily the views of IRM, its editor or its staff.

    How many of us are pretending to be something we're not?

    Can you, hand on heart, say you practise everything you believe in? Can you faithfully attest that you stay true to your convictions? Will you draw your last breath without any regrets? Do you always speak out when something is wrong?

    The overwhelming reaction to Edward Snowden, the whistleblower who exposed US government-agency snooping on an unprecedented scale, has been to laud him as a hero. Be it ex-Olympus CEO Michael Woodford, who spoke at last year's IRM's Risk Leaders Conference, or ex-HBOS head of group regulatory risk Paul Moore, who will speak at this year's event on 4 November, our reaction is to shake their hand, congratulate them on their courage and admire their bravery.

    Is this because they do what we would not, or because they have acted as we would?

    Snowden exposed the US National Security Agency's state surveillance and is now seeking refuge in Hong Kong. But how many other organisations have secrets to hide?

    How about your firm? Does it take risk management seriously or is its interest counterfeit, a sham and fabrication? One risk professional wants to find out if your firm is faking it (p12-14).

    And, in an age of villains and heroes, we look ahead to IRM's Risk Leaders Conference, where Paul Moore is joined by Sharon Shoesmith, the former head of children's services at Haringey Council (p42-43), to discuss integrity and doing the right thing.

    Our features also include a report on operational risk (p16-17), a discussion around the Mars One mission (p18-21), an examination of the semantics of risk (p22-25) and an area focus on Malaysia (p26-29).

    Enjoy the magazine.

    Tom Bovingdon

    Managing editor

    RMProfessional

    EDITORIAL

    Real deal?


    Regulars

    6 News
    The latest risk management news and views, from cyber risks and telecoms security to climate change impact studies and food shortage forecasts

    11 Chairman's column
    IRM chairman Richard Anderson FIRM explains how risk management professionals can help organisations prepare for the future

    34 Book reviews
    Featuring Enterprise risk management: straight to the point - an implementation guide function by function, by Al Decker and Donna Galer, and Risk management by Paul Hopkin FIRM

    IRM Focus

    35 CEO's message
    IRM's chief executive, Steve Fowler FIRM, asks what the future may bring for the risk profession

    36 News
    IRM updates, including the launch of the Pan-Asian Risk & Insurance Management Association (PARIMA); developments in the Gulf; calls for member involvement; plus the latest news from IRM's special interest and regional groups

    41 Learning evolution
    Exploring the shifting educational landscape for the risk profession and outlining IRM's aims for the future

    42 Do the right thing
    Preview of IRM's Risk Leaders Conference 2013, an event that promises insights on risk and integrity and access to key risk experts

    44 Forward thinking
    The latest issues, ideas and initiatives from IRM's thought leadership activities

    46 Brand and deliver
    We report on the recent IRM Forum, which saw hundreds of leading risk professionals gather to discuss reputation, brand management and survival

    48 Appointments/careers
    Members taking on new roles, plus a Q&A with businesswoman and author Margaret Heffernan, a keynote speaker at IRM's Risk Leaders Conference

    49 Welcome to IRM
    The latest additions and changes to the IRM membership

    50 Member profile: Zalina Jaflus
    The Malaysia-based senior risk manager talks to RMProfessional


    CONTENTS SUMMER 2013

    Features

    12 Is your firm faking it?
    Many organisations and their leaders talk about the importance of risk management, but for some it is a façade. So how do you tell the fakers from those that really care?

    16 Lessons learned?
    Organisations must question their cultures and learn lessons from risk events to reduce their operational losses, according to a study from ORIC

    18 One small step, one giant risk
    As Mars One starts accepting applications for a one-way trip to the Red Planet, we consider whether the dangers posed by the mission are outweighed by the threat of global catastrophe

    22 Tower of Babel
    Modern risk professionals must understand other definitions of risk, rather than simply focusing on their own interpretation

    26 Building up
    This issue, our regular regional overview spotlights Malaysia and explores how risk management culture is becoming increasingly important to its buoyant economy

    30 Keeping it simple
    IRM chief executive Steve Fowler FIRM outlines his vision for developing a comprehensive risk management certification framework

    31 Euro vision
    IRM board member Dr Marie Gemma Dequae discusses the institute's work with continental Europe

    33 Breaking barriers
    How risk managers can address employee resistance to implementing a new ERM culture

    The first sign that all may not be as it seems is an inconsistent approach to risk
    Page 12


    Still shooting the messenger

    Organisations are getting better at addressing wrongdoing but are still shooting the messenger when staff raise concerns, according to a study by Public Concern at Work (PCaW) and the University of Greenwich.

    Entitled Whistleblowing: the inside story - a study of the experience of 1,000 whistleblowers, the study found that the vast majority of individuals only ever raise their concern internally and that 85 per cent still either do not receive feedback, are unhappy with the investigation, continue to receive detrimental treatment at work or lose their jobs.

    "We remain at risk of a culture of silence existing in too many workplaces where only the tenacious few will be willing to pursue their concern to a degree that stops or prevents harm," the report said. It found that organisations have limited opportunities to listen to their staff, as a concern will only be raised once or twice at most.

    Cathy James, chief executive of PCaW, said that a whistleblower's journey is often fraught with threats, fears and contradictions, and can be incredibly stressful for the individual involved.

    The study found that the top five concerns of 1,000 surveyed whistleblowers are: ethical (19 per cent); financial malpractice (19 per cent); work safety (16 per cent); public safety (11 per cent); and patient safety (eight per cent).

    Health, care, education, charities, local government, and financial services were the top six industries for those raising concerns.

    A typical whistleblower was found to be a skilled worker or professional working for the organisation for less than two years, who is concerned about a wrongdoing that is ongoing, affects wider society and has been occurring for less than six months.

    The study called on organisations to train frontline managers on how to be proactive, identify whistleblowing concerns, handle problems well and support whistleblowers.

    US LAW A GRAVE RISK TO UK CITIZENS

    Brussels says the wide-ranging US surveillance law that has allowed the British government to gather information from internet firms poses a grave risk to data protection and citizens' rights.

    A European Parliament coordinating body issued a report last year saying that a section of the Foreign Intelligence Surveillance Amendments Act (Fisaa) grants the US government what it describes as heavy-calibre mass surveillance firepower that could be brought to bear against individuals in Europe and elsewhere.

    The report says the 2008 Act has very strong implications on EU data sovereignty and protection of its citizens' rights.

    Despite the warning, foreign secretary William Hague dismissed as baseless the idea that the intelligence services' listening post GCHQ in Cheltenham had somehow got round UK law in its dealings with the US intelligence agency.

    Prime Minister David Cameron also said the UK agencies operated within the law and within a legal framework.

    C-suite advised to leave ivory tower

    Senior managers must eliminate internal barriers and earn their staff's respect in order to become more resilient, a report produced by Cranfield Business School on behalf of the Association of Insurance and Risk Managers (Airmic) has claimed.

    Roads to resilience, the follow-on report from 2011's Roads to ruin study, found that resilient firms exist where everyone is risk-aware because barriers between senior managers and their staff are reduced to a minimum. It advised the C-suite to "escape from your ivory towers and engage with your staff".

    The analysis of eight firms recommended that firms create cultures where all staff feel able to pass their views, including bad news, to senior management, with the role of the risk function to guide and educate colleagues, rather than create a risk management silo.

    John Hurrell, Airmic chief executive, said the findings were a great opportunity for risk managers, adding: "They [risk professionals] are ideally placed to facilitate the development of a corporate culture where everyone owns the risk management process."

    The findings were revealed as part of a briefing ahead of the full launch of the report this summer.


    INDUSTRY FOCUS
    NEWS ROUND-UP

    Cyber attack warning

    Cyber attacks are costing the UK economy up to £27bn a year and staff to combat the growing threat are in short supply, says the National Audit Office (NAO).

    It warns that it could take 20 years to address a skills gap, because the number of IT and cyber security professionals has not risen in line with the growth of the online economy.

    BAE Systems says that nearly half of all graduates and trainees hired this year will go into its cyber and security services business.

