
Risk Management

Module 2
Impact of Risk on Organizations

Level of Risk

Following the events in the world financial system during 2008, all organizations are
taking a greater interest in risk and risk management. It is increasingly understood that the
explicit and structured management of risks brings benefits. By taking a proactive approach to
risk and risk management, organizations will be able to achieve the following four areas of
improvement:

• Strategy, because the risks associated with different strategic options will be fully
analyzed and better strategic decisions will be reached.
• Tactics, because consideration will have been given to the selection of tactics and the
risks involved in the alternatives that may be available.
• Operations, because events that can cause disruption will be identified in advance and
actions taken to reduce the likelihood of these events occurring, limit the damage
caused by these events and contain the cost of the events.
• Compliance, because the risks associated with failure to achieve compliance with
statutory and customer obligations will be recognized.

It is no longer acceptable for organizations to find themselves in a position whereby
unexpected events cause financial loss, disruption to normal operations, damage to reputation
and loss of market presence. Stakeholders now expect that organizations will take full account
of the risks that may cause disruption within operations, late delivery of projects or failure to
deliver strategy.

The exposure presented by an individual risk can be defined in terms of the likelihood of
the risk materializing and the impact of the risk when it does materialize. As risk exposure
increases, the likely impact will also increase. Guide 73 refers to this measurement of likelihood
and impact as being the current or residual ‘level of risk’. This level of risk should be compared
with the risk attitude and risk appetite of the organization for risks of that type. The risk
appetite will sometimes be described as a set of risk criteria.

The term ‘magnitude’ is used to indicate the size of the event that has occurred or might occur.
The term ‘impact’ is used to define how the event affects the finances, operations, reputation
and/or marketplace (FIRM) of the organization. This use of terminology is also consistent with
the use of impact in business continuity planning evaluations. This is a measure of the risk at
the current level. The term ‘consequences’ is used in this book to indicate the extent to which
the event results in failure to achieve effective and efficient strategy, tactics, operations and
compliance (STOC).

Impact of Hazard Risks

Hazard risks undermine objectives, and the level of impact of such risks is a measure of their
significance. Risk management has its longest history and earliest origins in the management of
hazard risks. Hazard risk management is closely related to the management of insurable risks.
Remember that a hazard (or pure) risk can only have a negative outcome.

Hazard risk management is concerned with issues such as health and safety at work, fire
prevention, avoiding damage to property and the consequences of defective products. Hazard
risks can cause disruption to normal operations, as well as resulting in increased costs and poor
publicity associated with disruptive events. Hazard risks are related to business dependencies,
including IT and other supporting services. Most organizations are increasingly dependent on
their IT infrastructure, and IT systems can be disrupted by computer breakdown or fire in server
rooms, as well as by virus infection and deliberate hacking or other computer attacks.

Theft and fraud can also be significant hazard risks for many organizations. This is
especially true for organizations handling cash or managing a significant number of financial
transactions. Techniques relevant to the avoidance of theft and fraud include adequate security
procedures, segregation of financial duties, and authorization and delegation procedures, as
well as the vetting of staff prior to employment.

It is worth reflecting on terminology, because this is especially important in relation to
hazard risks when an event occurs. If a hazard risk materializes, it may have a very large magnitude,
such as the destruction of the main distribution warehouse of an organization. This large
magnitude event will have an impact on the organization related to potential financial costs,
destruction of infrastructure, damage to reputation and the inability to function in the
marketplace. Magnitude represents the gross or inherent level of the risk.

However, the impact of the event will be reduced because of the controls that are in
place. Impact represents the net, residual or current level of the risk. These controls reduce the
financial impact, the extent of destruction of infrastructure, as well as controls designed to
protect reputation and marketplace activities. But, what is also important for the organization
is the consequences of the major warehouse fire. These consequences relate to the effect that
the fire might have on the strategy, tactics, operations and compliance activities within the
organization. It is possible that a major fire will cause significant financial loss that is covered by
insurance, so that this large magnitude event has little impact on the finances of the
organization. Effective crisis management and business continuity will ensure that the
consequences of this major fire from the point of view of customers will be so well managed
that customers need not be aware that a major fire has taken place.

Finally, the importance of compliance risks should not be underestimated. Compliance
risks can be substantial for many organizations, especially those in business sectors that are
heavily regulated. In some cases, compliance with mandatory requirements represents a
‘license to operate’, and failure to achieve the level of compliance activities required by the
relevant regulator can have a significant impact on the reputation of the organization and
substantial consequences for routine business activities.

Attachment of Risks

Although most standard definitions of risk refer to risks as being attached to corporate
objectives, Figure 2.1 provides an illustration of the options for the attachment of risks. Risks
are shown in the diagram as being capable of impacting the key dependencies that deliver the
core processes of the organization. Corporate objectives and stakeholder expectations help
define the core processes of the organization. These core processes are key components of the
existing nature and future enhancement of the business model and can relate to operations,
tactics and corporate strategy, as well as compliance activities.

The intention of Figure 2.1 is to demonstrate that significant risks can be attached to
features of the organization other than corporate objectives. Significant risks can be identified
by considering the key dependencies of the organization, the corporate objectives and/or the
stakeholder expectations, as well as by analysis of the core processes of the organization. For
example, the failure of Northern Rock occurred because the wholesale money markets, on
which the bank depended, stopped functioning. Another way of viewing the concept of
attachment of risks is to consider that the features shown in Figure 2.1 offer alternative starting
points for undertaking a risk assessment. For example, a risk assessment can be undertaken by
asking ‘what do stakeholders expect of us?’ and ‘what risks could impact the delivery of those
stakeholder expectations?’

In the build-up to the recent financial crisis, banks and other financial institutions
established operational and strategic objectives. By analyzing these objectives and identifying
the risks that could prevent the achievement of them, risk management made a contribution to
the achievement of the high-risk objectives that ultimately led to the failure of the
organizations. This example illustrates that attaching risks to attributes other than objectives is
not only possible but may well have been desirable in these circumstances. It is clearly the case
that risks are greater in circumstances of change. Therefore, linking risks to change objectives is
not unreasonable, but the analysis of each objective in turn may not lead to robust risk
recognition/identification. In any case, business objectives are usually stated at too high a level
for the successful attachment of risks.

To be useful to the organization, the corporate objectives should be presented as a full
statement of the short-, medium- and long-term aims of the organization. Internal, annual,
change objectives are usually inadequate, because they may fail to fully identify the operational
(or efficiency), change (or competition) and strategic (or leadership) requirements of the
organization.

The most important disadvantage associated with the ‘objectives-driven’ approach to
risk and risk management is the danger of considering risks out of the context that gave rise to
them. Risks that are analyzed in a way that is separated from the situation that led to them will
not be capable of rigorous and informed evaluation. It can be argued that a more robust
analysis can be achieved when a ‘dependencies-driven’ approach to risk management is
adopted. It remains the case that many organizations continue to use an analysis of corporate
objectives as a means of identifying risks, because some benefits do arise from this approach.
For example, using this ‘objectives-driven’ approach facilitates the analysis of risks in relation to
the positive and uncertain aspects of the events that may occur, as well as facilitating the
analysis of the negative and compliance aspects.

If the decision is taken to attach risks to the objectives of the organization, it is
important that these objectives have been fully and completely developed. Not only do the
objectives need to be challenged to ensure that they are full and complete, but the
assumptions that underpin the objectives should also receive careful and critical attention.

Core processes are discussed in Chapter 19 and may be considered as the high level
processes that drive the organization. In the example of a sports club, one of the key processes
is the operational process of ‘delivering successful results on the pitch’. Risks may be attached
to this core process, as well as being attached to objectives and/or key dependencies. Core
processes can be classified as strategic, tactical, operational and compliance (STOC). In all cases,
the core processes need to be effective and efficient. Mature (or sophisticated) risk
management activities can then be designed to enhance the effectiveness and efficiency of
core processes. Although risks can be attached to other features of the organization, the
standard approach is to attach risks to corporate objectives. One of the standard definitions of
risk is that it is something that can impact (undermine, enhance or cause doubt about) the
achievement of corporate objectives. This is a useful definition, but it does not provide the only
starting point for identifying significant risks.

Attachment of risks to key dependencies and, especially, stakeholder expectations is
becoming more common. The use of key dependencies to identify risks can be a
straightforward exercise. The organization will need to ask which features or
components of the organization and its external context are key to success. This will result
in the identification of the strengths, weaknesses, opportunities and threats facing the
organization. This is often referred to as a SWOT analysis.

Risk and Reward

Another feature of risk and risk management is that many risks are taken by
organizations in order to achieve a reward. Figure 2.2 illustrates the relationship between
the level of risk and the anticipated size of reward. A business will launch a new product
because it believes that greater profit is available from the successful marketing of that
product. In launching a new product, the organization will put resources at risk because it has
decided that a certain amount of risk taking is appropriate. The value at risk represents the risk
appetite of the organization with respect to the activity that it is undertaking.

When an organization puts value at risk in this way, it should do so with the full knowledge of
the risk exposure and it should be satisfied that the risk exposure is within the appetite of the
organization. Even more important, it should ensure that it has sufficient resources to cover the
risk exposure. In other words, the risk exposure should be quantified, the appetite to take that
level of risk should be confirmed, and the capacity of the organization to withstand any
foreseeable adverse consequences should be clearly established.
Not all business activities will offer the same return for the same level of risk taken. Start-up
operations are usually high risk and the initial expected return may be low. Figure 2.2
demonstrates the probable risk versus reward development for a new organization or a new
product. The activity will commence in the bottom right-hand corner as a start-up operation,
which is high risk and low return.

As the business develops, it is likely to move to a higher return for the same level of risk.
This is the growth phase for the business or product. As the investment matures, the reward
may remain high, but the risks should reduce. Eventually, an organization will become fully
mature and move towards the low-risk and low-return quadrant. The normal expectation in
very mature markets is that the organization or product will be in decline.

The particular risks that the organization faces will need to be identified by management or by
the organization. Appropriate risk management techniques will then need to be applied to the
risks that have been identified. The nature of these risk responses and the nature of their
impact is considered in Part Four of this book.

The above discussion about risk and reward applies to opportunity risks. However, it must
always be the case that risk management effort produces rewards. In the case of hazard risks, it
is likely that the reward for increased risk management effort will be fewer disruptive events. In
the case of project risks, the reward for increased risk management effort will be that the
project is more likely to be delivered on time, within budget and to specification/quality.

For opportunity risks, the risk versus reward analysis should result in fewer unsuccessful
new products and a higher level of profit or (at worst) a lower level of loss for all new activities
or new products. In all cases, profit or enhanced level of service is the reward for taking risk.
The concept of the risk versus reward analysis in relation to strategic risks is considered in more
detail in Figure 15.2.

Attitudes to Risk

Different organizations will have different attitudes to risk. Some organizations may be
considered to be risk averse, whilst others will be risk aggressive. To some extent, the attitude
of the organization to risk will depend on the sector and the nature and maturity of the
marketplace within which it operates, as well as the attitude of the individual board members.

Risks cannot be considered outside the context that gave rise to them. It may appear
that an organization is being risk aggressive, when in fact, the board has decided that there is
an opportunity that should not be missed. However, the fact that the opportunity entails high
risk may not have been fully considered.

One of the major contributions from successful risk management is to ensure that
strategic decisions that appear to be high risk are actually taken with all of the information
available. Improvement in the robustness of decision-making activities is one of the key
benefits of risk management. Attitude to risk is a complex subject and is closely related to the
risk appetite of the organization, but they are not the same. Risk attitude indicates the
long-term view of the organization to risk and risk appetite indicates the short-term willingness
to take risk. This is similar to the difference between the long-term or established attitude of an
individual towards the food they eat and their appetite for food at a particular moment in time.

Other key factors that will determine the attitude of the organization to risk include the
stage in the maturity cycle, as shown in Figure 2.2. For an organization that is in the start-up
phase, a more aggressive attitude to risk is required than for an organization that is enjoying
growth or one that is a mature organization in a mature marketplace. Where an organization is
operating in a mature marketplace and is suffering from decline, the attitude to risk will be
much more risk averse.

It is because the attitude to risk has to be different when an organization is a startup
operation rather than a mature organization, that it is often said that certain high-profile
businessmen are very good at entrepreneurial start-up but are not as successful in running
mature businesses. Different attitudes to risk are required at different parts of the business
maturity cycle shown in Figure 2.2.

The referendum in the UK on continued membership of the European Union (EU) in
June 2016 resulted in a vote in favour of British exit (Brexit). The UK government has to activate
the procedure for the UK to leave the EU. The text box below provides an outline of the most
commonly discussed options available to the UK government. Overall, the challenge for the UK
government is to ensure the continued success of the UK economy based on a Brexit strategy
and tactics that will ensure the continued resilience of the UK.

Risk and Triggers

Risk is sometimes defined as uncertainty of outcomes. This is a somewhat technical, but
nevertheless useful, definition and it is particularly applicable to the management of control
risks. Control risks are the most difficult to identify and define, but are often associated with
projects. The overall intention of a project is to deliver the desired outcomes on time, within
budget and to specification, quality or performance.

For example, when a building is being constructed, the nature of the ground conditions
may not always be known in detail. As the construction work proceeds, more information will
be available about the nature of the conditions. This information may be positive news that the
ground is stronger than expected and less foundation work is required. Alternatively, it may be
discovered that the ground is contaminated or is weaker than expected or that there are other
potentially adverse circumstances, such as archaeological remains being discovered.

Given this uncertainty, these risks should be considered to be control risks and the
overall management of the project should take account of the uncertainty associated with
these different types of risk. It would be unrealistic for the project manager to assume that only
adverse aspects of the ground conditions will be discovered. Likewise, it would be unwise for
the project manager to assume that conditions will be better than expected, just because s/he
wants that to be the case.

Because control risks cause uncertainty, it may be considered that an organization will
have an aversion to them. Perhaps, the real aversion is to the potential variability in outcomes
that then need to be managed. A certain level of deviation from the project plan can be
tolerated, but it must not be too great. Tolerance in relation to control risks can be considered
to have the same meaning as in the manufacture of engineering components, where the
components must be of a certain size, within acceptable tolerance limits.

A means of representing the risk management process so that it becomes more
accessible to managers and other stakeholders concerned with risk management activities is
constantly developing. One of the tools for representing risk management activities that has
recently been developed is the bow-tie. Figure 2.3 shows a simple representation of the
bow-tie applicable to events that can cause disruption to normal efficient operations.

The left-hand side of the bow-tie represents the source of a particular hazard and will
indicate the classification system used by the organization for sources of risk. In Figure 2.3,
the sources of risk used are the high-level sources of strategic, tactical, operational and
compliance (STOC) risks. The right-hand side of the bow-tie sets out the impact should the risk
events occur, and Figure 2.3 uses the high-level components of financial, infrastructure,
reputational and marketplace (FIRM) impact of a risk materializing.

In the center of the bow-tie is the risk event. Table 3.2 indicates the categories of
disruption that can affect organizations, and the same categories of people, premises,
processes and products are used here. The purpose of using the bow-tie illustration is to
demonstrate the risk classification systems used by the organization and the potential range of
impacts should a risk materialize. Controls can be put in place to prevent the event occurring
and these can be represented by vertical lines on the left-hand side of the bow-tie. In a similar
manner, recovery controls can be represented on the right-hand side of the bow-tie.

The bow-tie representation of the risk management process can be used in many ways,
including the representation of opportunity risks. Additionally, the bow-tie can be used to
illustrate the various types of controls that are available to organizations and this is discussed in
more detail in Chapter 13 on loss control. Use of the bow-tie has become widespread,
especially in the public sector. The box below provides a practical application of the bow-tie to
the identification of preventive and response controls related to a fire in the kitchen of a
residential home.
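The bow-tie described above, together with the distinction this module draws earlier between the gross magnitude of a hazard event and its residual impact once controls are in place, can be expressed as a small model. The following Python is an added illustration and is not part of Hopkin's text or this module: the `BowTie` and `Control` classes, the warehouse-fire figures and the risk criteria are all constructed assumptions for the example, chosen only to show how preventive controls on the left-hand side reduce likelihood, recovery controls on the right-hand side reduce each FIRM impact, and the resulting level of risk is compared with the organization's risk criteria.

```python
"""Bow-tie model of a disruptive event (added illustration with constructed
values; not taken from Hopkin's text).

Left-hand side: the STOC source of risk and the preventive controls that reduce
the likelihood of the central risk event. Right-hand side: the FIRM impact
categories and the recovery controls that reduce each impact. The gross
(inherent) figures stand for the 'magnitude' of the event; the figures after
controls stand for its 'impact', i.e. the net, residual or current level of risk.
"""
from dataclasses import dataclass, field

FIRM = ("finances", "infrastructure", "reputation", "marketplace")
STOC = ("strategic", "tactical", "operational", "compliance")


@dataclass
class Control:
    name: str
    reduction: float  # fraction (0..1) removed from likelihood or from an impact


@dataclass
class BowTie:
    event: str
    source: str                       # one of STOC (left-hand side of the bow-tie)
    gross_likelihood: float           # events per year before any control
    gross_impact: dict                # FIRM category -> magnitude (money units)
    preventive: list = field(default_factory=list)  # left-hand side controls
    recovery: dict = field(default_factory=dict)    # FIRM category -> [Control]

    def __post_init__(self):
        # Reject inputs that do not fit the STOC / FIRM classification systems.
        if self.source not in STOC:
            raise ValueError(f"unknown source of risk: {self.source}")
        unknown = set(self.gross_impact) - set(FIRM)
        if unknown:
            raise ValueError(f"unknown impact categories: {sorted(unknown)}")
        all_controls = self.preventive + [c for cs in self.recovery.values() for c in cs]
        for control in all_controls:
            if not 0.0 <= control.reduction <= 1.0:
                raise ValueError(f"control {control.name!r} has reduction outside 0..1")

    def residual_likelihood(self) -> float:
        """Likelihood after every preventive control has been applied."""
        likelihood = self.gross_likelihood
        for control in self.preventive:
            likelihood *= 1.0 - control.reduction
        return likelihood

    def residual_impact(self) -> dict:
        """Impact per FIRM category after the recovery controls for that category."""
        result = {}
        for category, magnitude in self.gross_impact.items():
            for control in self.recovery.get(category, []):
                magnitude *= 1.0 - control.reduction
            result[category] = magnitude
        return result

    def level_of_risk(self, residual: bool = True) -> dict:
        """Likelihood x impact per FIRM category: the 'level of risk'."""
        likelihood = self.residual_likelihood() if residual else self.gross_likelihood
        impact = self.residual_impact() if residual else self.gross_impact
        return {category: likelihood * impact[category] for category in impact}


def compare_with_appetite(bowtie: BowTie, risk_criteria: dict) -> dict:
    """Report, per FIRM category, whether the residual level of risk sits within
    the organization's risk criteria (maximum acceptable likelihood x impact).
    A category with no criterion is reported as 'not assessed' rather than
    silently treated as acceptable."""
    verdict = {}
    for category, level in bowtie.level_of_risk().items():
        if category not in risk_criteria:
            verdict[category] = "not assessed"
        elif level > risk_criteria[category]:
            verdict[category] = "outside appetite"
        else:
            verdict[category] = "within appetite"
    return verdict


# Constructed sample: a fire destroying the main distribution warehouse, the
# module's own illustration of a large-magnitude hazard event. Every number
# here is invented for the example.
WAREHOUSE_FIRE = BowTie(
    event="fire destroys main distribution warehouse",
    source="operational",
    gross_likelihood=0.2,
    gross_impact={"finances": 1_000_000, "infrastructure": 800_000,
                  "reputation": 400_000, "marketplace": 600_000},
    preventive=[Control("fire prevention and hot-work permits", 0.5),
                Control("sprinkler and detection system", 0.5)],
    recovery={"finances": [Control("property and business-interruption insurance", 0.75)],
              "marketplace": [Control("business continuity plan", 0.5)],
              "reputation": [Control("crisis communications plan", 0.25)]},
)

# Constructed risk criteria: maximum tolerated expected annual loss per category.
RISK_CRITERIA = {category: 20_000 for category in FIRM}

if __name__ == "__main__":
    print("gross level of risk   :", WAREHOUSE_FIRE.level_of_risk(residual=False))
    print("residual level of risk:", WAREHOUSE_FIRE.level_of_risk())
    print("appetite check        :", compare_with_appetite(WAREHOUSE_FIRE, RISK_CRITERIA))
```

With these sample figures the two preventive controls cut the likelihood from 0.2 to 0.05 per year, and insurance reduces the financial impact from 1,000,000 to 250,000, so the financial level of risk falls within the 20,000 criterion. Infrastructure has no recovery control in the sample and is the one category reported as outside appetite, which is exactly the gap a bow-tie is meant to make visible.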
---End---

References:

Hopkin, P. (2017). Fundamentals of Risk Management: Understanding, Evaluating and
Implementing Effective Risk Management, Fourth Edition.
