
Building up for the future

Area focus: Malaysia

Out of this world


Is a manned mission to Mars worth the risk?

IRM Risk Leaders Conference 2013: Insights, guidance and expert advice

Member profile: Malaysian member Zalina Jaus

The official magazine of the Institute of Risk Management www.rmprofessional.com | Summer 2013

Is your business taking risk seriously?

Faking it?

Fed up with the fight?

AVAILABILITY SERVICES MAKE A RECOVERY, NOT WAR


If getting the resources you need is a constant battle, we can help.
Having completed more than 100,000 recovery tests, we found that some businesses just have a plan, while others continuously test and sync it with the rest of the business. But time and again, resource is the main issue. It's impossible to test, or recover, without technical support from colleagues outside your department, but they will already be battling with their own priorities. At SunGard Availability Services, we can manage your entire testing and recovery environment, including the process, tasks and the recovery itself. Our experts work side-by-side with you to review and develop your plans and define procedures. Together, we make sure the plan is in line with your production environment from design to testing to change control. And we are ready to perform the test and carry out the recovery for your business 24/7/365. SunGard's Managed Recovery Programme can help you focus your energy on building your business, rather than fighting over how to get up and running following a disaster.

Discover a less stressful route to recovery and request a free consultation by calling 0800 143413 or find out more at www.sungard.co.uk/MRP
SunGard and the SunGard logo are trademarks or registered trademarks of SunGard Data Systems Inc. or its subsidiaries in the U.S. and other countries. All other trade names are trademarks or registered trademarks of their respective holders.

IRM chairman: Richard Anderson FIRM
Chief executive officer: Steve Fowler FIRM
Deputy chief executive: Sophie Williams MIRM
Head of marketing: Fiona Duhig, fiona.duhig@theirm.org, Tel: +44 (0)20 7709 9808
Managing editor: Tom Bovingdon, tom.bovingdon@theirm.org, Tel: +44 (0)20 7709 9808
Editor: Phil Lattimore, phil.lattimore@rmprofessional.com, Tel: +44 (0)7802 870008
Design and production: CPL (Cambridge Publishers Ltd), 275 Newmarket Road, Cambridge CB5 8JE, Tel: 01223 477411, Web: www.cpl.co.uk
Advertising manager: Richard Walters, Tel: +44 (0) 1223 477 428, richard.walters@rmprofessional.com

Risk Management Professional is the official publication of the Institute of Risk Management (IRM). ISSN 2042-4078

IRM is the world's leading enterprise-wide risk education institute. We are independent, well-respected advocates of the risk profession, owned by practising risk professionals and operate internationally, with members and students in more than 100 countries.

Institute of Risk Management, 6 Lloyd's Avenue, London EC3N 3AX, Tel: +44 (0)20 7709 9808, Fax: +44 (0)20 7709 0716, www.theirm.org, enquiries@theirm.org

Copyright 2013 Institute of Risk Management. All rights reserved. Reproduction without written permission is strictly forbidden. The views of outside contributors are not necessarily the views of IRM, its editor or its staff.

EDITORIAL

Real deal?

How many of us are pretending to be something we're not? Can you, hand on heart, say you practise everything you believe in? Can you faithfully attest that you stay true to your convictions? Will you draw your last breath without any regrets? Do you always speak out when something is wrong?

The overwhelming reaction to Edward Snowden, the whistleblower who exposed US government-agency snooping on an unprecedented scale, has been to laud him as a hero. Be it ex-Olympus CEO Michael Woodford, who spoke at last year's IRM Risk Leaders Conference, or ex-HBOS head of group regulatory risk Paul Moore, who will speak at this year's event on 4 November, our reaction is to shake their hand, congratulate them on their courage and admire their bravery. Is this because they do what we would not, or because they have acted as we would?

Snowden exposed the US National Security Agency's state surveillance and is now seeking refuge in Hong Kong. But how many other organisations have secrets to hide? How about your firm? Does it take risk management seriously or is its interest counterfeit, a sham and fabrication? One risk professional wants to find out if your firm is faking it (p12-14).

And, in an age of villains and heroes, we look ahead to IRM's Risk Leaders Conference, where Paul Moore is joined by Sharon Shoesmith, the former head of children's services at Haringey Council (p42-43), to discuss integrity and doing the right thing. Our features also include a report on operational risk (p16-17), a discussion around the Mars One mission (p18-21), an examination of the semantics of risk (p22-25) and an area focus on Malaysia (p26-29). Enjoy the magazine.

Tom Bovingdon
Managing editor
RMProfessional


Regulars

6 News
The latest risk management news and views, from cyber risks and telecoms security to climate change impact studies and food shortage forecasts

11 Chairman's column
IRM chairman Richard Anderson FIRM explains how risk management professionals can help organisations prepare for the future

34 Book reviews
Featuring Enterprise risk management: straight to the point - an implementation guide function by function by Al Decker and Donna Galer, and Risk management by Paul Hopkin FIRM

IRM Focus

35 CEO's message
IRM's chief executive, Steve Fowler FIRM, asks what the future may bring for the risk profession

36 News
IRM updates, including the launch of the Pan-Asian Risk & Insurance Management Association (PARIMA); developments in the Gulf; calls for member involvement; plus the latest news from IRM's special interest and regional groups

41 Learning evolution
Exploring the shifting educational landscape for the risk profession and outlining IRM's aims for the future

42 Do the right thing
Preview of IRM's Risk Leaders Conference 2013, an event that promises insights on risk and integrity and access to key risk experts

44 Forward thinking
The latest issues, ideas and initiatives from IRM's thought leadership activities

46 Brand and deliver
We report on the recent IRM Forum, which saw hundreds of leading risk professionals gather to discuss reputation, brand management and survival

48 Appointments/careers
Members taking on new roles, plus a Q&A with businesswoman and author Margaret Heffernan, a keynote speaker at IRM's Risk Leaders Conference

49 Welcome to IRM
The latest additions and changes to the IRM membership

50 Member profile: Zalina Jaus
The Malaysia-based senior risk manager talks to RMProfessional


CONTENTS SUMMER 2013

Features

12 Is your firm faking it?
Many organisations and their leaders talk about the importance of risk management, but for some it is a façade. So how do you tell the fakers from those that really care?

16 Lessons learned?
Organisations must question their cultures and learn lessons from risk events to reduce their operational losses, according to a study from ORIC

18 One small step, one giant risk
As Mars One starts accepting applications for a one-way trip to the Red Planet, we consider whether the dangers posed by the mission are outweighed by the threat of global catastrophe

22 Tower of Babel
Modern risk professionals must understand other definitions of risk, rather than simply focusing on their own interpretation

26 Building up
This issue, our regular regional overview spotlights Malaysia and explores how risk management culture is becoming increasingly important to its buoyant economy

30 Keeping it simple
IRM chief executive Steve Fowler FIRM outlines his vision for developing a comprehensive risk management certification framework

31 Euro vision
IRM board member Dr Marie Gemma Dequae discusses the institute's work with continental Europe

33 Breaking barriers
How risk managers can address employee resistance to implementing a new ERM culture

Still shooting the messenger


Organisations are getting better at addressing wrongdoing but are still 'shooting the messenger' when staff raise concerns, according to a study by Public Concern at Work (PCaW) and the University of Greenwich. Entitled Whistleblowing: the inside story - a study of the experience of 1,000 whistleblowers, the study found that the vast majority of individuals only ever raise their concern internally and that 85 per cent still either do not receive feedback, are unhappy with the investigation, continue to receive detrimental treatment at work or lose their jobs.

'We remain at risk of a culture of silence existing in too many workplaces where only the tenacious few will be willing to pursue their concern to a degree that stops or prevents harm,' the report said. It found that organisations have limited opportunities to listen to their staff, as a concern will only be raised once or twice at most. Cathy James, chief executive of PCaW, said that a whistleblower's journey is often fraught with threats, fears and contradictions, and can be incredibly stressful for the individual involved.

The study found that the top five concerns of 1,000 surveyed whistleblowers are: ethical (19 per cent); financial malpractice (19 per cent); work safety (16 per cent); public safety (11 per cent); and patient safety (eight per cent). Health, care, education, charities, local government, and financial services were the top six industries for those raising concerns. A typical whistleblower was found to be a skilled worker or professional working for the organisation for less than two years, who is concerned about a wrongdoing that is ongoing, affects wider society and has been occurring for less than six months. The study called on organisations to train frontline managers on how to be proactive, identify whistleblowing concerns, handle problems well and support whistleblowers.

US law a grave risk to UK citizens

Brussels says the wide-ranging US surveillance law that has allowed the British government to gather information from internet firms poses a grave risk to data protection and citizens' rights. A European Parliament coordinating body issued a report last year saying that a section of the Foreign Intelligence Surveillance Amendments Act (Fisaa) grants the US government what it describes as heavy-calibre mass surveillance firepower that could be brought to bear against individuals in Europe and elsewhere. The report says the 2008 Act has very strong implications on EU data sovereignty and protection of its citizens' rights. Despite the warning, foreign secretary William Hague dismissed as baseless the idea that the intelligence services' listening post GCHQ in Cheltenham had somehow got round UK law in its dealings with the US intelligence agency. Prime Minister David Cameron also said the UK agencies operated within the law and within a legal framework.

C-suite advised to leave ivory tower


Senior managers must eliminate internal barriers and earn their staff's respect in order to become more resilient, a report produced by Cranfield Business School on behalf of the Association of Insurance and Risk Managers (Airmic) has claimed. Roads to resilience, the follow-on report from 2011's Roads to ruin study, found that resilient firms exist where everyone is risk-aware because barriers between senior managers and their staff are reduced to a minimum. It advised the C-suite to 'escape from your ivory towers and engage with your staff'. The analysis of eight firms recommended that firms create cultures where all staff feel able to pass their views, including bad news, to senior management, with the role of the risk function to guide and educate colleagues, rather than create a risk management silo. John Hurrell, Airmic chief executive, said the findings were a great opportunity for risk managers, adding: 'They [risk professionals] are ideally placed to facilitate the development of a corporate culture where everyone owns the risk management process.' The findings were revealed as part of a briefing ahead of the full launch of the report this summer.

INDUSTRY FOCUS: NEWS ROUND-UP

Risk reporting can be opaque and detached

Risk management reporting by UK companies can be opaque, lacking in detail and detached from overall corporate strategy, a joint report by the Association of Insurance and Risk Managers (Airmic) and the Institute of Chartered Secretaries and Administrators (ICSA) has found. Finding a wide disparity in the quality of risk reporting by companies on the London Stock Exchange, the two bodies will urge the Financial Reporting Council (FRC) to tighten risk reporting when it updates the UK Corporate Governance Code later this year. 'If you're good at risk then why hide the fact?' said Airmic technical director Paul Hopkin FIRM. 'The impression is that many firms with strong stories to tell see risk reporting as little more than a compliance exercise. Yet the exercise can underpin confidence in the company.' Seamus Gillen, director of policy at ICSA, said that stakeholders and shareholders need to clearly see how risk management relates to strategy and opportunity. 'We need to see a more compelling, linked-up narrative,' he said. The review of 24 companies from the FTSE 100 and FTSE 250 found that firms in the leisure industry have a higher standard of risk reporting, while reports emanating from the food and drink sector were said to be uninformative. Reporting from chemical and pharmaceuticals companies, along with mining and energy firms, were found to be not generally of a high standard.

Employee migration set to rise

The number of workers moving jobs is set to rise to 4.3 million in 2015, as turnover levels continue to rise sharply in line with a growing economy. The next five years will see employee migration grow from 14.6 to 18 per cent, while by 2015, 765,000 more staff than in 2012 are forecast to depart for new employment. The figures have been collated by Hay Group, in association with the Centre for Economics and Business Research, as part of a report entitled Preparing for take off. Worryingly, the research highlights the lack of skilled workers in Britain, with 18 per cent of manufacturing firms having difficulty finding skilled staff. It also found that a quarter of new jobs created over the next five years will need skilled science and technology workers, but that there will be a shortage of suitable employees. Hay Group consultant Chris Smith said: 'People have been reluctant to leave their current role due to the turbulent labour market associated with the economic downturn, government spending austerity and the Eurozone crisis. As conditions improve, dissatisfied workers provide a significant risk for organisations of all shapes and sizes in the UK.'

Cyber attack warning

Cyber attacks are costing the UK economy up to £27bn a year and staff to combat the growing threat are in short supply, says the National Audit Office (NAO). It warns that it could take 20 years to address a skills gap, because the number of IT and cyber security professionals has not risen in line with the growth of the online economy. BAE Systems says that nearly half of all graduates and trainees hired this year will go into its cyber and security services business. The NAO also warned that there was a skills shortage among psychologists and risk managers, as well as specialist police, lawyers and accountants needed to manage and mitigate threats. In a bid to increase staff numbers, the government, in 2010, boosted spending on its National Cyber Security programme by £650m over four years. It also plans to make cyber security part of the GCSE computer science syllabus.

IRM is hosting a series of high-level roundtables during 2013 to discuss cyber risk.