    The NAO also warned that there was a skills shortage among psychologists and risk managers, as well as specialist police, lawyers and accountants needed to manage and mitigate threats.

    In a bid to increase staff numbers, the government, in 2010, boosted spending on its National Cyber Security programme by £650m over four years. It also plans to make cyber security part of the GCSE computer science syllabus.

    IRM is hosting a series of high-level roundtables during 2013 to discuss cyber risk.

    RISK REPORTING CAN BE OPAQUE AND DETACHED

    Risk management reporting by UK companies can be opaque, lacking in detail and detached from overall corporate strategy, a joint report by the Association of Insurance and Risk Managers (Airmic) and the Institute of Chartered Secretaries and Administrators (ICSA) has found.

    Finding a wide disparity in the quality of risk reporting by companies on the London Stock Exchange, the two bodies will urge the Financial Reporting Council (FRC) to tighten risk reporting when it updates the UK Corporate Governance Code later this year.

    "If you're good at risk then why hide the fact?" said Airmic technical director Paul Hopkin FIRM.

    The impression is that many firms with strong stories to tell see risk reporting as little more than a compliance exercise. Yet the exercise can underpin confidence in the company.

    Seamus Gillen, director of policy at ICSA, said that stakeholders and shareholders need to clearly see how risk management relates to strategy and opportunity. "We need to see a more compelling, linked-up narrative," he said.

    The review of 24 companies from the FTSE 100 and FTSE 250 found that firms in the leisure industry have a higher standard of risk reporting, while reports emanating from the food and drink sector were said to be uninformative. Reporting from chemical and pharmaceuticals companies, along with mining and energy firms, were found to be not generally of a high standard.

    EMPLOYEE MIGRATION SET TO RISE

    The number of workers moving jobs is set to rise to 4.3 million in 2015, as turnover levels continue to rise sharply in line with a growing economy.

    The next five years will see employee migration grow from 14.6 to 18 per cent, while by 2015, 765,000 more staff than in 2012 are forecast to depart for new employment.

    The figures have been collated by Hay Group, in association with the Centre for Economics and Business Research, as part of a report entitled Preparing for take off.

    Worryingly, the research highlights the lack of skilled workers in Britain, with 18 per cent of manufacturing firms having difficulty finding skilled staff. It also found that a quarter of new jobs created over the next five years will need skilled science and technology workers, but that there will be a shortage of suitable employees.

    Hay Group consultant Chris Smith said: "People have been reluctant to leave their current role due to the turbulent labour market associated with the economic downturn, government spending austerity and the Eurozone crisis. As conditions improve, dissatisfied workers provide a significant risk for organisations of all shapes and sizes in the UK."

    JP MORGAN FINED £3.1M

    JP Morgan's UK wealth management business has been fined more than £3m for failing to keep files on its clients up to date.

    The Financial Conduct Authority said the lapse put the bank's customers at risk of receiving the wrong investment advice. Failings persisted for two years until 2012, a time when the business was dealing with $29bn in assets from some 3,000 clients.

    The regulator said that the bank had failed to retain and update information on client objectives and risk tolerance, and that its computer system was inadequate.

    JP Morgan has now agreed to review all its customer files.

    A report in the Financial Times says that, so far, 1,500 files have been scrutinised and only one case with unsuitable investment has been found.


    Risk calculation by banks wide of the mark

    Banks are failing to make the grade when it comes to predicting loan defaults, says a report by Barclays.

    Some of the world's biggest institutions are miscalculating the riskiness of their balance sheets by an average of 13 per cent, the research shows.

    Nineteen banks took part in the study, which looked at data on predicted against actual losses on corporate, institutional and mortgage loans over the past five years. It found that banks missed the mark by an average of 54 per cent.

    Quoted in the Financial Times, Simon Samuels, the bank analyst who led the study, said: "The good news is that banks seem to be erring on the side of caution. The bad news is that the forecasting error is quite substantial."

    The paper says that the research highlights a problem for regulators and investors because default probabilities are critical when working out risk-weighted assets, which in turn are used to calculate the basic measure of bank safety: the core tier one capital ratio.

    German brewers voice fracking fears

    Germany's brewing industry is calling for a ban on fracking, the controversial method of gas extraction, until the risk of water contamination can be ruled out.

    Chancellor Angela Merkel's government is producing a legal framework to strictly regulate the system, which involves the horizontal pumping of water and chemicals at high pressure into rocks to release trapped stores of gas.

    However, the country's brewers believe that water contamination is still an issue and fracking should not be allowed until more scientific research has been carried out.

    The industry relies heavily on water drawn from private wells, and a spokesman for the German Brewers Federation told the Financial Times: "So long as fracking is not proven completely safe, [we say] hands off."

    In the US, fracking has helped lower gas prices for industry, but in Germany and in other European countries, the UK included, there remains deep public scepticism.

    Climate study: New York facing grim future

    New York is facing a future of rising temperatures and more floods, according to Mayor Michael Bloomberg.

    A report, commissioned by the mayor in the wake of Hurricane Sandy last October, concluded that by the middle of this century, almost one million New Yorkers could be living in a flood zone and the average daily temperature could be up to 7°F hotter.

    Quoted in the Daily Mail, Mr Bloomberg said: "We have to anticipate threats, not only from hurricanes and other coastal storms, but also from droughts, heavy downpours and heatwaves."

    The report said extreme weather in the region could become the norm, affecting the eight million people who live and work in the city.


    Presented by

    Grand Connaught Rooms, London, UK
    Awards entry open: Monday 17 June 2013
    Awards deadline: Monday 4 October 2013
    Shortlist announced: Monday 18 November 2013
    Awards dinner: Thursday 27 February 2014

    The Institute of Risk Management
    leading the risk profession through delivery of education and lifelong learning

    Save the date: 27 February 2014


    IRM CHAIRMAN'S COLUMN

    SLIDING DOORS

    IRM CHAIRMAN RICHARD ANDERSON FIRM EXPLAINS HOW RISK MANAGEMENT PROFESSIONALS CAN HELP ORGANISATIONS PREPARE FOR THE FUTURE

    As I was stepping on to the train the other day, I had a sense of déjà vu, which is of course a well-trodden path for filmgoers familiar with the movie Sliding Doors.

    But putting romantic comedies aside, we all have just one past, whereas we face multiple possible futures, each of which depends on a vast number of imponderables, many of which are beyond our control or even imagination. And that bewildering complexity is exactly what we face in our organisations as well. So, what does that have to do with risk management professionals?

    It seems to me that one of the really important competencies for risk management professionals is to be among those that help the organisation deal with the multiple complexities of the future.

    Breaking the chains

    Of course we must learn from the past, but by learning from the past we do not need to be relentlessly tied to our history. That frees us to explore the options that are open to us.

    While the media talks about signs of growth in the economy (fingers crossed and touching wood while I write that, like a good risk manager), there is a risk that organisations, many of which have been relentlessly hit by gloom and doom since the onset of the global financial crisis all those years ago, will face this new future with a less-than-confident spring in their step, with the consequence that they might not grasp the new and emerging opportunities.

    In the heady days prior to the global financial crisis, risk managers were ignored when they asked doom-laden questions implying that house prices might one day fall rather than continue to increase, or were sacked (as in the case of Paul Moore, a speaker at our Risk Leaders conference in London, UK, in November) for doubting the sustainability of the pace of growth at HBOS.

    And yet, that is the biggest single contribution risk management can make to society: to ask the questions that make us reflect on the benefits (or otherwise) of running with the crowd. I have described this elsewhere as being the disruptive intelligence that pierces perfect-place arrogance. I think that makes a good motto for the profession, and it dovetails neatly into the exhortation from René Carayol at our recent IRM Forum that we, as risk management professionals, should be focused on delivering leadership. That gives us an important role in all organisations; we should be influencing at boardroom level, as well as in the engine room.

    Walking tall

    Some people tell me that I am talking too much about the boardroom and not enough about our day job. That is because I think we have already proved, without a doubt, that we are technical masters of the day job.