JP Morgan fined £3.1m

JP Morgan's UK wealth management business has been fined more than £3m for failing to keep files on its clients up to date. The Financial Conduct Authority said the lapse put the bank's customers at risk of receiving the wrong investment advice. Failings persisted for two years until 2012, a time when the business was dealing with $29bn in assets from some 3,000 clients. The regulator said that the bank had failed to retain and update information on client objectives and risk tolerance, and that its computer system was inadequate. JP Morgan has now agreed to review all its customer files. A report in the Financial Times says that, so far, 1,500 files have been scrutinised and only one case with unsuitable investment has been found.

Risk calculation by banks wide of the mark

Banks are failing to make the grade when it comes to predicting loan defaults, says a report by Barclays. Some of the world's biggest institutions are miscalculating the riskiness of their balance sheets by an average of 13 per cent, the research shows. Nineteen banks took part in the study, which looked at data on predicted against actual losses on corporate, institutional and mortgage loans over the past five years. It found that banks missed the mark by an average of 54 per cent. Quoted in the Financial Times, Simon Samuels, the bank analyst who led the study, said: 'The good news is that banks seem to be erring on the side of caution. The bad news is that the forecasting error is quite substantial.' The paper says that the research highlights a problem for regulators and investors because default probabilities are critical when working out risk-weighted assets, which in turn are used to calculate the basic measure of bank safety: the core tier one capital ratio.

Climate study: New York facing grim future

New York is facing a future of rising temperatures and more floods, according to Mayor Michael Bloomberg. A report, commissioned by the mayor in the wake of Hurricane Sandy last October, concluded that by the middle of this century, almost one million New Yorkers could be living in a flood zone and the average daily temperature could be up to 7°F hotter. Quoted in the Daily Mail, Mr Bloomberg said: 'We have to anticipate threats, not only from hurricanes and other coastal storms, but also from droughts, heavy downpours and heatwaves.' The report said extreme weather in the region could become the norm, affecting the eight million people who live and work in the city.

German brewers voice fracking fears

Germany's brewing industry is calling for a ban on fracking, the controversial method of gas extraction, until the risk of water contamination can be ruled out. Chancellor Angela Merkel's government is producing a legal framework to strictly regulate the system, which involves the horizontal pumping of water and chemicals at high pressure into rocks to release trapped stores of gas. However, the country's brewers believe that water contamination is still an issue and fracking should not be allowed until more scientific research has been carried out. The industry relies heavily on water drawn from private wells, and a spokesman for the German Brewers Federation told the Financial Times: 'So long as fracking is not proven completely safe, [we say] hands off.' In the US, fracking has helped lower gas prices for industry, but in Germany and in other European countries, the UK included, there remains deep public scepticism.

Weather to hit food prices

Food producer Tate & Lyle has blamed volatile food prices, caused by changing weather patterns, as one of the reasons its pre-tax profits fell last year. The group was hit after a severe drought across North America last year caused a fungus to ravage corn crops in the region, pushing up prices. Tim Lodge, chief financial officer, quoted in the Financial Times, said the drought was 'like going back to the Steinbeck days in the 1930s. It just stopped raining and crops withered.' He said that investors should expect similar events to become commonplace and that they would inevitably put added pressure on food producers. Tate & Lyle's chief executive, Javed Ahmed, said the food and beverage industry should not expect producers to shoulder the burden of rising raw material prices. 'If the underlying raw material price goes up, you will see food inflation. When corn goes up, we pass that [increase] on.' The company's pre-tax profits fell almost a fifth on year to £309m to the end of March. However, last year's figure was helped by £76m of exceptional items, caused by one of the firm's mothballed factories coming back into production.

Take it all in.


Study via Distance Learning for an MSc in: Risk Crisis and Disaster Management
Whether it's natural disasters, human error, or terrorist acts, emergency situations are becoming an increasingly frequent feature of everyday life for all of us. If you have a professional or academic interest in this area of study our programme will advance your understanding of risk management theory, decision making and organisational behaviour. Our degree provides a wide-ranging interdisciplinary analysis of the extent, effects and explanations of crisis and disaster and the use of risk theory and provides opportunities to take part in supervised research. To develop your skills and understanding with a major research university contact:

Distance Learning
Institute of Lifelong Learning, Civil Safety and Security Unit, Tel: +44 (0)116 229 7575 Email: riskmanagement@le.ac.uk www.le.ac.uk/cssu


Save the date: 27 February 2014

Presented by

The Institute of Risk Management

leading the risk profession through delivery of education and lifelong learning

Grand Connaught Rooms, London, UK


Awards entry open: Monday 17 June 2013
Awards deadline: Monday 4 October 2013
Shortlist announced: Monday 18 November 2013
Awards dinner: Thursday 27 February 2014

IRM CHAIRMAN'S COLUMN

SLIDING DOORS
IRM CHAIRMAN RICHARD ANDERSON FIRM EXPLAINS HOW RISK MANAGEMENT PROFESSIONALS CAN HELP ORGANISATIONS PREPARE FOR THE FUTURE

As I was stepping on to the train the other day, I had a sense of déjà vu, which is of course a well-trodden path for filmgoers familiar with the movie Sliding Doors. But putting romantic comedies aside, we all have just one past, whereas we face multiple possible futures, each of which depends on a vast number of imponderables, many of which are beyond our control or even imagination. And that bewildering complexity is exactly what we face in our organisations as well. So, what does that have to do with risk management professionals? It seems to me that one of the really important competencies for risk management professionals is to be among those that help the organisation deal with the multiple complexities of the future.

Breaking the chains

Of course we must learn from the past, but by learning from the past we do not need to be relentlessly tied to our history. That frees us to explore the options that are open to us. While the media talks about signs of growth in the economy (fingers crossed and touching wood while I write that, like a good risk manager), there is a risk that organisations, many of which have been relentlessly hit by gloom and doom since the onset of the global financial crisis all those years ago, will face this new future with a less-than-confident spring in their step, with the consequence that they might not grasp the new and emerging opportunities.

In the heady days prior to the global financial crisis, risk managers were ignored when they asked doom-laden questions implying that house prices might one day fall rather than continue to increase, or were sacked (as in the case of Paul Moore, a speaker at our Risk Leaders conference in London, UK, in November) for doubting the sustainability of the pace of growth at HBOS. And yet, that is the biggest single contribution risk management can make to society: to ask the questions that make us reflect on the benefits (or otherwise) of running with the crowd. I have described this elsewhere as being 'the disruptive intelligence that pierces perfect-place arrogance'. I think that makes a good motto for the profession, and it dovetails neatly into the exhortation from René Carayol at our recent IRM Forum that we, as risk management professionals, should be focused on delivering leadership. That gives us an important role in all organisations; we should be influencing at boardroom level, as well as in the engine room.

Walking tall

Some people tell me that I am talking too much about the boardroom and not enough about our day job. That is because I think we have already proved, without a doubt, that we are technical masters of the day job. Very few people say to me that their risk managers are not up to their job from a technical viewpoint, but I still get negative comments about our ability to influence the leadership of our organisations. And yet, when you talk strategy with your board and you can influence the debate, then the whole remit of the profession is enhanced.

Our aim at IRM is to help people walk tall in their organisations. We are proud to be in risk management, and we are proud to be the organisation that provides the underpinnings for the profession: training, competence and ongoing leadership. That is why we are focused on the boardroom debate, focused on ensuring that our profession has global recognition and focused on providing the best training available. This is your profession. Please come along and support us. We welcome your help in a multitude of ways, and we always value your opinions.

ANALYSIS CULTURE

IS YOUR FIRM FAKING IT?

MOST ORGANISATIONS AND THEIR LEADERS EXCEL AT TALKING ABOUT THE IMPORTANCE OF RISK MANAGEMENT, BUT HOW MUCH OF THIS IS A FAÇADE? SENIOR MANAGEMENT OFTEN FEIGNS INTEREST TO APPEASE STAKEHOLDERS OR TICK BOXES, SAYS RICHARD MACKIE FIRM. SO HOW DO YOU TELL THE FAKERS FROM THOSE WHO REALLY CARE?

Risk managers have spent the last decade building and embedding risk management frameworks, and raising awareness throughout their organisations. But, just as risk considerations have become critical to decision-making, is the illusion of boardroom interest in risk management being exposed as a sham? With the collapse of the major banks, high-street names gone bust and billions of pounds lost, could there still be a negative attitude towards risk professionals? As we recently read in RMProfessional (Spring 2013), one former HBOS employee described risk managers as 'an alien species'. Does this hint at a feeling among senior management that risk professionals are not always on board, not one of the boys or, as I heard one female risk manager recently say, 'the girl who cries wolf'? That was, of course, until the big, bad wolf came knocking at our door. But when it did, the senior management team simply removed any sign of the wolf from the risk report as it would make the shareholders nervous. CEOs, petrified that the cold, hard facts could affect future investment, are choosing to ignore the warnings we deliver.

Are we complicit?

Which begs the question: why employ a risk manager? The simple answer is that, in 2013, in a medium-to-large size company, the board expects the organisation to have one. Ratings agencies expect to see robust enterprise risk management (ERM) practices, so companies create risk positions that nominally exist but whose work is conspicuous by its absence. The risk manager is not there to reduce risk or uncertainty, or to effect a change in the risk-taking culture. They are there because management cannot fake it without them.

As one of my risk professional peers revealed, there was no desire to identify risk within their organisation, just a superficial attempt to pretend it was being addressed. The CEO would remove a number of their entries from the monthly board report prior to publication. When the risk manager challenged the CEO, they were told off for reporting too many risks. And the CEO, citing their 20 years of experience, said they did not want to see any risks you would expect any normal company to face because, as an experienced leader, they had already foreseen these risks. The risks deemed irrelevant involved the lead-up to the Olympics, an untested business continuity management IT plan, European uncertainty impacting on supply chain exposure, and the traditional loss of key staff and lack of any succession planning. All of these were removed or altered to read as a positive for the organisation.

It would appear that the lessons from HBOS and the sacking of Paul Moore, the head of group regulatory risk removed for raising concerns about excessive risk-taking [and a speaker at IRM's Risk Leaders Conference in London, UK, on 4 November], have not been learned. But what is more worrying is that this organisation is not alone in its actions.

| Summer 2013 | www.rmprofessional.com | 13

ANALYSIS CULTURE
Fear culture
A culture of fear, characterised by the boardroom belief that the threat to the organisation is not the risk itself but the market perception of the risk exposure, is haunting our businesses. Some say this is down to the egos at the top, but there appears to be a belief that if an organisation becomes too honest with their risk exposure, it is an admission of guilt, acceptance of failure or an acknowledgement that there is doubt in its business strategy. Look at the local high street. Where have Borders, Comet, JJB Sports, Jessops and Woolworths gone? There is a universal belief among the public that all the big name companies have failed due to the global economic recession but this is an excuse. These failures were many years in the making. Borders closure was the result of rapid changes in the marketplace coupled with their unwillingness and/or inability to react in time to them. If your industry is selling books and CDs, you do not have to look far back to see that people and cars no longer use cassettes, and that CDs were already on the way out by 2005.
Richard Mackie FIRM is manager, risk advisory, RSM Tenon richard. mackie@ rsmtenon.com

inconsistent approach to risk. Does the organisation use numerous styles or outdated formats for risk reporting? Is there poor risk communication between the different functions? Poor reporting and ineffective communication is often a deliberate method to prevent the risk manager from getting a true picture of the risks. When management does not see the value in an efcient reporting system, we need to be asking what the motivation is behind that view. As a risk professional, you should know if the manner in which your organisation reports risks is outdated and stagnant. If you are trying to drive risk reporting forward and hitting a wall, it probably means there is no desire to streamline the risk process for fear of uncovering the family secrets.

Time for change

Mentioning the unmentionable

Spotting the fakes

So how can you spot a fake? Unlike a watch, or a pair of suspicious-looking Karen Klein sunglasses, this is probably harder to identify. The rst sign that all may not be as it seems is an


The rapid rise in popularity of e-readers, MP3s and iPods makes you wonder what the risk manager was doing. Agreed, it is not the risk manager's place to be designing new technology, but it is the risk manager's role to ensure that the impact of game-changing products coming onto the market is on the radar. Prior to the recession, when times were good, Comet, JJB and Woolworths experienced financial difficulties; all were slow to react to changes in the business environment and adapt their business model accordingly. The internet did not kill these big names. Neither did the competition, or even new products. It was the failure of the senior management team to acknowledge the risks to the organisation's strategy. Failure is still unmentionable in some high-level meetings, so much so that if the risk manager does raise the possibility, they are seen to be challenging the competence and the leadership of management. Risk professionals are effectively being ostracised. We talk of the risk culture and a bottom-up, top-down or universal approach, but what does that all mean if, behind the meeting room doors, your organisation only centres on the positive aspects of its strategy?

Has the time come to enhance the focus from embedding a risk culture to changing the corporate risk environment from one of concealment to honesty? Senior managers must understand that, effectively, risk management can only come by acknowledging risk and embracing an honest approach, including highlighting any uncertainty that threatens the achievement of the corporate objectives. When the risk manager or risk function challenges the assumptions that are the foundations of management decisions, they are not stifling opportunity. They are actually increasing the likelihood of success. Only by identifying, understanding and recognising the potential for failure can failure itself be avoided. Having reviewed a number of corporate failures and big losses recently, the main questions we all have to ask ourselves are: is there a risk management facade festering within your business? Is your firm a faker?

LEGAL ANALYSIS BONUSES

IF THE CAP FITS


WILL CONTROLLING BANKERS' BONUSES BRING STABILITY TO THE FINANCIAL SECTOR? OLIVER KNOX CONSIDERS THE CONSEQUENCES
Oliver Knox is a trainee at City law firm RPC

On 16 April, the European Parliament overruled UK opposition and adopted new legislation under the Capital Requirements Directive IV (CRD IV), which puts a cap on bankers' bonuses. It is expected to be effective from 1 January 2014. The rules seek to limit bonuses to the amount of the individual's salary (the so-called 1:1 ratio) although, with shareholder approval, the ratio could rise to 2:1. The rules will apply to EU banks, including their overseas subsidiaries, as well as foreign units operating in the EU, and will affect material risk-takers such as senior management and major traders. Banks have some discretion over which employees are considered material risk-takers, although the European Banking Authority's latest proposal seeks to expand the category to include those earning more than €500,000. The legislation aims to improve stability in the global financial sector by limiting the incentive for senior management/traders to take short-term risks, which might benefit them personally but which are imprudent in the long term. It also responds to public outrage at banker remuneration following the 2008 credit crisis. Continuing negative publicity has fuelled public hostility: in Europe, the sovereign debt crisis has seen five EU member states bailed out, while UK examples include the part-nationalisation of HBOS, Lloyds TSB and the Royal Bank of Scotland, the latter sparking a furore over the severance package of chief executive Fred Goodwin. Additionally, the multi-billion dollar rogue-trading scandals of Jérôme Kerviel at Société Générale and UBS's Kweku Adoboli have intensified the perception of banking greed.

Legally, there is concern that the rules may violate international trade agreements, since they extend to EU subsidiaries operating outside the EU. Furthermore, the legislation arguably goes beyond the powers vested in the EU. Article 153(5) of the Lisbon Treaty 2007 provides that any attempts made by the European Parliament and Council to modify social policy shall not apply to pay. The counter-argument is that the legislation does not seek to limit total pay, just the proportions of fixed to variable pay, and addresses systemic risk, not social policy.

Strategies

Disincentive

These examples suggest an unstable banking sector, exacerbated by a combination of recklessness and an emphasis on short-term gain. The EU considers that the common denominator is remuneration of key executives, with personal financial incentive closely correlated to risk appetite. The EU hopes that the bonus cap will de-incentivise high-risk short-term transactions, create greater transparency and accountability, and enable banks to safeguard deposits and investors' returns. However, there is considerable speculation that the bonus cap is, at best, a blunt tool and, at worst, will have a significant detrimental effect on the sector.

In order to retain top talent, banks will probably come up with various strategies to moderate the impact of the rules. The most obvious method will be to increase basic salaries (fixed pay). Other possibilities include restructuring packages to offer individuals greater shareholdings; withholding salary over the course of the year and allocating it according to performance; or introducing allowances such as grants. While some of these strategies may be treated as bonuses, there is likely to be a grey area that could be creatively exploited. There is a risk that these measures will drive banking talent out of the EU, damaging its financial sector and resulting in senior banking positions being occupied by less-qualified people. This outcome is contradictory to the aim of the rules and will affect the UK significantly, given the size of the City of London financial sector. In particular, there is speculation that international banks may move Europe, Middle East and Africa business from London to the Gulf, which would be damaging to the UK and EU, possibly prolonging the European sovereign debt crisis and regional financial instability. The ultimate impact of these rules will become clearer in time. However, if the bonus cap fails to deliver the expected reform, perhaps banks should consider incentivising those in compliance roles in the same way as front office staff. This would encourage closer monitoring of risk, resulting in greater clarity and accountability, and also provide a degree of reassurance. While profits may be hit in the short term, overall, such an initiative might help to stabilise the banking sector and renew public trust in EU banks, thereby generating growth.


LESSONS LEARNED?
ORGANISATIONS MUST QUESTION THEIR CULTURES AND LEARN FROM RISK EVENTS TO REDUCE THEIR OPERATIONAL RISK LOSSES, AN EXCLUSIVE STUDY FROM THE OPERATIONAL RISK CONSORTIUM (ORIC) HAS CLAIMED
A recent report into the UK Mid-Staffordshire National Health Service (NHS) Trust found that some 1,200 unnecessary patient deaths at hospitals in the area over a number of years were caused, to some degree, by a prioritisation of financial performance over patient safety imposed by top management, and by a blame-laden culture where people at all levels were frightened to speak out.

Contrast this with the North Sea approach, where all oil and gas companies openly share details of all safety and environmental risk events, including near-misses, in order to understand whether they could be exposed and to ensure that they are prepared for any events of a similar nature. These are just two examples from a new study published by the Operational Risk Consortium (ORIC), Creating value from risk events: leading practices in operational risk event reporting, analysis and investigation, learning and management, which calls for firms to question their risk cultures and learn lessons from risk events in order to survive and thrive in the modern world, and to avoid situations such as that at UK Mid-Staffordshire NHS Trust. Alex Hindson FIRM, chairman of ORIC and a director of IRM, says the study fulfils ORIC's objectives to set leading practice for operational risk and inspires firms to improve their risk event capture, reporting and analysis.

Characteristics

According to ORIC, organisations can actively reduce operational risk losses by placing a strong focus on risk event reporting, analysis and learning. Firms that get this right typically exhibit the following characteristics/actions: an open culture where people use risk events as an opportunity to improve; analysis of risk events to understand the root causes and establish whether other areas of the organisation could be exposed; and continuous improvement of control frameworks, using learning from internal and external risk events. After identifying best practice approaches, ORIC created


FOCUS OPERATIONAL RISK


a maturity diagnostic (see below) to assist organisations in benchmarking and improving their performance. Caroline Coombe FIRM, head of ORIC, says creating an open culture, where people can speak openly about risk events, is fundamental. A crucial ingredient for success, says Coombe, is for visible leadership behaviour to be in place. Best practice organisations have strong, risk-aware leaders who actively champion the process, get involved in training their people, communicate the importance of risk to the business, actively follow up on actions, and recognise people for reporting. Such organisations invest in developing risk leadership skills and measuring leaders' performance in this area.

Education

The study states: Critically, these leaders avoid blaming those who report, or those who have made genuine mistakes, and place a high value on the opportunity to learn from risk events to drive value for their organisation. By focusing on risk event reporting, including near-miss reporting, addressing behavioural failures, undertaking root-cause analysis and combining data with learning, organisations can target year-on-year reductions in operational risk losses. The study highlights the practices of a nuclear aircraft carrier, where the most junior sailor is empowered to stop operations if they perceive a risk. When a junior stopped flying operations because a tool had been mislaid, they were publicly congratulated for being risk aware rather than reprimanded.

ORIC's work has been endorsed by IRM, with Carolyn Williams MIRM, the institute's head of thought leadership, praising a worthwhile study on the importance of risk event reporting in creating a healthy risk management culture. She added: "Our own recent publication on risk culture identified the importance of risk disclosure and the effective reporting and escalation of risk events as fundamental tests of an organisation's ability to create a supportive culture."

To receive a copy of the study, contact ORIC at international@abi.org.uk.

Proactive
- Everyone feels encouraged to report events
- Simple standardised company-wide approach to reporting
- Ownership of reporting at first line of defence staff
- Selected staff at first line are focused on risk
- Staff understand the need to report near-misses. More than 50 per cent are reported
- Clear thresholds for root cause analysis (RCA)
- Standard, proven tools and approaches used to conduct RCA
- Behavioural root causes always sought
- Strong trained capability to conduct RCA
- Top leadership reviews causes of major events

High reliability
- Single, simple approach to capture enterprise-wide risks
- Everyone understands current and potential risks they face
- Everyone understands the need to report risk events and do so directly
- Open, learning culture sees events as an opportunity to improve
- Near-misses actively reported in order to reduce frequency of loss events
- Deep root cause analysis (RCA) for key events and major near misses
- Analysis identifies trends and causes from volume lesser events
- All leaders are seen to engage in RCA
- Focus on behaviours (why people acted that way)
- Leadership, behavioural and cultural issues confronted
- Quality assurance of investigations through peer and third-line review
Open environment for reporting

Reactive
- Only significant risk events are reported
- Lack of leadership involvement
- Inconsistent reporting processes
- Fear of blame/reprimand impedes reporting
- People are unsure what to report and why
- Reporting delegated to the second line
- Near-misses not reported

Compliant
- Coherent process for people to report events
- Most events reported
- Key people are risk aware
- Key people understand how to report a risk event
- Little focus on near-miss reporting

Risk event analysis, investigation and impact assessment

- Focus on addressing recovery from loss events
- Leadership seek to identify responsibility and blame
- Root cause analysis (RCA) not conducted

- Root cause analysis (RCA) conducted for priority events
- Focus on controls, processes and systems not behaviours
- Ad hoc and inconsistent approach to RCA, few standard tools
- Little trained investigative capability

Action management

- Actions for most loss events are not monitored or followed up
- Follow-up for major events is on an ad hoc basis

- Actions often derived so that they can be delivered rather than make a difference
- Actions are managed, monitored and closed
- Approach and tools for action management are not consistent across company

- Action management process integrated into company-wide continuous improvement approach
- Actions may involve replacing existing controls that are not cost-effective, not just adding controls
- Learnings from loss events and near misses used to deliver year-on-year reductions in risk exposure
- Rigorous approach optimises behaviours and controls based on learning from internal and external events
- Proactive sharing and learning across the industry to reduce sector-wide operational and reputational risks
- The third line review learning effectiveness

- Actions derived to make a difference
- Actions are prioritised, based on resources available and risk appetite
- Actions clearly tracked and only closed on evidence
- Top leadership review actions for major events
- Processes in place to prioritise and share learnings across the company from internal risk events
- Learnings are derived from external risk events
- Appropriate ORIC data shared with first line
- Multiple channels used to engage staff in learnings

Learning and continuous improvement

- Changes to policies and procedures occur in response to significant internal risk events
- Learnings not always shared across all relevant parts of the company
- Review of major external risk events is not systematic

- No systematic approach in place to learn from internal or external risk events
- Learnings tend to be ad hoc and rely often on informal networks


ONE SMALL STEP ,


AS MARS ONE STARTS ACCEPTING APPLICATIONS FOR A ONE-WAY TRIP TO THE RED PLANET, MARK TURNER CIRM ASKS IF THE DANGER POSED BY THE MISSION IS OUTWEIGHED BY THE THREAT OF GLOBAL CATASTROPHE
A bright speck appears over the eastern horizon, flies across the deep blue sky, expanding in both size and intensity, until suddenly and in complete silence it explodes in a brilliant fireball with the power of a 440-kiloton nuclear bomb. Two and a half minutes later, the shockwave rips

through the Russian town of Chelyabinsk, sending glass and debris flying and injuring 1,500 people, many of whom were staring through windows at the expanding smoke plume in the sky. For many, the events of January 2013 were a surprising wake-up call to the power of nature. But for others, this demonstration of the destructive impact of space-based objects was just another


ANALYSIS MARS MISSION

reminder of the perilous hold that the human species has on its continued existence.

Sudden impact

Sixty-five million years ago, a larger fireball swept in across the Atlantic. The prehistoric witnesses to this meteor were instantaneously incinerated and many thousands of species, in the days and weeks that followed the impact, succumbed to extinction on a global scale. Such is the devastating effect that a meteor or comet impact would have on our fragile world. Yet it is not the only life-threatening risk that exists. Mega-volcanoes, such as the one found in Yellowstone Park in Wyoming, USA; coronal mass ejections from the sun; reversal of the Earth's

magnetic poles; pandemic super-flu; runaway nanotechnology (the so-called grey goo); climate change leading to methane release from the sea bed or suspension of the gulf stream; and any number of other global catastrophes could all destroy our species at any moment.

One-way ticket

However, for the first time in the history of our planet, a species possesses the sophistication and technology to withstand such a global catastrophe. In recent decades, mankind has walked on the Moon, sent the Voyager probes beyond the furthest reaches of our solar system, and has begun to explore the Martian surface with robots. We are capable of placing people on Mars.


It is no longer a question of technology. However, it has not yet happened due to funding constraints, limited political will and, above all, a deep-seated expectation by the public and politicians alike that it should be a two-way journey. On 22 April 2013, a private Dutch company called Mars One opened the first round of applications for prospective Martian colonists. Within two weeks, almost 80,000 people had indicated that they were interested in the one-way mission to the red planet. Many detractors identified the death sentence these individuals had signed up for. The risks associated with space travel in general, and the exploration of Mars in particular, are many and varied.

Mark Turner CIRM is head of internal audit UK at Selex ES. View his Mars One application video at http://tinyurl.com/mfav8es

Extreme pressure

First, there are the problems associated with leaving the Earth. As spectacularly demonstrated by the Space Shuttle Challenger in 1986, the act of getting into orbit is not without risk. Once in space, the transition to Mars requires the spacecraft to leave the protection of the Earth's magnetic shell. Without this defence, intense radiation from the Sun and other cosmic sources will begin to damage human DNA. The seven-month trip to Mars exposes the astronauts to microgravity, which accelerates muscle wastage and is believed to increase the risk of osteoporosis. Micrometeorites, with the kinetic energy of bullets, threaten to puncture the hull of the spacecraft at any moment. With restricted rations and limited facilities for hygiene, the body's defences will also be placed under extreme pressure. Provided that guidance and propulsion have worked correctly, once in orbit around Mars, the next challenge will be the descent. Over the years, NASA has used several methods to get probes onto the surface, including parachutes, airbags and sky cranes. Some have succeeded, while many others have failed. The lack of a dense atmosphere, and potentially high cross-winds, make Mars a formidable target to touch down on.