    Very few people say to me that their risk managers are not up to their job from a technical viewpoint, but I still get negative comments about our ability to influence the leadership of our organisations. And yet, when you talk strategy with your board and you can influence the debate, then the whole remit of the profession is enhanced.

    Our aim at IRM is to help people walk tall in their organisations. We are proud to be in risk management, and we are proud to be the organisation that provides the underpinnings for the profession: training, competence and ongoing leadership. That is why we are focused on the boardroom debate, focused on ensuring that our profession has global recognition and focused on providing the best training available.

    This is your profession. Please come along and support us. We welcome your help in a multitude of ways, and we always value your opinions.


    ANALYSIS
    CULTURE

    IS YOUR FIRM FAKING IT?

    MOST ORGANISATIONS AND THEIR LEADERS EXCEL AT TALKING ABOUT THE IMPORTANCE OF RISK MANAGEMENT, BUT HOW MUCH OF THIS IS A FAÇADE? SENIOR MANAGEMENT OFTEN FEIGNS INTEREST TO APPEASE STAKEHOLDERS OR TICK BOXES, SAYS RICHARD MACKIE FIRM. SO HOW DO YOU TELL THE FAKERS FROM THOSE WHO REALLY CARE?

    Risk managers have spent the last decade building and embedding risk management frameworks, and raising awareness throughout their organisations. But, just as risk considerations have become critical to decision-making, is the illusion of boardroom interest in risk management being exposed as a sham?

    With the collapse of the major banks, high-street names gone bust and billions of pounds lost, could there still be a negative attitude towards risk professionals? As we recently read in RMProfessional (Spring 2013), one former HBOS employee described risk managers as an alien species. Does this hint at a feeling among senior management that risk professionals are not always on board, not one of the boys or, as I heard one female risk manager recently say, the girl who cries wolf?

    That was, of course, until the big, bad wolf came knocking at our door. But when it did, the senior management team simply removed any sign of the wolf from the risk report as it would make the shareholders nervous. CEOs, petrified that the cold, hard facts could affect future investment, are choosing to ignore the warnings we deliver.

    Are we complicit?

    Which begs the question: why employ a risk manager? The simple answer is that, in 2013, in a medium-to-large size company, the board expects the organisation to have one.

    Ratings agencies expect to see robust enterprise risk management (ERM) practices, so companies create risk positions that nominally exist but whose work is conspicuous by its absence. The risk manager is not there to reduce risk or uncertainty, or to effect a change in the risk-taking culture. They are there because management cannot fake it without them.

    As one of my risk professional peers revealed, there was no desire to identify risk within their organisation, just a superficial attempt to pretend it was being addressed. The CEO would remove a number of their entries from the monthly board report prior to publication.

    When the risk manager challenged the CEO, they were told off for reporting too many risks. And the CEO, citing their 20 years of experience, said they did not want to see any risks you would expect any normal company to face because, as an experienced leader, they had already foreseen these risks.

    The risks deemed irrelevant involved the lead-up to the Olympics, an untested business continuity management IT plan, European uncertainty impacting on supply chain exposure, and the traditional loss of key staff and lack of any succession planning.

    All of these were removed or altered to read as a positive for the organisation. It would appear that the lessons from HBOS and the sacking of Paul Moore, the head of group regulatory risk removed for raising concerns about excessive risk-taking [and a speaker at IRM's Risk Leaders Conference in London, UK, on 4 November], have not been learned. But what is more worrying is that this organisation is not alone in its actions.


    Fear cultureA culture of fear, characterised by the boardroombelief that the threat to the organisation is not the riskitself but the market perception of the risk exposure,is haunting our businesses. Some say this is down tothe egos at the top, but there appears to be a beliefthat if an organisation becomes too honest with theirrisk exposure, it is an admission of guilt, acceptance offailure or an acknowledgement that there is doubt in itsbusiness strategy.

    Look at the local high street. Where have Borders,Comet, JJB Sports, Jessops and Woolworths gone? Thereis a universal belief among the public that all the big

    name companies have failed due to the global economicrecession but this is an excuse.These failures were many years in the making. Borders

    closure was the result of rapid changes in the marketplacecoupled with their unwillingness and/or inability to reactin time to them. If your industry is selling books and CDs,you do not have to look far back to see that people andcars no longer use cassettes, and that CDs were alreadyon the way out by 2005.

    Mentioning the unmentionableThe rapid rise in popularity of e-readers, MP3s and IPodsmakes you wonder what the risk manager was doing.Agreed, it is not the risk managers place to be designingnew technology, but it is the risk managers role to ensurethat the impact of game-changing products coming ontothe market is on the radar.

    Prior to the recession, when times were good, Comet,JJB and Woolworths experienced financial difficulties; allwere slow to react to changes in the business environmentand adapt their business model accordingly. The internetdid not kill these big names. Neither did the competition,or even new products. It was the failure of the seniormanagement team to acknowledge the risks to theorganisations strategy.

    Failure is still unmentionable in some high-levelmeetings, so much so that if the risk manager does

    raise the possibility, they are seen to be challenging thecompetence and the leadership of management.

    Risk professionals are effectively being ostracised. Wetalk of the risk culture and a bottom-up, top-down oruniversal approach, but what does that all mean if, behindthe meeting room doors, your organisation only centres onthe positive aspects of their strategy?

    Spotting the fakes

    So how can you spot a fake? Unlike a watch, or a pair of suspicious-looking Karen Klein sunglasses, this is probably harder to identify.

    The first sign that all may not be as it seems is an inconsistent approach to risk. Does the organisation use numerous styles or outdated formats for risk reporting? Is there poor risk communication between the different functions? Poor reporting and ineffective communication is often a deliberate method to prevent the risk manager from getting a true picture of the risks. When management does not see the value in an efficient reporting system, we need to be asking what the motivation is behind that view.

    As a risk professional, you should know if the manner in which your organisation reports risks is outdated and stagnant. If you are trying to drive risk reporting forward and hitting a wall, it probably means there is no desire to streamline the risk process for fear of uncovering the family secrets.

    Time for change

    Has the time come to enhance the focus from embedding a risk culture to changing the corporate risk environment from one of concealment to honesty?

    Senior managers must understand that, effectively, risk management can only come by acknowledging risk and embracing an honest approach, including highlighting any uncertainty that threatens the achievement of the corporate objectives.

    When the risk manager or risk function challenge the assumptions that are the foundations of management decisions, they are not stifling opportunity. They are actually increasing the likelihood of success.

    Only by identifying, understanding and recognising the potential for failure can failure itself be avoided. Having reviewed a number of corporate failures and big losses recently, the main questions we all have to ask ourselves are: is there a risk management facade festering within your business? Is your firm a faker?


    Richard Mackie FIRM is manager, risk advisory, RSM [email protected]

    ANALYSIS: CULTURE


    On 16 April, the European Parliament overruled UK opposition and adopted new legislation under the Capital Requirements Directive IV (CRD IV), which puts a cap on bankers' bonuses. It is expected to be effective from 1 January 2014.

    The rules seek to limit bonuses to the amount of the individual's salary (the so-called 1:1 ratio) although, with shareholder approval, the ratio could rise to 2:1. The rules will apply to EU banks including their overseas subsidiaries as well as foreign units operating in the EU, and will affect material risk-takers such as senior management and major traders. Banks have some discretion over which employees are considered material risk-takers, although the European Banking Authority's latest proposal seeks to expand the category to include those earning more than 500,000.

    The legislation aims to improve stability in the global financial sector by limiting the incentive for senior management/traders to take short-term risks, which might benefit them personally but which are imprudent in the long term. It also responds to public outrage at banker remuneration following the 2008 credit crisis.

    Continuing negative publicity has fuelled public hostility: in Europe, the sovereign debt crisis has seen five EU member states bailed out, while UK examples include the part-nationalisation of HBOS, Lloyds TSB and the Royal Bank of Scotland, the latter sparking a furore over the severance package of chief executive, Fred Goodwin. Additionally, the multi-billion dollar rogue-trading scandals of Jérôme Kerviel at Société Générale and UBS's Kweku Adoboli have intensified the perception of banking greed.

    Disincentive

    These examples suggest an unstable banking sector, exacerbated by a combination of recklessness and an emphasis on short-term gain. The EU considers that the common denominator is remuneration of key executives, with personal financial incentive closely correlated to risk appetite. The EU hopes that the bonus cap will de-incentivise high-risk short-term transactions, create greater transparency and accountability, and enable banks to safeguard deposits and investors' returns.

    However, there is considerable speculation that the bonus cap is, at best, a blunt tool and, at worst, will have a significant detrimental effect on the sector.

    Legally, there is concern that the rules may violate international trade agreements, since they extend to EU subsidiaries operating outside the EU. Furthermore, the legislation arguably goes beyond the powers vested in the EU. Article 153(5) of the Lisbon Treaty 2007 provides that any attempts made by the European Parliament and Council to modify social policy shall not apply to pay.

    The counter-argument is that the legislation does not seek to limit total pay, just the proportions of fixed to variable pay, and addresses systemic risk, not social policy.

    Strategies

    In order to retain top talent, banks will probably come up with various strategies to moderate the impact of the rules.

    The most obvious method will be to increase basic salaries (fixed pay). Other possibilities include restructuring packages to offer individuals greater shareholdings; withholding salary over the course of the year and allocating it according to performance; or introducing allowances such as grants. While some of these strategies may be treated as bonuses, there is likely to be a grey area that could be creatively exploited.

    There is a risk that these measures will drive banking talent out of the EU, damaging its financial sector and resulting in senior banking positions being occupied by less-qualified people. This outcome is contradictory to the aim of the rules and will affect the UK significantly, given the size of the City of London financial sector.

    In particular, there is speculation that international banks may move Europe, Middle East and Africa business from London to the Gulf, which would be damaging to the UK and EU, possibly prolonging the European sovereign debt crisis and regional financial instability.

    The ultimate impact of these rules will become clearer in time. However, if the bonus cap fails to deliver the expected reform, perhaps banks should consider incentivising those in compliance roles in the same way as front office staff. This would encourage closer monitoring of risk, resulting in greater clarity and accountability, and also provide a degree of reassurance. While profits may be hit in the short term, overall, such an initiative might help to stabilise the banking sector and renew public trust in EU banks, thereby generating growth.

    LEGAL ANALYSIS: BONUSES

    IF THE CAP FITS

    WILL CONTROLLING BANKERS' BONUSES BRING STABILITY TO THE FINANCIAL SECTOR? OLIVER KNOX CONSIDERS THE CONSEQUENCES


    Oliver Knox is a trainee at City law firm RPC


    ORGANISATIONS MUST QUESTION THEIR CULTURES AND LEARN FROM RISK EVENTS TO REDUCE THEIR OPERATIONAL RISK LOSSES, AN EXCLUSIVE STUDY FROM THE OPERATIONAL RISK CONSORTIUM (ORIC) HAS CLAIMED

    A recent report into the UK Mid-Staffordshire National Health Service (NHS) Trust found that some 1,200 unnecessary patient deaths at hospitals in the area over a number of years were caused, to some degree, by a prioritisation of financial performance over patient safety imposed by top management, and by a blame-laden culture where people at all levels were frightened to speak out.

    Contrast this with the North Sea approach, where all oil and gas companies openly share details of all safety and environmental risk events, including near-misses, in order to understand whether they could be exposed and to ensure that they are prepared for any events of a similar nature.

    These are just two examples from a new study published by the Operational Risk Consortium (ORIC), Creating value from risk events: leading practices in operational risk event reporting, analysis and investigation, learning and management, which calls for firms to question their risk cultures and learn lessons from risk events in order to survive and thrive in the modern world, and to avoid situations such as that at UK Mid-Staffordshire NHS Trust.

    Alex Hindson FIRM, chairman of ORIC and a director of IRM, says the study fulfils ORIC's objectives to set leading practice for operational risk and inspires firms to improve their risk event capture, reporting and analysis.

    Characteristics

    According to ORIC, organisations can actively reduce operational risk losses by placing a strong focus on risk event reporting, analysis and learning. Firms that get this right typically exhibit the following characteristics/actions: an open culture where people use risk events as an opportunity to improve; analysis of risk events to understand the root causes and establish whether other areas of the organisation could be exposed; and continuous improvement of control frameworks, using learning from internal and external risk events.

    After identifying best practice approaches, ORIC created a maturity diagnostic (see below) to assist organisations in benchmarking and improving their performance.

    LESSONS LEARNED?

    Caroline Coombe FIRM, head of ORIC, says creating an open culture, where people can speak openly about risk events, is fundamental.

    A crucial ingredient for success, says Coombe, is for visible leadership behaviour to be in place. Best practice organisations have strong, risk-aware leaders who actively champion the process, get involved in training their people, communicate the importance of risk to the business, actively follow up on actions, and recognise people for reporting. Such organisations invest in developing risk leadership skills and measuring leaders' performance in this area.

    Education

    The study states: Critically, these leaders avoid blaming those who report, or those who have made genuine mistakes, and place a high value on the opportunity to learn from risk events to drive value for their organisation.

    By focusing on risk event reporting (including near-miss reporting), addressing behavioural failures, undertaking root-cause analysis and combining data with learning, organisations can target year-on-year reductions in operational risk losses.

    The study highlights the practices of a nuclear aircraft carrier, where the most junior sailor is empowered to stop operations if they perceive a risk. When a junior stopped flying operations because a tool had been mislaid, they were publicly congratulated for being risk aware rather than reprimanded.

    ORIC's work has been endorsed by IRM, with Carolyn Williams MIRM, the institute's head of thought leadership, praising "a worthwhile study on the importance of risk event reporting in creating a healthy risk management culture".

    She added: "Our own recent publication on risk culture identified the importance of risk disclosure and the effective reporting and escalation of risk events as fundamental tests of an organisation's ability to create a supportive culture."

    To receive a copy of the study, contact ORIC [email protected].

    FOCUS: OPERATIONAL RISK

    Maturity levels: Reactive | Compliant | Proactive | High reliability

    Open environment for reporting
      Reactive: Only significant risk events are reported; Lack of leadership involvement; Inconsistent reporting processes; Fear of blame/reprimand impedes reporting; People are unsure what to report and why; Reporting delegated to the second line; Near-misses not reported
      Compliant: Coherent process for people to report events; Most events reported; Key people are risk aware; Key people understand how to report a risk event; Little focus on near-miss reporting
      Proactive: Everyone feels encouraged to report events; Simple standardised company-wide approach to reporting; Ownership of reporting at first line; Selected staff at first line of defence staff are focused on risk; Staff understand the need to report near-misses. More than 50 per cent are reported
      High reliability: Single, simple approach to capture enterprise-wide risks; Everyone understands current and potential risks they face; Everyone understands the need to report risk events and do so directly; Open, learning culture sees events as an opportunity to improve; Near-misses actively reported in order to reduce frequency of loss events

    Risk event analysis, investigation and impact assessment
      Reactive: Focus on addressing recovery from loss events; Leadership seek to identify responsibility and blame; Root cause analysis (RCA) not conducted
      Compliant: Root cause analysis (RCA) conducted for priority events; Focus on controls, processes and systems, not behaviours; Ad hoc and inconsistent approach to RCA (few standard tools); Little trained investigative capability
      Proactive: Clear thresholds for root cause analysis (RCA); Standard, proven tools and approaches used to conduct RCA; Behavioural root causes always sought; Strong trained capability to conduct RCA; Top leadership reviews causes of major events
      High reliability: Deep root cause analysis (RCA) for key events and major near misses; Analysis identifies trends and causes from volume lesser events; All leaders are seen to engage in RCA; Focus on behaviours (why people acted that way); Leadership, behavioural and cultural issues confronted; Quality assurance of investigations through peer and third-line review