Life on Mars

Mars does not possess a strong magnetosphere, and so the cosmic and solar radiation will continue to impact the explorers whenever they are not under cover. To prevent further exposure, the colonists will need to bury their habitats under two metres of Martian soil. The famous red dust that covers the planet has been analysed by Mars rovers such as Curiosity. The results indicate that it contains high levels of minerals that are harmful to human health. Not least of these are perchlorates, which are known to affect the thyroid gland, and gypsum, which affects the lungs in a similar way to coal-lung disease in coal miners. The Mars One mission is expected to land at the latitudes nearer one of the poles. This area is known to possess sub-surface water. The extraction of this water will be a priority for the explorers if a self-sustaining colony is to be established.

Food for thought

However, it is not known what contaminants this water may contain. All food necessary for the first two years will need to be transported to the planet with the travellers. While it is anticipated that they will begin to grow their own food, this will take months to bring to harvest. The effects of Martian gravity, only 38 per cent that of the Earth, may have an unpredictable impact on both yield and nutritional value of the crops grown. It is possible that sustaining a balanced diet may be difficult. Accidents, the effects of cosmic radiation, environmental disease and other bodily threats will all need to be self-treated. There will be no palliative care as the colonists age, and the safe disposal of corpses will need to be addressed.

Mars or mankind?

With this array of known hazards, and the many yet to be discovered, why is it that so many people are willing to put their lives at such peril? Not all of them are uninformed glory seekers. Many are well-read scientists, technologists and professionals from all walks of life. For one thing, there is the personal challenge of leaving the Earth. For many people, growing up during the golden age of lunar landings and Space Shuttle missions, this presents an opportunity to live a childhood ambition. For others, the allure of never-ending fame is enticing. To be the first person to walk on Mars would place their name alongside those of Marco Polo, Christopher Columbus and Neil Armstrong. In addition, the money which, it is hoped, will be generated by sponsorship and celebrity endorsement could ensure that the families left behind on Earth would be well looked after for many generations.

Basic instinct

However, the appeal to apply for the one-way trip may be deeper than this. Instinct for genetic survival drove our ancestral explorers to leave the broad savannah of Africa in search of new land, and this instinct may well be acting again. If mankind is to survive, then the colonisation of the solar system is the only action that can assure the continuation of our species, and Mars is the first logical step. Going to Mars may be fraught with individual danger, but the threat to mankind for not going is a risk the species cannot ignore.


ANALYSIS DEFINING RISK

MODERN RISK PROFESSIONALS MUST UNDERSTAND OTHER DEFINITIONS OF RISK INSTEAD OF FOCUSING ON THEIR OWN INTERPRETATION, INSISTS DR MIKE LAUDER

Risk is too ambiguous a term to be used on its own and must be simplified. When conducting research at Cranfield University between 2008 and 2011, I concluded that there was no point in defining risk as I saw it. I needed to see risk from the other perspective. I collated 43 different risk definitions from academic and practitioner literature, aiming to identify whether definitions of risk fall into one sector or are spread across the spectrum.

Simple definitions

I plotted simple definitions, separating risk into the definitions in the box below.

Simple definitions
- An uncertainty: Frank Knight (1921) cited by (Damodaran, 2008:5)
- An event: (Aven and Renn, 2009:1)
- Form of rationality: (Lupton, 1999:138)
- Questionable assumption: (Baxter 1996)
- Uncertainty: (Holton, 2004:20)
- Failure: (Malik, 2008:88)
- An implication: (Chapman and Ward, 1997:7)
- An effect: (Hillson and Simon, 2007:224)
- Exposure: (Holton, 2004:22)
- Volatility: (Hubbard, 2009:84)

[Figure: the simple definitions of risk placed in four system boxes: Inputs, Transformation process, Outputs and Controls]

From here, usage of the word places risk in one of four categories:
- Inputs
- Transformation process
- Outputs
- Controls

Inputs are where risk is defined as an event or a cause of an effect. A questionable assumption is perceived as borderline input/transformation process, while risk as uncertainty (it is seen as being an uncertainty or a probability within the transformation process) and risk as a form of rationality fell clearly within the transformation process category. Those that were perceived as falling in the output category were risk as an effect, an implication and failure. Finally, risk as exposure and volatility was deemed to fit into the control box. Risk as exposure was interpreted as the level of risk or the amount of risk to which the organisation is being, or will be, exposed; this was seen as a control total and, therefore, placed within the control area. Risk as exposure has been interpreted as being consistent with the many other terms (such as risk appetite, risk tolerance and risk profile) that have been used to express the amount of risk that is expected or acceptable; these are all seen as being a control total. Risks can be seen to be present in any, and every, part of the system. The exact placing of each concept is not considered to be as important as the fact that definitions fall within all four areas of the system boxes. Risk, then, should have its temporal dimension acknowledged and not be seen as a single concept.

Complex definitions

The next step in the analysis of risk is to examine a series of complex risk definitions (that is, those articulated as risk = A (x) B). The selection in Table 1 (below) demonstrates further complexity. These articulations of risk combine aspects from all four system boxes. However, they predominantly concentrate on the outputs (impact, consequence or magnitude) and control boxes (probability, frequency, magnitude or severity). These, therefore, need further analysis.

- Risk = probability x magnitude (Slovic, 2000:232)
- Risk = probability (of occurrence of loss) x magnitude (of possible loss) (Malik, 2008:48)
- Risk = probability x impact (APRA, 2008)
- Risk = probability x s (damage scale) (Stankiewicz, 2009:112)
- Risk = threat + vulnerability (Kovacich and Halibozek, 2003:26)
- Risk = threat x vulnerability x consequence (Cox, 2008:1749)
- Risk = probability x consequence (Van Well-Stam et al., 2004:45; Damodaran, 2007:6)
- Risk = expected consequences + uncertainties (Aven, 2007:433)
- Risk = exposure + uncertainty (which you care about) (Holton, 2004:22)
- Risk is the possibility and quantum of loss (March and Shapira (1987), cited by Coleman, 2006:255)
- Risk is the probability of a material hazard circumstance occurring (Tullock in Lupton, 1999:36)
Table 1: Examples of complex risk definitions

Such definitions of risk often suggest limits or control totals. This reinforces the place for a control box within the proposed framework. These scales articulate potential limits of what might be expected to happen, or what might be deemed to be acceptable should it happen. All these scales are features of management control. They, therefore, fit into the control box within the framework. They are encompassed in the term risk exposure.

This leaves only the construct of the outputs requiring further examination. The term output covers a more complicated construct. I identified five, and define these terms as:
- Results: the result is an initial outcome of the mechanism at play on an entity in creating the negative outcome. For example, if the mechanism is the continual flexing of a structure due to natural phenomena, such as wind, the result of this may be that the structure becomes stressed
- Effect: the effect is the end product of the result on the entity causing the negative outcome. Building on the stress example, the effect of stress may be structural failure
- Consequence: a consequence is the automatic (cascade) effect that will occur as the end product. Continuing the example, the consequence of part of the structure failing may be the total collapse of the structure
- Subsequence: subsequence is defined as the consequence of a decision that follows an unwanted occurrence rather than being part of any cascade of events
- Impact: the term impact is reserved for an overarching term that embraces all negative outputs relevant to the matter in hand.

The basic sequencing from input risk through to subsequence can be seen as having a temporal construct, whether measured over microseconds or millennia. An organisation's capacity to manage such risk will depend on its ability and desire to intervene between any of the dimensions.

Basic framework

Using a basic systems structure, the seven categories of risk may now be seen as: input risks (R1); transformation risks (R2); results (R3); effects (R4); consequences (R5); subsequence (R6); and as an expression of what is acceptable exposure (R7). This provides the structure in Figure 1 (below). Connecting the dimensions of risk are both pathways towards positive outcomes, as represented by the dotted line, and negative outcomes, represented by the solid line. There is coupling between the two.

[Figure 1: Seven temporal categories of risk. Labels: Input risk (R1); Transformation (R2); Result (R3)/Effect (R4); Consequence (R5); Subsequence (R6); Exposure (R7); Impact; Coupling; Objective (Social good); Downside (Social bad)]

Second dimension

The process involved taking each use of the term risk and evaluating it for its context and concern. The result of the analysis was that five categories emerged. These I labelled:
[1] Non-delivery: non-delivery covers what might be known as mission failure. This is where an organisation or group fails to deliver all or part of what was intended
[2] Barrier to delivery: this category encompasses anything that may prevent the organisation from delivering its intended output
[3] The unknown: this category covers both what is unknown and what is uncertain
[4] The unintended: the category of unintended includes the problems raised by the interactive complexity within any organisation where the consequences of an action may be different from those intended
[5] The unexpected: the final category embraces external influences on the organisation that had not been foreseen or for which mitigation had not been planned.

Combining the two dimensions

The final step is to combine the two dimensions. The result is Table 2, which can be seen to produce 35 problem spaces embraced by the term risk.

Table 2: Risk definition matrix
Columns: Non-delivery | Barrier to delivery | The unknown | The unintended | The unexpected
Rows: Input (R1) | Transformation (R2) | Results (R3) | Effect (R4) | Consequence (R5) | Subsequence (R6) | Exposure (R7)

Conclusion

Risk is a word that is used in many ways. Individuals define the term to suit their own needs; communities or specialisms define the word for their own purpose. But senior managers do not have this luxury. They are required to understand the word risk the way the user intends it to be understood. To do this, they must first appreciate that it can be used in more than one way. I have looked to provide a method through which the word can be analysed and its meanings categorised. The grid that I have produced gives 35 ways that the term may be being used. I would suggest that any non-specialist who hears someone using the term risk should consider using the grid to improve understanding between the various disciplines required to manage any complex organisation.

Dr Mike Lauder is director and owner of Alto42; see www.alto42.co.uk


WITH ITS ECONOMY EXPERIENCING GLOBAL INVESTMENT AND GROWTH, LYNN STRONGIN DODDS EXPLORES HOW RISK MANAGEMENT CULTURE IS BECOMING INCREASINGLY IMPORTANT IN MALAYSIA
Although risk management practices are well embedded for publicly listed companies in Malaysia, progress is slow for those outside the stock exchange realm. The government and trade organisations, such as the Malaysian Association of Risk and Insurance Management (MARIM), the Malaysian Institute on Corporate Governance and Institute of Internal Auditors (IIA), are leading the charge, but it will take time for the word to spread across the industrial spectrum. According to the findings of a report by Ernst & Young and the Institute of Internal Auditors in 2011, there was an increasing importance being placed on identifying, understanding and managing risks, but more work was needed. For example, while many organisations surveyed believed they had a formal and relatively mature governance, risk and compliance (GRC) framework in place, the majority needed to improve the interconnectivity between risk management, business strategies and key performance indicators. Organisations also needed to better align and coordinate their activities to ensure the best possible risk coverage.

Moving ahead

Fast-forward to today, and advancements have been patchy. In its latest global report, Business pulse: exploring the dual perspectives of the top 10 risks and opportunities in 2013, Philip Rao, partner, Ernst & Young, Malaysia and ASEAN risk leader, noted: "As companies in developed markets continue to perform at low levels amid recession and sovereign debt problems, the world is now looking to new markets for expansion opportunities. Countries in rapid growth markets, including Malaysia, are now becoming the focus for investments and growth, as many global organisations rethink their business strategies. While this is encouraging for Malaysia's economy, Malaysian companies must be alert to these developments and consider the risks and opportunities affecting their own businesses in an increasingly competitive market."

It is not surprising, perhaps, that those companies listed or looking to join Bursa Malaysia are the farthest ahead on the risk management curve. They are required to adhere to the Malaysian Code on Corporate Governance, which was updated last year. It incorporates not only part of the 2007 Code, but also recommendations from the Securities Commission Malaysia's five-year Corporate Governance Blueprint (Blueprint), which was launched in July 2011 to raise the corporate governance bar in the country. Under the new Code, the profile of the board of directors has been raised, with a greater emphasis on establishing clear roles and responsibilities. Other recommendations included strengthening the composition, as well as reinforcing its independence.

In addition, companies are advised to foster commitment, ensure integrity in financial reporting and disclose information in a timely manner. Equally as important is establishing a sound structure to determine, manage and monitor a company's risks.

Strengthening

Separately, the IIA, the national body for the internal audit profession, published a new version of its Statement on Risk management and internal control guidelines for directors of listed issuers, after a year-long consultation with directors of public listed companies (PLCs), to better reflect the current regulatory landscape and corporate governance. The aim is not only to enhance disclosures on risk management and internal controls in annual reports, but also to ensure directors conform to the listing requirements. They are also encouraged to strengthen the obligations of management, as well as the board, on risk management and internal controls, including implementation and monitoring.

According to Datin Josephine Low, president of IIA Malaysia and chief audit executive of the group internal audit department of Tan Chong Motor Holdings Berhad, one of the largest automotive organisations in Malaysia, the new guidelines incorporate the various amendments in the Malaysian Code of Corporate Governance and Bursa's listing requirements. She noted that even though the key principles underlying the original guidance are timeless, the rapid changes we have seen in today's business and operating environments have spurred us to undertake this vital revision to enable organisations to be more efficient in developing and maintaining a more robust and effective system of internal controls and risk management, which can enhance their long-term success.