    Action management
      Reactive: Actions for most loss events are not monitored or followed up; Follow-up for major events is on an ad hoc basis
      Compliant: Actions often derived so that they can be delivered rather than make a difference; Actions are managed, monitored and closed; Approach and tools for action management are not consistent across company
      Proactive: Actions derived to make a difference; Actions are prioritised, based on resources available and risk appetite; Actions clearly tracked and only closed on evidence; Top leadership review actions for major events
      High reliability: Action management process integrated into company-wide continuous improvement approach; Actions may involve replacing existing controls that are not cost-effective, not just adding controls

    Learning and continuous improvement
      Reactive: No systematic approach in place to learn from internal or external risk events; Learnings tend to be ad hoc and rely often on informal networks
      Compliant: Changes to policies and procedures occur in response to significant internal risk events; Learnings not always shared across all relevant parts of the company; Review of major external risk events is not systematic
      Proactive: Processes in place to prioritise and share learnings across the company from internal risk events; Learnings are derived from external risk events; Appropriate ORIC data shared with first line; Multiple channels used to engage staff in learnings; The third line review learning effectiveness
      High reliability: Learnings from loss events and near misses used to deliver year-on-year reductions in risk exposure; Rigorous approach optimises behaviours and controls based on learning from internal and external events; Proactive sharing and learning across the industry to reduce sector-wide operational and reputational risks


    A bright speck appears over the eastern horizon, flies across the deep blue sky, expanding in both size and intensity, until suddenly, and in complete silence, it explodes in a brilliant fireball with the power of a 440-kiloton nuclear bomb.

    Two and a half minutes later, the shockwave rips through the Russian town of Chelyabinsk, sending glass and debris flying and injuring 1,500 people, many of whom were staring through windows at the expanding smoke plume in the sky.

    For many, the events of January 2013 were a surprising wake-up call to the power of nature. But for others, this demonstration of the destructive impact of space-based objects was just another reminder of the perilous hold that the human species has on its continued existence.

    ONE SMALL STEP,

    AS MARS ONE STARTS ACCEPTING APPLICATIONS FOR A ONE-WAY TRIP TO THE RED PLANET, MARK TURNER CIRM ASKS IF THE DANGER POSED BY THE MISSION IS OUTWEIGHED BY THE THREAT OF GLOBAL CATASTROPHE

    Sudden impact

    Sixty-five million years ago, a larger fireball swept in across the Atlantic. The prehistoric witnesses to this meteor were instantaneously incinerated and many thousands of species, in the days and weeks that followed the impact, succumbed to extinction on a global scale.

    Such is the devastating effect that a meteor or comet impact would have on our fragile world. Yet it is not the only life-threatening risk that exists. Mega-volcanoes, such as the one found in Yellowstone Park in Wyoming, USA; coronal mass ejections from the sun; reversal of the Earth's magnetic poles; pandemic super-flu; runaway nanotechnology (the so-called grey goo); climate change leading to methane release from the sea bed or suspension of the gulf stream; and any other number of global catastrophes all could destroy our species at any moment.

    One-way ticket

    However, for the first time in the history of our planet, a species possesses the sophistication and technology to withstand such a global catastrophe.

    In recent decades, mankind has walked on the Moon, sent the Voyager probes beyond the furthest reaches of our solar system, and has begun to explore the Martian surface with robots. We are capable of placing people on Mars.

    ANALYSIS: MARS MISSION


    It is no longer a question of technology. However, it has not yet happened due to funding constraints, limited political will and, above all, a deep-seated expectation by the public and politicians alike that it should be a two-way journey.

    On 22 April 2013, a private Dutch company called Mars One opened the first round of applications for prospective Martian colonists. Within two weeks, almost 80,000 people had indicated that they were interested in the one-way mission to the red planet.

    Many detractors identified the death sentence these individuals had signed up for. The risks associated with space travel in general, and the exploration of Mars in particular, are many and varied.

    Extreme pressure

    First, there are the problems associated with leaving the Earth. As spectacularly demonstrated by the Space Shuttle Challenger in 1986, the act of getting into orbit is not without risk. Once in space, the transition to Mars requires the spacecraft to leave the protection of the Earth's magnetic shell.

    Without this defence, intense radiation from the Sun and other cosmic sources will begin to damage human DNA. The seven-month trip to Mars exposes the astronauts to microgravity, which accelerates muscle wastage and is believed to increase the risk of osteoporosis. Micrometeorites, with the kinetic energy of bullets, threaten to puncture the hull of the spacecraft at any moment. With restricted rations and limited facilities for hygiene, the body's defences will also be placed under extreme pressure.

    Provided that guidance and propulsion have worked correctly, once in orbit around Mars, the next challenge will be the descent. Over the years, NASA has used several methods to get probes onto the surface, including parachutes, airbags and sky cranes. Some have succeeded, while many others have failed. The lack of a dense atmosphere, and potentially high cross-winds, make Mars a formidable target to touch down on.

    Life on Mars

    Mars does not possess a strong magnetosphere, and so the cosmic and solar radiation will continue to impact the explorers whenever they are not under cover. To prevent further exposure, the colonists will need to bury their habitats under two metres of Martian soil.

    The famous red dust that covers the planet has been analysed by Mars rovers such as Curiosity. The results indicate that it contains high levels of minerals that are harmful to human health. Not least of these are perchlorates, which are known to affect the thyroid gland, and gypsum, which affects the lungs in a similar way to coal-lung disease on coal miners.

    The Mars One mission is expected to land at the latitudes nearer one of the poles. This area is known to possess sub-surface water. The extraction of this water will be a priority for the explorers if a self-sustaining colony is to be established.

    Mark Turner CIRM is head of internal audit UK at Selex ES. View his Mars One application video at http://tinyurl.com/mfav8es

    Food for thought

    However, it is not known what contaminants this water may contain. All food necessary for the first two years will need to be transported to the planet with the travellers. While it is anticipated that they will begin to grow their own food, this will take months to bring to harvest. The effects of Martian gravity (only 38 per cent that of the Earth) may have an unpredictable impact on both yield and nutritional value of the crops grown. It is possible that sustaining a balanced diet may be difficult.

    Accidents, the effects of cosmic radiation, environmental disease and other bodily threats will all need to be self-treated. There will be no palliative care as the colonists age, and the safe disposal of corpses will need to be addressed.

    Mars or mankind?

    With this array of known hazards, and the many yet to be discovered, why is it that so many people are willing to put their lives at such peril? Not all of them are uninformed glory seekers. Many are well-read scientists, technologists and professionals from all walks of life.

    For one thing, there is the personal challenge of leaving the Earth. For many people, growing up during the golden age of lunar landings and Space Shuttle missions, this presents an opportunity to live a childhood ambition.

    For others, the allure of never-ending fame is enticing. To be the first person to walk on Mars would place their name alongside those of Marco Polo, Christopher Columbus and Neil Armstrong. In addition, the money (which, it is hoped, will be generated by sponsorship and celebrity endorsement) could ensure that the families left behind on Earth would be well looked after for many generations.

    Basic instinct

    However, the appeal to apply for the one-way trip may be deeper than this. Instinct for genetic survival drove our ancestral explorers to leave the broad savannah of Africa in search of new land, and this instinct may well be acting again. If mankind is to survive, then the colonisation of the solar system is the only action that can assure the continuation of our species, and Mars is the first logical step.

    Going to Mars may be fraught with individual danger, but the threat to mankind for not going is a risk the species cannot ignore.


    Risk is too ambiguous a term to be used on its own and must be simplified. When conducting research at Cranfield University between 2008 and 2011, I concluded that there was no point in defining risk as I saw it. I needed to see risk from the other perspective.

    I collated 43 different risk definitions from academic and practitioner literature, aiming to identify whether definitions of risk fall into one sector or are spread across the spectrum.

    Simple definitions

    I plotted simple definitions, separating risk into the definitions in the box below.

    From here, usage of the word places risk in one of four categories: Inputs; Transformation process; Outputs; Controls.

    Inputs are where risk is defined as an event or a cause of an effect.

    A questionable assumption is perceived as borderline input/transformation process, while risk as uncertainty (it is seen as being an uncertainty or a probability within the transformation process) and risk as a form of rationality fell clearly within the transformation process category. Those that were perceived as falling in the output category were risk as an effect, an implication and failure. Finally, risk as exposure and volatility was deemed to fit into the control box.

    Risk as exposure was interpreted as the level of risk or the amount of risk to which the organisation is being, or will be, exposed; this was seen as a control total and, therefore, placed within the control area.

    Risk as exposure has been interpreted as being consistent with the many other terms (such as risk appetite, risk tolerance and risk profile) that have been used to express the amount of risk that is expected or acceptable; these are all seen as being a control total.

    Risks can be seen to be present in any, and every, part of the system. The exact placing of each concept is not considered to be as important as the fact that definitions fall within all four areas of the system boxes. Risk, then, should have its temporal dimension acknowledged and not be seen as a single concept.

    MODERN RISK PROFESSIONALS MUST UNDERSTAND OTHER DEFINITIONS OF RISK INSTEAD OF FOCUSING ON THEIR OWN INTERPRETATION, INSISTS DR MIKE LAUDER

    ANALYSIS: DEFINING RISK

    [Diagram: system boxes labelled Inputs, Transformation process, Outputs and Controls, with the definitions placed on them: Risk as an uncertainty; Risk as an event; Risk as questionable assumptions; Risk as form of rationality; Risk as failure; Risk as uncertainty; Risk as an effect; Risk as an implication; Risk as volatility; Risk as exposure]

    Complex definitions

    The next step in the analysis of risk is to examine a series of complex risk definitions (that is, those articulated as risk = A (x) B). The selection in Table 1 (below) demonstrates further complexity.

    These articulations of risk combine aspects from all four system boxes. However, they predominantly concentrate on the outputs (impact, consequence or magnitude) and control boxes (probability, frequency, magnitude or severity). These, therefore, need further analysis.

    Such definitions of risk often suggest limits or control totals. This reinforces the place for a control box within the proposed framework. These scales articulate potential limits of what might be expected to happen, or what might be deemed to be acceptable should it happen. All these scales are features of management control. They, therefore, fit into the control box within the framework. They are encompassed in the term risk exposure. This leaves only the construct of the outputs requiring further examination. The term output covers a more complicated construct. I identified five, and define these terms as:

    Results: the result is an initial outcome of the mechanism at play on an entity in creating the negative outcome. For example, if the mechanism is the continual flexing of a structure due to natural phenomena, such as wind, the result of this may be that the structure becomes stressed

    Effect: the effect is the end product of the result on the entity causing the negative outcome. Building on the stress example, the effect of stress may be structural failure

    Consequence: a consequence is the automatic (cascade) effect that will occur as the end product. Continuing the example, the consequence of part of the structure failing may be the total collapse of the structure

    Subsequence: subsequence is defined as the consequence of a decision that follows an unwanted occurrence rather than being part of any cascade of events

    Impact: the term impact is reserved for an overarching term that embraces all negative outputs relevant to the matter in hand.

    Table 1: Examples of complex risk definitions

    Risk = probability x magnitude (Slovic, 2000:232)
    Risk = probability (of occurrence of loss) x magnitude (of possible loss) (Malik, 2008:48)
    Risk = probability x impact (APRA, 2008)
    Risk = probability x s (damage scale) (Stankiewicz, 2009:112)
    Risk = threat + vulnerability (Kovacich and Halibozek 2003:26)
    Risk = threat x vulnerability x consequence (Cox, 2008:1749)
    Risk = probability x consequence (Van Well-Stam et al., 2004:45, Damodaran, 2007:6)
    Risk = expected consequences + uncertainties (Aven, 2007:433)
    Risk = exposure + uncertainty (which you care about) (Holton, 2004:22)
    Risk is the possibility and quantum of loss [March and Shapira (1987) cited by Coleman, 2006:255]
    Risk is the probability of a material hazard circumstance occurring (Tullock in Lupton, 1999:36)

    Simple definitions

    An uncertainty: Frank Knight (1921) cited by (Damodaran, 2008:5)
    An event: (Aven and Renn, 2009:1)
    Form of rationality: (Lupton, 1999:138)
    Questionable assumption: (Baxter 1996)
    Uncertainty: (Holton, 2004:20)
    Failure: (Malik, 2008:88)
    An implication: (Chapman and Ward, 1997:7)
    An effect: (Hillson and Simon, 2007:224)
    Exposure: (Holton, 2004:22)
    Volatility: (Hubbard, 2009:84)

    The basic sequencing from input risk through to subsequence can be seen as having a temporal construct, whether measured over microseconds or millennia. An organisation's capacity to manage such risk will depend on its ability and desire to intervene between any of the dimensions.

    Basic framework

    Using a basic systems structure, the seven categories of risk may now be seen as: input risks (R1); transformation risks (R2); results (R3); effects (R4); consequences (R5); subsequence (R6); and as an expression of what is acceptable exposure (R7). This provides the structure in Figure 1 (below).

    Connecting the dimensions of risk are both pathways towards positive outcomes, as represented by the dotted line, and negative outcomes, represented by the solid line. There is coupling between the two.

    Second dimension

    The process involved taking each use of the term risk and evaluating it for its context and concern. The result of the analysis was that five categories emerged. These I labelled:

    [1] Non-delivery: non-delivery covers what might be known as mission failure. This is where an organisation or group fails to deliver all or part of what was intended
    [2] Barrier to delivery: this category encompasses anything that may prevent the organisation from delivering its intended output
    [3] The unknown: this category covers both what is unknown and what is uncertain
    [4] The unintended: the category of unintended includes the problems raised by the interactive complexity within any organisation where the consequences of an action may be different from those intended
    [5] The unexpected: the final category embraces external influences on the organisation that had not been foreseen or for which mitigation had not been planned.

    Combining the two dimensions

    The final step is to combine the two dimensions. The result is Table 2, which can be seen to produce 35 problem spaces embraced by the term risk.

    Table 2: Risk definition matrix

    Columns: Non-delivery | Barrier to delivery | The unknown | The unexpected | The unintended
    Rows: Input (R1); Transformation (R2); Results (R3); Effect (R4); Consequence (R5); Subsequence (R6); Exposure (R7)

    Conclusion

    Risk is a word that is used in many ways. Individuals define the term to suit their own needs; communities or specialisms define the word for their own purpose.

    But senior managers do not have this luxury. They are required to understand the word risk the way the user intends it to be understood. To do this, they must first appreciate that it can be used in more than one way.

    I have looked to provide a method through which the word can be analysed and its meanings categorised. The grid that I have produced gives 35 ways that the term may be being used. I would suggest that any non-specialist who hears someone using the term risk should consider using the grid to improve understanding between the various disciplines required to manage any complex organisation.

    Dr Mike Lauder is director and owner of Alto42; see www.alto42.co.uk


    [Figure 1: Seven temporal categories of risk. Diagram labels: Input risk (R1); Transformation (R2); Objective (Social good); Result (R3)/Effect (R4); Impact; Consequence (R5); Subsequence (R6); Exposure (R7); Downside (Social bad); Coupling.]


    WITH ITS ECONOMY EXPERIENCING GLOBAL INVESTMENT AND GROWTH, LYNN STRONGIN DODDS EXPLORES HOW RISK MANAGEMENT CULTURE IS BECOMING INCREASINGLY IMPORTANT IN MALAYSIA


    Although risk management practices are well embedded for publicly listed companies in Malaysia, progress is slow for those outside the stock exchange realm. The government and trade organisations, such as Malaysian Association of Risk and Insurance Management (MARIM), the Malaysian Institute on Corporate Governance and Institute of Internal Auditors (IIA), are leading the charge, but it will take time for the word to spread across the industrial spectrum.

    According to the findings of a report by Ernst & Young and the Institute of Internal Auditors in 2011, there was an increasing importance being placed on identifying, understanding and managing risks, but more work was needed. For example, while many organisations surveyed believed they had a formal and relatively mature governance, risk and compliance (GRC) framework in place, the majority needed to improve the interconnectivity between risk management, business strategies and key performance indicators. Organisations also needed to better align and coordinate their activities to ensure the best possible risk coverage.