Low added: "The revised guidelines have put in place the timely need for significant evaluation of the effectiveness of the risk assessment processes that not only include the traditional internal controls over financial reporting, but also ascertain that controls over risk management systems are being firmly put in place." For example, the CEO and chief financial officer are now required to tell the board whether the company's risk management and internal control systems are operating adequately and effectively, while the board is responsible for establishing a sound framework to manage risk. It is not merely about preparing a statement on internal controls and risk management, but also about enhancing investor confidence by providing comprehensive information about risk management practices, according to Low.

Banking

The other sector that is ahead of the pack is banks, although not all are listed on the stock exchange. Lessons had already been learnt from the 1998 Asian financial crisis and, as a result, they are in much better shape than their Western counterparts. "Overall, the risk management culture in the banking sector is very strong, although there is always room for improvement," says Jeroen Thijs, chief risk officer at Bank Islam Malaysia Berhad. "The main trend we are seeing at the moment is compliance with Basel III. Unlike in the West, the regulator, the Central Bank of Malaysia, seems, at this stage, keen to implement it fully and not have it watered down. As for risks, there is concern over the increasing debt levels of the ordinary consumer, and the move towards regionalisation is introducing different geographical risk elements. Asia may be seen as homogenous, but the culture and products that people want differ."

The push for regionalisation is being spearheaded by the Bank Negara Malaysia (BNM) as part of its ten-year financial sector blueprint 2011-2020. The aim is to encourage greater regional and international participation of Malaysian financial institutions. This includes facilitating cross-border financial transactions, financial integration, regional trade and investment, as well as the internationalisation of Islamic finance. However, BNM hopes it will be a two-way street, with foreign banks playing a bigger role in the country's financial services landscape. The door has been slowly opening since 2009, with several areas being liberalised, namely investment banking, the insurance and takaful (a type of Islamic insurance) sectors, as well as Islamic finance. Foreign investment in Malaysian commercial banks, however, remains restricted.



While listed companies and banks are expected to continue making strides, the pace is much slower for those outside these two spheres. "Enterprise risk management (ERM) is well understood by listed companies within Malaysia, but project risk management, particularly within the construction industry, has yet to reach the same level of maturity," says Dr Robert Chapman FIRM, head of risk management at MMC-Gamuda. The MRT Corporation has engaged MMC-Gamuda as the project delivery partner for the Klang Valley Mass Rapid Transit (KVMRT) project, which is a multi-billion Ringgit undertaking, involving 41.5km of viaduct and 9.5km of tunnels, 34 stations and two depots. Chapman adds: "The key issue for major construction projects in Malaysia is a common lack of project and risk management expertise within contracting organisations, combined with skilled labour shortages." The project has encouraged participating contractors to enrol their staff in professional project risk management training to raise awareness and competency levels. However, the level of interest to date has been very low.

Lynn Strongin Dodds is a freelance financial and business journalist

Adoption

Mohamad Mohamad Zain, vice president, group business assurance, Telekom Malaysia, and chairman of the Malaysian Risk Management Association (MARIM), concurs that the main challenge is to ensure that organisations across the industry spectrum adopt robust risk management practices. Most major projects initiated by the public sector lack risk management and have ended up wasting taxpayers' money, due to the escalation of a project's cost or extension of the deadline. This is because the risk management culture is still low, except for PLCs, because they have to comply with the Malaysian Code on Corporate Governance 2000, which is monitored and updated by the Bursa Malaysia and Securities Commission of Malaysia.

One of the main problems is finding certified risk management personnel. "Most risk managers in Malaysia start off their risk management careers in the insurance industry," says Zain. "They may then end up as a risk manager in a PLC that requires immediate personnel to run their risk management programme in compliance with the Malaysian Code on Corporate Governance."

There are moves, though, to rectify the situation. MARIM is trying to encourage the private sector to emulate its publicly-listed brethren by providing platforms and forums for risk managers, to enable exchange of ideas on how to implement and improve within their respective organisation. It is also spearheading the campaign to have ISO 31000, which provides guidelines, principles, a framework and process for managing risk, adopted and converted to MS ISO 31000 (MS = Malaysian Standard). Using ISO 31000 can help organisations achieve objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment, according to Zain.

IRM CERTIFICATION

KEEPING IT SIMPLE
AS THE DEBATE OVER CERTIFICATION RUMBLES ON, IRM CHIEF EXECUTIVE STEVE FOWLER FIRM CALLS FOR AN UNCOMPLICATED DISCUSSION
The issue of accreditation might seem terribly complex, but it is actually rather simple. Much work has already been done by many organisations around the world. The Risk Management Institution of Australasia (RMIA), for instance, has already carried out a tremendous amount of work on a professionalism system for risk management. The Federation of European Risk Management Associations (FERMA) is also carrying out some work, as are, jointly, the Association of Insurance and Risk Managers in Industry and Commerce (Airmic) and The Chartered Insurance Institute (CII). But we need to look beyond insurance, and at what is being done elsewhere. I speak at conferences covering other areas of risk management, where exactly the same debates over certification are happening. Be it audit and compliance, occupational health and safety, or any of the various others, you hear the same refrain about the professionalisation of risk management, because each world sees risk management as belonging to them.

The foundation

The above brings a number of points home. First off, if we are going to build something, and I would suggest that we have to build a certification system, it has to be global and it has to be enterprise risk management (ERM) focused. I know people argue about the detail of ISO 31000, but we stand every chance of looking stupid if we fail to build everything we do around that international standard. If we look at other professions (accountancy, law, medicine and engineering), they all have global systems of certification, where a certain small number of things are held in common. Clearly, there is individualism within each of the specialities in these professions. These professions have shown the way. In the US, the American National Standards Institute (ANSI) says that there are four elements belonging to a profession, and all professions operating within the States work to this principle. These are: experience; qualifications; continued professional development; and a code of conduct/ethics.

You cannot have a certification scheme that does not take experience into account. Qualifications are equally important. I would refuse brain surgery from someone qualified as a lawyer, no matter how many operations they had previously performed. But, when it comes to risk management, this is effectively what we do. Continuing professional development, the extension of experience into the future, is crucial. And it goes without saying that a code of conduct or a code of ethics is absolutely critical to any profession.

Non-negotiable

These four elements are non-negotiable. Our certification framework will not stand up without them. It will look ridiculous, particularly when our boardroom colleagues comply with these four factors. But we also need to consider whether we should induct grey-hairs and no-hairs into our certification system. We might want to consider a way to get into that certification scheme that does not require taking a whole new set of qualifications.

So how do we go about doing all of this? It is simple. We must define a common framework at a high level. At IRM, we have spent around nine months looking at all the major risk management certification frameworks. There are around 60 to 70 that we managed to find. We then carried out a meta-level analysis of the common factors among them. We asked: what are the common core competencies between, for example, project risk management, insurable risk, market and credit risk, and so on and so forth? This has given us a base from which to develop a certification framework. And within the coming months, we will build on this and bring you the latest developments on certification.

Fowler's comments were adapted from a speech at Global Risk Frontiers, London, UK, a Commercial Risk Europe event.

Steve Fowler FIRM is IRM chief executive


IRM FOCUS: DIRECTOR'S CUT

EURO VISION
IRM BOARD DIRECTOR DR MARIE GEMMA DEQUAE DISCUSSES THE INSTITUTE'S WORK WITH CONTINENTAL EUROPE

In moving beyond its UK home and becoming a truly international organisation, IRM's natural market has primarily been where English is the business language. English is increasingly the language of continental Europe, but I am still keen to encourage IRM to continue building a closer relationship with the rest of Europe. I see two principal benefits. First, IRM can help to strengthen the position of enterprise risk management (ERM) in European directives. Second, IRM members need to be aware of how risk management in Europe works, even if they are outside the EU.

Anglo-Saxon origins

As a specific, professional function, risk management has strong Anglo-Saxon origins, but its practice within Europe takes place within a framework of EU-origin regulations. Beyond the member states, European directives are still influential because the EU is the world's largest trading bloc and the second largest economy in the world. At the same time, the business culture in each country in Europe is different, and we know how important culture is in the way a company deals with risk, whatever the rules intend. You have to adapt your approach to the local business culture, as IRM is demonstrating through accreditation of local training bodies that can provide relevant material and local case studies.

Thought leadership

The Federation of European Risk Management Associations (FERMA), of which I served as president for four years and now act as technical advisor, is the principal organisation lobbying the European institutions on risk management issues. Through the development of its thought leadership projects, such as its white papers, IRM can add to the theoretical dimension of the case that risk managers put to the commission on specific proposals. In my experience, members of the commission appreciate an argument that has an academic grounding presented in tandem with the practitioner's knowledge. Consider, for example, the draft directive on corporate social responsibility that will shortly go to the European parliament. It would require that all companies with more than 500 employees disclose information on policies, risks and results on issues such as the environment, social and employee-related aspects, and respect for human rights. But disclosure alone does not mean that the risks are controlled.

Professional development

Second, when it comes to professional education, IRM is in close discussion with FERMA about the proposed European certificate in risk management. It is too early for me to say more than that now, but both organisations believe strongly in the value of a portable, international recognition of enterprise risk management competence. Whatever happens in terms of this certification, there is a strong community of interest between IRM and FERMA in risk management education and the professional development of young risk managers in Europe. We hope to see many of these young risk professionals join us at our biannual risk forum. This year the forum is taking place in Maastricht, in the Netherlands, from 29 September to 2 October. I believe IRM and FERMA can build on each other's strengths to influence the European regulatory framework and develop the knowledge that risk managers need to implement it. For more information on the FERMA Forum 2013, see www.ferma.eu/ferma-forum-2013.

Marie Gemma Dequae is an honorary life member of IRM, a member of its board, and technical director at the Federation of European Risk Management Associations (FERMA)


THE INSTITUTE OF RISK MANAGEMENT


IRM's qualifications are internationally recognised, providing practical, sector independent skills that can be applied anywhere in the world. Whether you are new to risk management, an experienced risk practitioner looking for a formal qualification or a risk specialist requiring a broader understanding, IRM can help.
Course enrolment is from: 1st September 2013 to December 31st 2013

Why take an IRM qualification?

Achieve a globally recognised qualification
Gain practical, transferable skills
Offered on an on-line, distance learning basis
Build your own network of international contacts
Enhance your career opportunities and earning potential

To find out how a qualification from the Institute of Risk Management can help you, visit www.theirm.org, email us at studentqueries@theirm.org or contact one of our team on +44 (0)207 709 9808

HOW TO... SOFT SKILLS

BREAKING BARRIERS

GHISLAIN GIROUX DUFORT MIRM ASKS HOW RISK PROFESSIONALS CAN HANDLE EMPLOYEE RESISTANCE TO CHANGE
Most risk catastrophes are not due to deficient policies and procedures but rather to wrong-headed behavioural norms: a blind adherence to rules at the expense of sensible risk judgement in the heat of a crisis or, at the other end of the spectrum, a casual and tolerated, if not encouraged, disregard for risk management rules. 'The way we do things around here', the risk culture of the organisation, is often more important than the formal risk management framework or system. That is why IRM published two documents on risk culture last autumn: guidance for boards and resources for practitioners. At the core of IRM's risk culture framework lies the individual's predisposition to risk. Personal ethics, group behaviours and organisational culture combine with this core personal attitude to risk, interacting with each other to form the company's risk culture. The guidance recommends that boards should request a diagnostic of their organisational risk culture and ask ten questions along four major aspects: tone at the top; governance; decision-making; and competency.

In the real world

When a state-owned energy company started embedding an enterprise risk management (ERM) framework, led by a team of six with strong board backing, it became clear that the company's risk universe and levels of risk were widening and heightening, calling into question the risk management competency of existing personnel and management. Insecurity brewed, and resistance to ERM implementation grew. To alleviate this problem, the ERM team asked the CEO to gather and speak to all key leaders of the company about the importance of risk management for its future. He told them that although new personnel were required, every existing employee who recognised their own failings, embraced ERM and trained adequately would have a place in the company. This would be valuable not only to the company, but also to each individual willing to learn and change. This speech was followed up with a regular newsletter from the CEO on ERM implementation progress, which substantially helped to facilitate the change process.

The second case concerns an entrepreneurial consumer goods manufacturer. Facing revolutionary technological change, the chief financial officer convinced colleagues that it would be appropriate to implement ERM. But the CEO, part of the family that ran the business, was lukewarm about the idea and fearful that it could neutralise the firm's entrepreneurial and autonomous culture. In response to those concerns, ERM was implemented lightly, and at minimal cost, by only one person, providing mostly guidance through a top-down approach. The executive team identified about 50 risks that way, and decided quickly on the top 10. Managers and employees were entrusted with incorporating a few key risk management principles into their own decision-making processes, reporting only their top five risks to the ERM function. It resulted in sound basic plans being implemented by business units with little supervision from the ERM function.

Tuning in

If you are a risk management practitioner or executive, you have to be attuned to the specificities of your organisation and adjust your ERM delivery platform accordingly. Of course, one could rightly argue that you should not dilute ERM principles too much to accommodate the company's culture. But, on the other hand, being pragmatic and able to implement ERM partly or slowly will benefit your organisation much more than failing to do it altogether.