    Moving ahead

    Fast-forward to today, and advancements have been patchy. In its latest global report, Business pulse: exploring the dual perspectives of the top 10 risks and opportunities in 2013, Philip Rao, partner, Ernst & Young, Malaysia and ASEAN risk leader, noted: As companies in developed markets continue to perform at low levels amid recession and sovereign debt problems, the world is now looking to new markets for expansion opportunities. Countries in rapid growth markets, including Malaysia, are now becoming the focus for investments and growth, as many global organisations rethink their business strategies. While this is encouraging for Malaysia's economy, Malaysian companies must be alert to these developments and consider the risks and opportunities affecting their own businesses in an increasingly competitive market.

    It is not surprising, perhaps, that those companies listed or looking to join Bursa Malaysia are the farthest ahead on the risk management curve. They are required to adhere to the Malaysian Code on Corporate Governance, which was updated last year. It incorporates not only part of the 2007 Code, but also recommendations from the Securities Commission Malaysia's five-year Corporate Governance Blueprint (Blueprint) which was launched in July 2011 to raise the corporate governance bar in the country.

    Under the new Code, the profile of the board of directors has been raised with a greater emphasis on establishing clear roles and responsibilities. Other recommendations included strengthening the composition, as well as reinforcing its independence. In addition, companies are advised to foster commitment, ensure integrity in financial reporting and disclose information in a timely manner. Equally as important is establishing a sound structure to determine, manage and monitor a company's risks.

    Strengthening

    Separately, the IIA, the national body for the internal audit profession, published a new version of its Statement on Risk management and internal control guidelines for directors of listed issuers, after a year-long consultation with directors of public listed companies (PLCs), to better reflect the current regulatory landscape and corporate governance. The aim is not only to enhance disclosures on risk management and internal controls in annual reports, but also to ensure directors conform to the listing requirements. They are also encouraged to strengthen the obligations of management, as well as the board on risk management and internal controls, including implementation and monitoring.

    According to Datin Josephine Low, president of IIA Malaysia and chief audit executive of the group internal audit department of Tan Chong Motor Holdings Berhad, one of the largest automotive organisations in Malaysia, the new guidelines incorporate the various amendments in the Malaysian Code of Corporate Governance and Bursa's listing requirements. She noted that even though the key principles underlying the original guidance are timeless, the rapid changes we have seen in today's business and operating environments have spurred us to undertake this vital revision to enable organisations to be more efficient in developing and maintaining a more robust and effective system of internal controls and risk management, which can enhance their long-term success.

    [Photo: Petronas Twin Towers at night, Kuala Lumpur, Malaysia]

    Low added: The revised guidelines have put in place the timely need for significant evaluation of the effectiveness of the risk assessment processes that not only include the traditional internal controls over financial reporting, but also ascertain that controls over risk management systems are being firmly put in place.

    For example, the CEO and chief financial officer are now required to tell the board whether the company's risk management and internal control systems are operating adequately and effectively, while the board is responsible for establishing a sound framework to manage risk. It is not merely about preparing a statement on internal controls and risk management, but also about enhancing investor confidence by providing comprehensive information about risk management practices, according to Low.

    Banking

    The other sector that is ahead of the pack is banks, although not all are listed on the stock exchange. Lessons had already been learnt from the 1998 Asian financial crisis and, as a result, they are in much better shape than their Western counterparts. Overall, the risk management culture in the banking sector is very strong, although there is always room for improvement, says Jeroen Thijs, chief risk officer at Bank Islam Malaysia Berhad. The main trend we are seeing at the moment is compliance with Basel III. Unlike in the West, the regulator, the Central Bank of Malaysia, seems, at this stage, keen to implement it fully and not have it watered down. As for risks, there is concern over the increasing debt levels of the ordinary consumer, and the move towards regionalisation is introducing different geographical risk elements. Asia may be seen as homogenous, but the culture and products that people want differ.

    The push for regionalisation is being spearheaded by the Bank Negara Malaysia (BNM) as part of its ten-year financial sector blueprint 2011-2020. The aim is to encourage greater regional and international participation of Malaysian financial institutions. This includes facilitating cross-border financial transactions, financial integration, regional trade and investment, as well as the internationalisation of Islamic finance. However, BNM hopes it will be a two-way street, with foreign banks playing a bigger role in the country's financial services landscape. The door has been slowly opening since 2009, with several areas being liberalised, namely investment banking, the insurance and takaful (a type of Islamic insurance) sectors, as well as Islamic finance. Foreign investment in Malaysian commercial banks, however, remains restricted.

    [Photos: Traditional dancers; Kuala Lumpur city skyline at sunset]

    Lynn Strongin Dodds is a freelance financial and business journalist

    While listed companies and banks are expected to continue making strides, the pace is much slower for those outside these two spheres. Enterprise risk management (ERM) is well understood by listed companies within Malaysia, but project risk management, particularly within the construction industry, has yet to reach the same level of maturity, says Dr Robert Chapman FIRM, head of risk management at MMC-Gamuda. The MRT Corporation has engaged MMC-Gamuda as the project delivery partner for the Klang Valley Mass Rapid Transit (KVMRT) project, which is a multi-billion Ringgit undertaking, involving 41.5km of viaduct and 9.5km of tunnels, 34 stations and two depots.

    Chapman adds: The key issue for major construction projects in Malaysia is a common lack of project and risk management expertise within contracting organisations, combined with skilled labour shortages. The project has encouraged participating contractors to enrol their staff in professional project risk management training to raise awareness and competency levels. However, the level of interest to date has been very low.

    Adoption

    Mohamad Mohamad Zain, vice president, group business assurance, Telekom Malaysia, and chairman of the Malaysian Risk Management Association (MARIM), concurs that the main challenge is to ensure that organisations across the industry spectrum adopt robust risk management practices. Most major projects initiated by the public sector lack risk management and have ended up wasting taxpayers' money, due to the escalation of a project's cost or extension of the deadline. This is because the risk management culture is still low, except for PLCs, because they have to comply with the Malaysian Code on Corporate Governance 2000, which is monitored and updated by the Bursa Malaysia and Securities Commission of Malaysia.

    One of the main problems is finding certified risk management personnel. Most risk managers in Malaysia start off their risk management careers in the insurance industry, says Zain. They may then end up as a risk manager in a PLC that requires immediate personnel to run their risk management programme in compliance with the Malaysian Code on Corporate Governance.

    There are moves, though, to rectify the situation. MARIM is trying to encourage the private sector to emulate its publicly-listed brethren by providing platforms and forums for risk managers, to enable exchange of ideas on how to implement and improve within their respective organisation. It is also spearheading the campaign to have ISO 31000, which provides guidelines, principles, a framework and process for managing risk, adopted and converted to MS ISO 31000 (MS = Malaysian Standard). Using ISO 31000 can help organisations achieve objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment, according to Zain.

    [Photos: Low Yat Plaza, Kuala Lumpur; Street vendor in Kuala Lumpur]

    The issue of accreditation might seem terribly complex, but it is actually rather simple.

    Much work has already been done by many organisations around the world. The Risk Management Institution of Australasia (RMIA), for instance, has already carried out a tremendous amount of work on a professionalism system for risk management. The Federation of European Risk Management Associations (FERMA) is also carrying out some work, as are, jointly, the Association of Insurance and Risk Managers in Industry and Commerce (Airmic) and The Chartered Insurance Institute (CII).

    But we need to look beyond insurance, and at what is being done elsewhere.

    I speak at conferences covering other areas of risk management, where exactly the same debates over certification are happening. Be it audit and compliance, occupational health and safety, or any of the various others, you hear the same refrain about the professionalisation of risk management, because each world sees risk management as belonging to them.