Ghislain Giroux Dufort MIRM is president of Baldwin Risk Strategies, a member of IRM's global education advisory board and a member of the strategic risk council of the Conference Board of Canada


BOOK REVIEWS

BE PREPARED
Enterprise Risk Management: Straight to the Point
An Implementation Guide Function by Function
By Al Decker and Donna Galer

A useful guide that does what it says on the tin. Enterprise Risk Management (ERM) can be a variety of things to different people, but this 142-page guide sets out useful definitions and, more importantly, helps give well-reasoned justification for implementing ERM. It notes the impact of Standard & Poor's inclusion of ERM in its rating criteria, and goes much further in making the case. The strong focus on worked examples and practicalities makes for a comprehensive guide in all but a few areas. There is more here than just a methodology. The focus on strategy, ownership, brand value and prioritisation is appropriately unremitting. A heat map, for example, shows not merely top/greatest risks but rather the results of analysis that reveals those parts of key business strategy and goals thought to be most at risk, a more helpful output for senior executives. The worked examples may sometimes focus on smaller enterprises, but there is no reason that these cannot be scaled-up to apply to larger concerns. Also, risks are not just seen in isolation and there are many references (but, frustratingly, no index or glossary) to correlated risks.

The authors touch on plans and projections and make the case that risks change, but the book would benefit from an additional chapter covering projects and joint ventures. They also seem to treat strategy as a given and give very little attention to the need for ERM outputs to influence and modify corporate strategy. Similarly, there is less focus than many may like on those risks that any organisation may take, often unwittingly, by not pursuing new markets, products or means of communication, that is, the 'risks of not...'. Likely resistance to ERM is not overtly addressed, although a strong benefits case is made throughout.

ERM is shown to be of value to a wide variety of stakeholders, not least CEOs who may rarely see composite, unbiased data covering not just one function but the whole business and its strategy in a competitive and social/environmental context. 'Chance favors [sic] the prepared...' is a favourite phrase adopted throughout the guide and a good mantra for ERM implementers.

CHARLES TOOMER FIRM is head of risk management at GoodCorporation.

Risk Management (Kogan Page)


By Paul Hopkin FIRM
Experienced risk manager Paul Hopkin FIRM brings a wealth of practical guidance to this compact, good-value book covering enterprise risk management (ERM) as it is practiced today. Using straightforward language and a notable absence of risk-geek jargon, Hopkin explains how, and why, embedded risk management can add value to every business. Well structured, with checklists, text boxes, diagrams, further reading references and lots of examples, this book is a joy to read, either cover-to-cover or dipping into it as an introduction to the subject. While the anglo-centricity of the examples given is a weakness, they are all relevant globally. In this book, Hopkin has moved away from the many acronyms used in his earlier books, and this text is an easier read for it.


STEVE FOWLER FIRM is the chief executive of IRM

IRM FOCUS: CHIEF EXECUTIVE'S MESSAGE

LIVING IN VUCA TIMES


IRM'S CHIEF EXECUTIVE, STEVE FOWLER FIRM, ASKS WHAT THE FUTURE MAY BRING FOR THE RISK PROFESSION

As hundreds of members recently heard at our IRM Forum in Ashford, Kent, UK, we are now living in VUCA times, that is, times that are volatile, uncertain, complex and ambiguous. The comments were made by René Carayol, a keynote speaker at our event on reputation and brand, who began by examining what we, as risk professionals, bring to the table and how we can improve our leadership skills to enhance our reputations and those of our respective organisations. We are in the middle of a period of great change but, as is often the case when you lie in the eye of the storm, many of us are unaware of it. When people look back on the early part of the 21st century, they will say: "It must have been fascinating to live through that time, because that is the time that the world really changed."

Looking ahead

If you look at the world's top 20 brands, half of them have only been around for fewer than 20 years. Half have history on their side, but the others exist not because of their history but because of the things they are doing now and the plans they are putting in place for the future. That is not to say that history is unimportant, but the world has changed from one where we are always looking in the rear-view mirror to one where what really matters is looking ahead and listening to what your customers want to buy, rather than what you want to sell them. There are still businesses out there that fail to see the value in social media. You are not going to be in business in 10 years' time if you are unable to keep up with the changing world. This is where we were 10 years ago with the internet. There were organisations saying that the internet was something kids used and that it wouldn't be of use for business. Today, if you are booking a flight or a hotel or theatre ticket, where do you go? That is the way the world has changed.

Adding value

To ensure that risk professionals are an integral part of this future, we need to position ourselves correctly. If we want to be seen as a negative, as the people who always say 'no', as the people who are a drag on our businesses and do not add any value, then we need to go down the route of aligning risk as a profession with governance and compliance. This is something that is often called for, but whilst I can see some benefits of alignment, I would ask: Why these two functions? We could invent another acronym: VRI (value, risk and innovation). There is just as strong a case, in fact possibly a stronger case, for aligning risk with value management and with innovation in our businesses. Adding value to our organisations is one way that we will be seen as leaders. Tomorrow's leading businesses are going to be the ones that innovate today, those that can create value. If, as risk professionals, we can work alongside those value management people and the product and service innovators, it is going to get us a lot further than looking in the rear-view mirror all the time and asking how we can comply with laws or tick boxes. That is how we can ensure we are ready for Carayol's VUCA times.

PARIMA PREMIERES
IRM chief executive Steve Fowler FIRM presented a session on risk management competencies at the launch of the Pan-Asian Risk & Insurance Management Association (PARIMA) on 2 April. Held in Singapore, the event featured sessions on the rise of Asia, social media and cyber risks, and people risks. Fowler spoke about IRM's work in developing an overall view of the many risk competency frameworks around the world, and whether work by IRM, the Federation of European Risk Management Associations (FERMA) and others could work in Asia. Fowler said: "With members in more than 100 countries and a significant and growing presence in Asia, IRM's relationship with PARIMA can help us continue to educate people about the importance of effective risk management across the globe."

Read all about it


The Sunday Telegraph is working with IRM on a special risk management report, due for publication on 8 September. Written for CEOs, boards and key decision-makers, the report will be a strategic guide to effective risk management and future risk solutions. If you are a thought leader who wants to shape the discussion, contact tom.bovingdon@theirm.org. IRM members will receive 30 per cent off the standard rate card, should they be involved.

First Gulf conference plans for IRM


IRM chief executive Steve Fowler FIRM and head of thought leadership Carolyn Williams MIRM visited Dubai at the end of May. Discussions were held with Global Risk Awards-winner Dubai Electricity and Water Authority (DEWA) to develop plans for a joint annual risk management conference in the Emirates, starting in November. Fowler and Williams, pictured with Waleed Salman and Ali AlMuwaijei, also met IRM partner Hawkamah and leading IRM members in Dubai.

Institute seeks experts for finance group


IRM members with specialist accounting knowledge and skills are being sought to fill three vacancies on IRM's finance group. The group's role is to provide advice and support, and to challenge IRM's CEO and senior staff on financial performance, accounts, budgets and financial policies. The group meets quarterly at IRM's offices in London, UK. Ideally, applicants will possess a recognised accounting qualification; knowledge of bookkeeping; experience of operating in a not-for-profit environment; and an understanding of IRM's core activities and the environment in which it operates. Full details of the role can be found at http://tinyurl.com/IRMFinanceGroup, while application forms can be downloaded at http://tinyurl.com/IRMAppForm.

36 | www.rmprofessional.com | Summer 2013 |

LEUNGCHOPAN/ sHUTTERsTOCK

IRM FOCUS NEWS

Global Risk Awards 2014: enter now

Is it time you were recognised for outstanding risk management practice? Are you a leading light in the profession? IRM's Global Risk Awards are back for the second year in 2014 as the only truly international recognition of risk management excellence, run by the world's leading educational risk management body. With this year's inaugural awards ceremony attracting hundreds of nominees from across the planet, and a judging panel made up of more than 30 internationally-recognised experts and practitioners, IRM's Global Risk Awards has become the standard bearer for outstanding achievement. "These awards represent the pinnacle for the risk management profession," said IRM chief executive Steve Fowler, "and this magnificent evening offers the opportunity for the leading lights of risk management talent to showcase their brilliance." The awards will take place on 27 February 2014 at the prestigious Grand Connaught Rooms, London, UK. Entries are now open and will close on 4 October, before IRM announces the shortlist in November. To view the categories and enter, visit www.irmawards.org.

Have your say on ISO


The ISO technical committee 262 has compiled a survey to help it understand more about the use and perceptions of ISO 31000. IRM members are strongly encouraged to complete the survey, which can be found via www.theirm.org.

Two new directors appointed


Amelia Stubbs and Jeremy Harrison FIRM have been appointed to IRM's board of directors with immediate effect. Stubbs, a senior client partner at executive search and talent management company Korn/Ferry, and IRM Affiliate member, has more than 10 years' experience in senior risk appointments and is responsible for the development of the firm's global risk practice. Harrison, who has worked extensively on IRM's education and annual forum committees, is head of project risk and value management at Network Rail, with more than 20 years of risk management experience. IRM chief executive Steve Fowler said: "We are delighted to announce the appointment of both Amelia and Jeremy to IRM's board. Their respective backgrounds in risk recruitment and pioneering risk thinking will bring additional expertise to our board as we continue to expand our membership and qualifications portfolio."

Renewals reminder
Members are reminded that their annual subscriptions are due for renewal on 1 July. Renewal invitation letters were issued in early June and the online payment facility is now available. Details of the 2013/2014 subscriptions can be found on IRM's website at www.theirm.org.

Meetings round-up
IRM chief executive Steve Fowler FIRM attended meetings with the Chartered Institute of Internal Auditors (CIIA), the Institution of Occupational Safety and Health (IOSH), and the Association of Risk and Insurance Managers in Commerce (AIRMIC) in June. Fowler met the president and CEO of the CIIA, the president and new chairman of IOSH, and the CEO of AIRMIC. Fowler said: "Meeting with these bodies enabled us to start, or continue, conversations about risk management and IRM's work that will benefit all of us in the future. It has been a busy, but productive, month."

Mirabal joins EAB


Javier Mirabal has joined IRM's education advisory board (EAB). Mirabal, executive director at Latin American Risk and Insurance Management Association (ALARYS) and president of Mirabal Risk Management, joins a group of approximately 30 leading risk practitioners and academics on the board. The board, led by IRM education programme director Dr Lynn Drennan FIRM, is working to ensure that IRM's educational offerings meet the needs of contemporary risk professionals. More information on the work of the EAB can be found on page 41.

JOB SHARE
IRM has issued a call for members to submit their job descriptions to help the institute identify common roles and responsibilities in risk-related jobs. All confidential information will be removed from submissions, with the content used to support and inform those developing their careers in risk management. If you are willing to share your job description, contact bhamini.ladani@theirm.org.

SPECIAL INTEREST GROUPS (SIGS)


ERM SIG hits milestone
More than 600 members are now part of IRM's enterprise risk management in insurance special interest group (ERM in insurance SIG). The milestone was reached earlier this month, with group chairman and IRM director Alex Hindson FIRM saying that the group has "tapped into a rich vein" with its work on Solvency II, stress and reverse-stress testing, and compliance. Steve Fowler FIRM, chief executive of IRM, said that the strength of the group was "fantastic news for the institute", adding: "Much credit must go to Alex for his fantastic work overseeing the group, but also to all its 600-plus members for creating such a lively and inspiring special interest group. IRM is defined by its membership, so it is extremely encouraging to see such a proactive group of risk professionals working to advance the case for effective risk management."

BIG DATA DAY


A group of risk practitioners tackled big data at an IRM seminar in London, UK. The institute's innovation, value creation and opportunity special interest group (IVCO SIG) held the session on 9 May to discuss big data in relation to risk management, how to define big data, and the impact big data can have on reputation. To an audience of about 90 cross-industry risk professionals, Martin Massey MIRM, managing partner, Massey Consulting, compared big data to an iceberg. "Data is like an iceberg, a bit like risk management really, floating in the ocean, only a tiny bit visible at first sight, with much of it hidden beneath," said Massey. However, Massey said that lots of companies are unaware of small data solutions at the moment, let alone big data solutions. He added: "Data is going to get bigger and bigger, and people will have to think differently about how to manage it. Talent matters as much as technology." Later in the same session, Steven Leigh, co-founder and partner at Reputation Consultancy, said big data services could help firms manage their reputation. "Organisations are right to be worried. The rules have changed. We are less in control [of our reputation] than we used to be," Leigh told delegates. But he concluded that big data was an enabler for businesses and also offered opportunities, such as risk professionals making its interpretation an evidence-based part of their roles, as long as they found the right tools.

Risk function survey results

Survey findings from IRM's enterprise risk management in insurance special interest group (ERM in insurance SIG) show that the majority of insurers have four or fewer staff in a group risk function and two or fewer in a local function. Risk professionals, the group found, are principally qualified or have a background in ERM/operational risk, or compliance/internal audit and accounting, and many risk functions have at least one actuary.

Marks flies in for GRC SIG

Risk management legend Norman Marks FIRM joined the governance, risk and compliance special interest group (GRC SIG) on 30 May when it met in London, UK. Marks, an honorary IRM Fellow for his longstanding contribution to the risk management field, fielded questions from the audience as part of an informative and lively debate.

Cyber on the RISE agenda


Almost 300 people responded to IRM's risk in information systems and e-crime special interest group (RISE SIG) survey, with results showing that there are skill gaps within organisations in respect of cyber security risk assessments, as well as determining effective control environments. The group discussed the findings on 12 June in London, UK, along with culture, awareness and training, and the idea of "risk clock speed".

REGIONAL GROUPS (RGS)


Bermuda spotlight on risk
The implementation of operational risk frameworks, loss data capture and risk and capital management, were up for discussion on 16 May at a meeting of IRM's Bermuda RG. An earlier workshop, on 30 April, explored risk culture and the national risk assessment currently under way in the country.

First meeting for South Africa group

An inaugural meeting of IRM's South Africa RG was held on 11 June. Hosted by Ernst & Young in Johannesburg, the meeting was overseen by group chairman Alex Jeppe SIRM. Jeppe had previously made an appeal via email and the IRM website for interested risk professionals to get in touch. The next meeting will be held on 5 August.

For more information on IRM's groups, visit http://tinyurl.com/IRMdiary.

Green agenda for north-east


Environment was the topic of debate when IRM's north-east (UK) RG met in Harrogate on 13 June. The morning session included speeches from group chairman Neil Hodgson FIRM and from Kirsty Gomersal, a partner at Simpson & Marwick specialising in licensing and regulatory matters. Gomersal discussed whether the Environment Agency's use of civil penalties is providing a more proportionate enforcement response for minor offending or instilling a "parking fine mentality". Her speech preceded one by Lindsey Downes, EHS risk manager at EAME, on environmental risk, rewards and penalties.

Social media and Scotland


Glasgow Caledonian University hosted IRM's West of Scotland RG on 8 May. The session was presented by Bill Galloway, director for enterprise risk services at Deloitte, with input on reputation coming from IRM chairman Richard Anderson FIRM.

Turkey exchange
Sharing knowledge and experiences about implementing enterprise risk management (ERM), IRM's Turkey RG met on 6 May, with a mixture of English and Turkish presentations. The session covered annual report disclosures and corporate investment considerations.

Midlands meet up
IRM's midlands (UK) RG met on 9 May to discuss the set-up of the group and the new IRM committee structure, as well as to cover regulation and risk topics, with input from the Solicitors Regulation Authority.

North-west tackles risk appetite


Liverpool will play host to IRM's north-west (UK) RG on 11 July as the group meets to discuss risk appetite. Following on from last year's meeting, the session will explore how the political, economic and financial climate has affected organisations' risk appetites. Hill Dickinson and Bluefin will both speak at the event, along with author Ruth Murray-Webster.

The Institute of Risk Management Events

Risk Leaders Conference 2013


Practical strategies for risk at board level
Monday 4 November 2013 Holiday Inn, Kensington Forum London, UK

IRM's Risk Leaders conference is designed specifically to meet the needs of chief risk officers, heads of audit, non-executive directors and others responsible for risk at board level. With speakers and seminars covering critical risk issues, as well as an outstanding networking opportunity, the programme will cover topical risk issues such as:
- Risk Culture
- UK and Global Recovery Prospects
- Whistleblowing

Risk Leaders is extremely popular and sells out quickly. To guarantee your place, pre-register your interest by emailing events@theirm.org

Sharon Shoesmith, former head of Haringey Council Children's Services
Paul Moore, HBOS whistleblower

Speakers include:
- Margaret Heffernan, author, journalist, TED speaker and entrepreneur
- Dr Andrew Sentance, business economist and senior economic adviser to PwC, previously a member of the Monetary Policy Committee of the Bank of England
- Venetia Howes, City Values Forum
- Margaret Woods, Aston University

Sponsorship and partnership opportunities are available. For details, contact murray.barber@theirm.org

To find out more about this year's conference call +44 (0) 20 7709 988, email events@theirm.org or visit www.theirm.org
The Institute of Risk Management, 6 Lloyd's Avenue, London EC3N 3AX.

IRM FOCUS EDUCATIONAL ADVISORY BOARD

LEARNING EVOLUTION

DR LYNN DRENNAN FIRM DISCUSSES THE SHIFTING EDUCATIONAL LANDSCAPE FOR THE PROFESSION
Over the last two decades the risk management profession has witnessed some dramatic changes. Once focused in some circles primarily on insurable risks and with its practice limited to the larger private sector companies, the discipline now crosses industries and sectors, and encompasses much broader aspects of business life, including governance, reputation and issues relating to globalisation. In short, risk management has become an accepted and critical part of mainstream business practice.
Dr Lynn Drennan FIRM is education programme director of IRM

Review and revise

Along the way IRM has changed too and in 27 years has grown from an initial membership enrolment of 79 students to a population of thousands. Our qualifications have been regularly reviewed and revised a number of times since their inception, to ensure that they continue to offer the highest quality in professional risk management education, anywhere in the world. But despite the undoubted success and credibility of our educational offerings, with student numbers increasing year on year, and more students sitting risk qualifications with IRM than across all of Europe's universities combined, we cannot rest on our laurels. Our current review draws on the expertise of our newly-established global education advisory board, a group of experienced risk professionals and academics whose role is to act as a sounding board during the development phase and provide information and advice as necessary. The first question they addressed was: "What are the major skills/competences that you believe need to be included in a professional risk management qualification in order to enable risk practitioners to deal effectively with current and future risks?" This produced extensive and varied responses from our advisory board. Input has also been received from IRM's current module developers and examiners, who will be involved in further refining the proposed new programme.

Core competencies

In recent years, an international standard in risk management (ISO 31000) has been published, along with a variety of documents from organisations in Europe, North America and Asia, outlining the core competencies that an effective manager of risk should possess.

These competence frameworks cover to a greater or lesser degree areas of knowledge, skills and behaviours, and are useful resources for both employers and employees. There is, however, no definitive set of core competences and, for this reason, IRM commissioned an analysis of these documents identifying common knowledge and performance statements and mapping them to IRM modules. This information is also being used in the redesign of the international certificate/diploma qualifications, enabling students to develop and demonstrate the achievement of a wide range of competencies, as well as gaining a post-graduate qualification.

Future opportunities

Aside from ensuring that the programme content remains relevant and attractive to new students, the plan also involves securing formal accreditation within the higher education sector, which will give further opportunities for credit to be gained against a number of postgraduate diploma and master's programmes. The aim is to launch the revised programme in the autumn of 2014, with transitional arrangements in place for those students who are already part way through the international diploma. Updates will be provided as the review progresses.

IRM FOCUS CONFERENCE PREVIEW

DO THE RIGHT THING

IRM'S RISK LEADERS CONFERENCE 2013 WILL OFFER INSIGHTS INTO RISK AND INTEGRITY WHILE OFFERING INTIMATE ACCESS TO AN UNPARALLELED PANEL OF EXPERTS

If the police service reflects the community it serves, what conclusion can you draw when the service's monitoring body refuses to issue it with a clean bill of health? This was the situation when Her Majesty's Inspectorate of Constabulary (HMIC), which oversees the UK's police forces, carried out a report into integrity in the police service. HMIC identified a lack of guidance around appropriate relationships between police and the media, a lack of clarity concerning acceptance of gifts and hospitality, and found that few forces had proactive and effective systems in place to identify, monitor and manage these issues. If this is the situation with the defenders of our societies, then what can we determine about the wider world?

So now IRM's Risk Leaders Conference 2013, taking place on 4 November, will ask: how do you ensure that you are doing the right thing? Held at the HI Kensington Forum hotel in London's museum district, the Risk Leaders Conference is designed to meet the needs of chief risk officers (CROs) and those responsible for risk at board level. Following IRM's thought-leadership activities on risk culture and risk appetite, and this year's earlier IRM Forum on reputation and brand, the Risk Leaders Conference will offer the chance to question those who have faced integrity issues head-on and equip yourself with the confidence and skills to instil the right culture in your organisation. Touching on issues such as child safety, banking collapses, institutional corruption and gaining the courage to speak out against evil-doers, the event aims to tackle issues including: board effectiveness; lessons learned from recent disasters and events; and the implications of new codes and regulations.

Unresolved issue

HMIC's report benchmarked the police against public, private and third sector organisations, and determined that "few organisations have resolved these issues well for the modern world" (in terms of managing controls around integrity issues). Issues of integrity dominate the news agenda (be it the misbehaviour of politicians, the public reaction to bankers and journalists, or the shady activities of government agencies) and influence the way organisations are perceived by the public.

Zombies and Nazis

Keynote speakers at the Risk Leaders Conference will tackle issues ranging from zombie banks to rotten orchards, and promise to ask whether the longed-for global economic recovery will end in tears. Author and entrepreneur Margaret Heffernan (more on page 48) pledges to link the corrupted cultures of contemporary businesses to institutions such as the Nazi party and abuse within the Catholic Church, explaining why she believes in "rotten orchards" rather than "rotten apples". The author of Willful blindness, a cautionary tale of why we ignore the obvious at our peril, and a highly-respected TED speaker, Heffernan will define the difference between a cult and a culture. Prof Margaret Woods, co-ordinator of the European Risk Research Forum and a professor of accounting and risk management at Aston Business School, UK, has spoken about zombie banks, or the good, bad, ugly and uncertain sides of risk management. A prolific author of risk management case studies, Woods has attracted national and international media interest for her work on risk management, particularly for her focus on risk reporting and the link between risk and performance management. Other speakers include Venetia Howes, from the City [of London] Values Forum, and Dr Andrew Sentance, a business economist and senior economic adviser to PwC, who was previously a member of the Monetary Policy Committee at the Bank of England.

Put it to the panel


Comprising whistleblowers, experts, authors and those who have found themselves targeted by the media, IRM's question time panel will give you the opportunity to field your questions on culture and integrity. Discussing how we create a speak-up culture and what our organisations will look like when we do, our panel will offer a unique insight into the issues critical to your future safety and survival. Our panel members are:
- Paul Moore, former head of group regulatory risk at HBOS, turned whistleblower
- Sharon Shoesmith, former head of children's services at Haringey Council
- Cathy James, chief executive of whistleblowing charity Public Concern at Work
- Peter Neville Lewis MIRM, expert on risk culture, values and integrity

Ex-HBOS whistleblower Paul Moore was fired as head of group regulatory risk in 2004, after warning the bank about its excessive risk-taking. Claiming he met with an "us and them" culture between group risk functions and a "cultural indisposition to challenge", Moore's testimony to a parliamentary committee helped it report that the bank's risk function was a "cardinal area of weakness".

Shoesmith was dismissed as head of children's services at Haringey Council after the death of 17-month-old Peter Connelly (known as Baby P), who suffered sustained abuse despite being on the council's child protection register. Her dismissal, and the preceding intervention of UK secretary of state Ed Balls (who promised her dismissal on live television), was later ruled unlawful by the UK Court of Appeal. Shoesmith will discuss the importance of creating the right corporate culture and the lessons learned from the Baby P tragedy.

Peter Neville Lewis MIRM claims there are four questions that every individual and organisation should ask themselves: am I doing the right thing? Am I doing it in the right way? Am I doing it for the right reason? And, crucially, am I doing it based on the right values?

Age of the whistleblower


With increased potential for online anonymity, digital communication channels and an insatiable public demand for the truth to out, it has been said we are living in the age of the whistleblower. With the news agenda dominated by the actions of Edward Snowden (the whistleblower who revealed that the US National Security Agency has gathered millions of phone records and snooped on internet activities), the time is right to ask: what role do whistleblowers have in society? Are they given enough protection, or too little? And are organisations ensuring that those in their employment are comfortable enough to speak truth unto power? And, with the anti-Snowden backlash building and the trial of US military secrets whistleblower Bradley Manning ongoing, should we view whistleblowers as traitors or heroes? Cathy James, chair of whistleblowing charity Public Concern at Work, will join IRM's question time panel to discuss these issues, along with HBOS whistleblower Paul Moore. James tells RMProfessional it is crucial to have the right policies in place for workers to feel empowered to speak out. She says: "Workers are often the first to realise and have the most to lose. When you look at big disasters such as Piper Alpha and the Clapham Rail crash, and at companies such as Enron and Worldcom, time and time again people knew. Whistleblowing is not a panacea but tip-offs are a major source to find and eliminate wrongdoing." Put your questions to James and find out whether this is truly the age of the whistleblower by booking your place at http://irmriskleaders.org/.

IRM FOCUS THOUGHT LEADERSHIP

FORWARD THINKING
CAROLYN WILLIAMS MIRM PROVIDES HER REGULAR ROUND-UP OF THE LATEST ISSUES, IDEAS AND INITIATIVES FROM IRM'S ACTIVITIES
Carolyn Williams MIRM is head of thought leadership at IRM

Review of Turnbull guidance

At the time of going to press, there was no news from the UK Financial Reporting Council (FRC) about when they might release their draft of a revised and updated version of the 2005 Turnbull guidance on internal control for consultation. The scope of the guidance is likely to be extended to cover risk and internal control, to reflect the focus of the latest version of the UK combined code. IRM will forward details of the consultation to members when it is received.

Risk in the extended enterprise

The subject of risk across the extended enterprise was covered in discussions led by group leader Richard Anderson FIRM at the IRM Forum in Ashford in May. Their focus was on subjects like the nature of complexity, channels of communication, how to capture and leverage innovation within complex networks, models for governance and assurance and vulnerabilities arising from developments like cloud computing and BYOD (bring-your-own-device). The group's next milestone is an open workshop meeting on 21 June to expose some of the ideas and models being developed, with the intention of then releasing a document for a consultation period. Members who would like to be involved are welcome to get in touch.