    The foundation

    The above brings a number of points home. First off, if we are going to build something, and I would suggest that we have to build a certification system, it has to be global and it has to be enterprise risk management (ERM) focused. I know people argue about the detail of ISO 31000, but we stand every chance of looking stupid if we fail to build everything we do around that international standard.

    If we look at other professions (accountancy, law, medicine and engineering), they all have global systems of certification, where a certain small number of things are held in common. Clearly, there is individualism within each of the specialities in these professions. These professions have shown the way.

    In the US, the American National Standard Institute (ANSI) says that there are four elements belonging to a profession, and all professions operating within the States work to this principle.

    These are: experience; qualifications; continued professional development; and a code of conduct/ethics.

    You cannot have a certification scheme that does not take experience into account. Qualifications are equally important. I would refuse brain surgery from someone qualified as a lawyer, no matter how many operations they had previously performed. But, when it comes to risk management, this is effectively what we do.

    Continuing professional development, the extension of experience into the future, is crucial. And it goes without saying that a code of conduct or a code of ethics is absolutely critical to any profession.

    Non-negotiable

    These four elements are non-negotiable. Our certification framework will not stand up without them. It will look ridiculous, particularly when our boardroom colleagues comply with these four factors.

    But we also need to consider whether we should induct grey-hairs and no-hairs into our certification system. We might want to consider a way to get into that certification scheme that does not require taking a whole new set of qualifications.

    So how do we go about doing all of this? It is simple.

    We must define a common framework at a high level. At IRM, we have spent around nine months looking at all the major risk management certification frameworks. There are around 60 to 70 that we managed to find. We then carried out a meta-level analysis of the common factors among them. We asked: what are the common core competencies between, for example, project risk management, insurable risk, market and credit risk, and so on and so forth?

    This has given us a base from which to develop a certification framework. And within the coming months, we will build on this and bring you the latest developments on certification.

    Fowler's comments were adapted from a speech at Global Risk Frontiers, London, UK, a Commercial Risk Europe event.

    Steve Fowler FIRM is IRM chief executive

    IRM CERTIFICATION

    KEEPING IT SIMPLE

    AS THE DEBATE OVER CERTIFICATION RUMBLES ON, IRM CHIEF EXECUTIVE STEVE FOWLER FIRM CALLS FOR AN UNCOMPLICATED DISCUSSION


    In moving beyond its UK home and becoming a truly international organisation, IRM's natural market has primarily been where English is the business language.

    English is increasingly the language of continental Europe, but I am still keen to encourage IRM to continue building a closer relationship with the rest of Europe.

    I see two principal benefits. First, IRM can help to strengthen the position of enterprise risk management (ERM) in European directives. Second, IRM members need to be aware of how risk management in Europe works, even if they are outside the EU.

    Anglo-Saxon origins

    As a specific, professional function, risk management has strong Anglo-Saxon origins, but its practice within Europe takes place within a framework of EU-origin regulations.

    Beyond the member states, European directives are still influential because the EU is the world's largest trading bloc and the second largest economy in the world.

    At the same time, the business culture in each country in Europe is different, and we know how important culture is in the way a company deals with risk, whatever the rules intend.

    You have to adapt your approach to the local business culture, as IRM is demonstrating through accreditation of local training bodies that can provide relevant material and local case studies.

    Thought leadership

    The Federation of European Risk Management Associations (FERMA), of which I served as president for four years and now act as technical advisor, is the principal organisation lobbying the European institutions on risk management issues.

    Through the development of its thought leadership projects, such as its white papers, IRM can add to the theoretical dimension of the case that risk managers put to the commission on specific proposals.

    In my experience, members of the commission appreciate an argument that has an academic grounding presented in tandem with the practitioner's knowledge.

    Consider, for example, the draft directive on corporate social responsibility that will shortly go to the European parliament. It would require that all companies with more than 500 employees disclose information on policies, risks and results on issues such as the environment, social and employee-related aspects, and respect for human rights. But disclosure alone does not mean that the risks are controlled.

    Professional development

    Second, when it comes to professional education, IRM is in close discussion with FERMA about the proposed European certificate in risk management. It is too early for me to say more than that now, but both organisations believe strongly in the value of a portable, international recognition of enterprise risk management competence.

    Whatever happens in terms of this certification, there is a strong community of interest between IRM and FERMA in risk management education and the professional development of young risk managers in Europe.

    We hope to see many of these young risk professionals join us at our biannual risk forum. This year the forum is taking place in Maastricht, in the Netherlands, from 29 September to 2 October.

    I believe IRM and FERMA can build on each other's strengths to influence the European regulatory framework and develop the knowledge that risk managers need to implement it.

    For more information on the FERMA Forum 2013, see www.ferma.eu/ferma-forum-2013.

    IRM FOCUS DIRECTOR'S CUT

    EUROVISION

    IRM BOARD DIRECTOR DR MARIE GEMMA DEQUAE DISCUSSES THE INSTITUTE'S WORK WITH CONTINENTAL EUROPE

    Marie Gemma Dequae is an honorary life member of IRM, a member of its board, and technical director at the Federation of European Risk Management Associations (FERMA)

    THE INSTITUTE OF RISK MANAGEMENT

    To find out how a qualification from the Institute of Risk Management can help you, visit www.theirm.org, email us at [email protected] or contact one of our team on +44 (0)207 709 9808

    IRM's qualifications are internationally recognised, providing practical, sector independent skills that can be applied anywhere in the world.

    Whether you are new to risk management, an experienced risk practitioner looking for a formal qualification or a risk specialist requiring a broader understanding, IRM can help.

    Course enrolment is from: 1st September 2013 to December 31st 2013

    Why take an IRM qualification?

    Achieve a globally recognised qualification
    Gain practical, transferable skills
    Offered on an on-line, distance learning basis
    Build your own network of international contacts
    Enhance your career opportunities and earning potential


    GHISLAIN GIROUX DUFORT MIRM ASKS HOW RISK PROFESSIONALS CAN HANDLE EMPLOYEE RESISTANCE TO CHANGE

    Ghislain Giroux Dufort MIRM is president of Baldwin Risk Strategies, a member of IRM's global education advisory board and a member of the strategic risk council of the Conference Board of Canada

    HOW TO... SOFT SKILLS

    Most risk catastrophes are not due to deficient policies and procedures but rather to wrong-headed behavioural norms: a blind adherence to rules at the expense of sensible risk judgement in the heat of a crisis or, at the other end of the spectrum, a casual and tolerated, if not encouraged, disregard for risk management rules.

    The way we do things around here, the risk culture of the organisation, is often more important than the formal risk management framework or system.

    That is why IRM published two documents on risk culture last autumn: guidance for boards and resources for practitioners. At the core of IRM's risk culture framework lies the individual's predisposition to risk. Personal ethics, group behaviours and organisational culture combine with this core personal attitude to risk, interacting with each other to form the company's risk culture. The guidance recommends that boards should request a diagnostic of their organisational risk culture and ask ten questions along four major aspects: tone at the top; governance; decision-making; and competency.

    In the real world

    When a state-owned energy company started embedding an enterprise risk management (ERM) framework, led by a team of six with strong board backing, it became clear that the company's risk universe and levels of risk were widening and heightening, calling into question the risk management competency of existing personnel and management.

    Insecurity brewed, and resistance to ERM implementation grew. To alleviate this problem, the ERM team asked the CEO to gather and speak to all key leaders of the company about the importance of risk management for its future.

    He told them that although new personnel were required, every existing employee who recognised their own failings, embraced ERM and trained adequately would have a place in the company. This would be valuable not only to the company, but also to each individual willing to learn and change. This speech was followed up with a regular newsletter from the CEO on ERM implementation progress, which substantially helped to facilitate the change process.

    The second case concerns an entrepreneurial consumer goods manufacturer. Facing revolutionary technological change, the chief financial officer convinced colleagues that it would be appropriate to implement ERM. But the CEO, part of the family that ran the business, was lukewarm about the idea and fearful that it could neutralise the firm's entrepreneurial and autonomous culture.

    In response to those concerns, ERM was implemented lightly, and at minimal cost, by only one person, pr