Cyber risk

IRM's risk in information systems and e-commerce special interest group (RISE SIG) is currently producing guidance for organisations and risk practitioners on dealing with cyber risk issues. The group recently conducted a survey of cyber-awareness among IRM members and received more than 200 responses, which will help to shape the group's work. Some of the subjects that the group have been examining include: tools and models for assessment of cyber exposures; reaction, resilience and incident management; interpretation and understanding of the multiple standards, including IS27001; behaviour and the impact of social media; information security and the cloud; insurance options; the "iceberg impact" of a cyber-loss; skills, training and capability; return on investment; reputation and brand impacts; incident management; and mobile device security. Details of the group's meetings can be found on its web page at www.theirm.org/events/RISE.htm.

BS IEC 62198/Ed2 project risk management application guidelines

A group of IRM members with project management experience, led by Ashley Milroy MIRM, prepared a joint response to the consultation on this standard from the British Standards Institute (BSI). They concluded that the proposals did not add sufficient new material not already covered in existing risk and project management standards to justify a separate standard. Further, they thought that a separate standard might be taken as an indication that project risk management practice differs substantially from non-project risk management practice, whereas in reality there are no substantive differences. They argued that industry would be better served by risk skills commonly used in projects, such as quantitative risk analysis, being acknowledged as such within the current BS and ISO risk standards. The group also made a number of detailed suggestions on the text of the standard. The BSI dependability committee, nevertheless, decided to support the proposed standard, although the detailed comments made by the IRM members were favourably received.

Online resource centre

IRM's online resource centre (ORC) for members provides easy, searchable access to hundreds of documents and links on various aspects of risk management. Recent additions include:
- Supply chain resilience survey 2012, report from the Business Continuity Institute (BCI)
- Solar storm risk to the North American electric grid 2013, an emerging risks report from Lloyd's of London
- Global assessment report on disaster risk reduction 2013, report from the United Nations Office for Disaster Risk Reduction

Any IRM members who would like to submit papers or suggest links for inclusion in the ORC should contact Carolyn Williams MIRM on carolyn.williams@theirm.org.

UK Engineering Council

During 2013, the Engineering Council is undertaking its periodic five-year review of several key documents, including the UK standard for professional engineering competence (UK-SPEC), and their accreditation of higher education programmes. There is a suggestion that there could be an increased emphasis on risk management in both these documents. A small group of CEng-qualified IRM members have contributed to an initial consultation from the Engineering Council on this subject. IRM will forward details of the more general consultation to members when it is received.

IRM FOCUS FORUM REVIEW

BRAND AND DELIVER

IRM'S FORUM SAW HUNDREDS OF LEADING RISK PROFESSIONALS GATHER TO DISCUSS REPUTATION, BRAND MANAGEMENT AND SURVIVAL

With presentations on reputation, brand, leadership and record-breaking, as well as a number of seminar sessions covering various other topics, IRM's Forum gave delegates a wealth of ideas to take back to their organisations. Opening the event at the Ashford International Hotel, Kent, UK, IRM chairman Richard Anderson FIRM said: "It is really important to look at the risk and reputation angles that are going to impact all of us in our organisations." Anderson told about 200 risk professionals from various sectors and industries that organisations carefully craft their reputations because they realise how crucial they are to their public perception and performance. Here we take a look at the big stories from this year's IRM Forum.

Ten top tips

Keynote speaker René Carayol issued 10 top tips on leadership to Forum delegates. These were:
- Learn the four most powerful words: "what do you think?"
- Improve your relationships: risks do not stand in isolation
- Define what you stand for
- Tell stories
- Communicate, communicate, communicate
- Be clear about what you are great at
- Remember that public relations is the truth told well
- Share your plan and charge the hill
- Inspire and challenge your people
- Remember that the world is a stage and that you must perform on it

Understand brand, urges guru

Risk professionals cannot do their jobs properly unless they understand the importance of brand and reputation, the president of the Market Research Society and former chairman of Interbrand told Forum delegates. Rita Clifton told delegates: "Risk managers cannot truly do their job unless they understand branding." Claiming that "good risk management is good brand management" and vice versa, and that firms with strong brands would outperform their competitors regardless of the economic climate, Clifton argued that today's best businesses were closely aligning brand with their overall strategy. "The best businesses of today are making their brand strategy the alter ego of business strategy," said Clifton. "From the way you answer the phone to the way you set up your systems, because anyone and anything can be the weakest link [in your business]."

She said: "This [risk and brand management] is all a bit flimmy-flammy, but there is nothing soft about the financial results it can produce." Stressing the importance of clarity, communication and consistency, Clifton called on risk professionals to ensure a strong brand was in place in order to survive "cock-ups". "With a strong brand and a big cock-up you can survive. With a weak brand and a cock-up it could be curtains," she warned.

Record-breaker warns against risk aversion

Smashing the land speed record next year can convince people of the benefits of risk-taking and inspire a generation, the man who will attempt to travel at more than 1,000mph has claimed. Richard Noble OBE, in a keynote speech to almost 200 global risk professionals, said that the anticipated success of the BLOODHOUND supersonic car project would demonstrate the importance of risk-taking and inspire millions of children to become engineers. "We've created a country which is totally risk-averse and going nowhere at the moment," said Noble, adding: "This country has lost confidence. People don't think we can do these sorts of things any more." He went on to tell the audience that the City [of London] would never invest in such a high-risk project and that funding had come from a raft of sponsors instead. Noble, who joked that he was a "risk pervert" due to his long association with such ventures, said the UK was suffering from a huge decline in engineers and IT professionals but that projects such as BLOODHOUND had the potential to stimulate the interest of millions of schoolchildren. "They're going to be studying this [project] for years after. It's going to have a huge effect," he said. Steve Fowler, chief executive of IRM, said: "Whether you are looking to break records and seize opportunities or effectively prevent and mitigate the risks you face, our Forum speakers perfectly demonstrated the importance of effective risk management. Richard Noble's exhilarating speech shows that pioneering, effective risk management can drive innovation, break boundaries and capture the public's imagination."

Risk leaders all too rare

Leaders are all too rare in the risk management profession, delegates at the Forum heard. René Carayol, a leadership guru, who has worked with international statesmen including Bill Clinton and Kofi Annan, told delegates that the risk management profession would become irrelevant unless it started breeding leaders. "Those trained in yesterday's approaches are no longer relevant today," he said, asking the audience: "How relevant are you? Why should anyone be led by you? How are you relevant for 2013? If you want a world of unambiguity, forget it. It [certainty] is not coming back. We can't wait for you." The world, Carayol claimed, had become "VUCA": volatile, uncertain, complex and ambiguous. To face this new world, risk professionals must "manage a little less and lead a little more", he said. "Hand on heart, I know everyone in this room is great at management," the leadership expert told delegates, but he called on risk professionals to become great leaders instead in order to put themselves at the hub of their organisations.

Forum feedback
Eighty-three per cent of Forum delegates reported that the overall event was "excellent" or "good", survey results from the event show. One delegate commented that "the keynote speakers were fantastic, and it was very easy to network with people", while another rated the theme, subjects covered, keynote speakers and conference chairman, Michael Jackson, as "excellent". Another attendee reported that Forum was a "high quality event with [a] good atmosphere of professional participation and good time for networking", with another praising the "variety of speakers and good mix of seminars to attend".


IRM FOCUS CAREERS/APPOINTMENTS

ROLE CALLS
BUSINESSWOMAN AND AUTHOR MARGARET HEFFERNAN IS A KEYNOTE SPEAKER AT IRM'S RISK LEADERS CONFERENCE ON 4 NOVEMBER IN LONDON, UK
What did your book on wilful blindness examine?
My book looks at scandals in the Catholic Church, the rise of Nazi Germany, the refinery accident at BP's Texas City plant, and the poisoning of a town in Montana, US. And if I were updating the book, it would look at things like Libor-rigging, Jimmy Savile or Lance Armstrong. It could look at phone hacking. All of these are events that involved lots and lots of people. Our idea that risk is represented by a maverick individual is unsafe. The biggest disasters we encounter are very rarely secret or hidden. They are right out in the public eye and they require the passive participation of hundreds if not thousands of people. I'm not talking about bad apples.

APPOINTMENTS
Christopher Heyes SIRM has become an independent consultant on risk, security and emergency management, leaving his position as risk management chief for aviation security operations at Transport Canada. Alex Hindson FIRM, an IRM board director and former chairman, and chair of the enterprise risk management in insurance (Solvency II) special interest group, has been promoted to chief risk officer at Amlin, becoming a member of the management teams of both Amlin Bermuda and Amlin Re Europe. Richard Mackie FIRM has left his position as risk manager at Eversholt Rail and is now working as a manager, risk advisory, for RSM Tenon. Ashley Milroy MIRM, formerly a risk analyst at Mott MacDonald, has joined Crowe Horwath Global Risk Consulting as a senior associate. Milroy, chair of IRM's west of Scotland regional group, recently achieved a distinction for her practical assignment in IRM's International Diploma in Risk Management. Charles Toomer FIRM, a former head of risk management at the BBC, has been appointed as senior manager/head of risk management at GoodCorporation. John Walton SIRM has joined Prudential UK as a Solvency II risk specialist.

You're speaking at IRM's Risk Leaders Conference. What's your background?


I have run five companies, so I do not come from a theoretical perspective. Three of them were software businesses in the US, one was an oil and gas trading business, and then there was a media consultancy. But I only learned afterwards that there had been a case of sexual harassment at one of my companies. Everybody who knows me, knows that this is the kind of thing I wouldn't have tolerated for a second. It's quite chastening to learn that nobody told me about it. In a way, that illustrates how profound the bias is against speaking out. The people who work in a company are its eyes and ears. They are the early-warning system and we can create a culture when they can and will speak up. Creating this culture is harder than it sounds but it's fundamental to get the right procedures in place. It's also crucial to train people in raising these kinds of issues. And you have to train people in how to manage complaints.

Are we talking about rotten orchards, as opposed to bad apples?

Our sense of where risk comes from may be misguided. And, therefore, the way in which we deal with it has to be reconsidered. It's certainly the case that people are scared to speak up. Most of the research into what is known in academic circles as "organisational silence" suggests as much as 85 per cent of a workforce has issues or concerns that it is afraid to voice. That is a lot of silence.

What causes potential whistleblowers to remain silent?

It depends. In the US, it's fear of repercussions from supervisors or co-workers. In Europe, it tends to be more a sense of futility: if I do speak up then nothing will happen, so what is the point? I think some of it is born out of ignorance; some of it is experience. In some cases, it stems from this mythology around whistleblowers: if you speak out you will be crucified. The happy endings do not get much press. I would argue that there is quite a lot in it for them [the whistleblower], but that is not always easy for them to see. When you dare to articulate your concerns, what you will almost invariably find is that everyone else has those concerns too. So, in fact, you're rarely alone. And the fact you dared to speak out makes you a hero. And then you're in a position where things can be fixed and you can move forward.


IRM FOCUS MEMBERSHIP

WELCOME TO IRM
The latest newcomers to the Institute
Fellows
Robert Kurau Neal Writer VocaLink Royal London Thomas Fay Sonja Folarin Andrew Glancy Laura Groom Brent Halazon Action For Children Caroline Holmes Jegbefume Itua Endurra Indonesia Willis Catlin Barnsley Metropolitan Borough Council Mitsui Sumitomo Insurance Group AIG Shell International International Insurance Company of Hanover Mikael Johansson Maureen Kelly Sheila Keogh Paul Lockett Sheila McCallion David McCarthy Peter McCormick Gavin Noyce Audrey OSullivan Heather Parkinson Florian Peter Lynsey Allen Rajib Banerjee Roger Belgrave George Valentin Bunea Alex Catleugh Charlene Causon Amanda Chapman Gillian Edworthy Laila Faraidooni AECI Dubai Health Authority QBE European Operations AVE European Group Department for Work and Pensions Saudi Aramco Total Rening and Petrochemical RAC Direct Line Group John Pulaski Gaetano Renato Timothy Rollett Valentina Russo Katherine Scanlan Martin Schepers James Shortland Benjamin Smith Theodoros Sofokleous NATO/International Security Assistance Force Generali International Leeds City Council Amlin Marsh Novelis WorldPay Bank of America Trust International Insurance & Reinsurance Jason Reynolds Linda Turner Nigel Whitehead Stephen Wynne Alcatel-Lucent Transport for London Direct Line Group Aspray 24 Bill & Melinda Gates Foundation Moore Stephens Consolidated Hallmark Insurance Ernst & Young AIG Health & safety consultant Bank of America DSD Social Security Agency Berwin Leighton Paisner The Co-operative Banking Group The Co-operative Banking Group Bank of America United Utilities Annika Thalin Robert Walker David Window Dan Wylie Mathew Wynn Richard Young Motor Insurers' Bureau Welland Medical Direct Line Group Ernst & Young Bank of America

Members
Peter Adams John Bates Paul Bravin Josephine Ann Foley Vanessa Hartley Adrian Hunt Andrew Jones Christopher Kelly Lisa Khan Allan Oxborrow

Specialists
Ashwini Amit Anslem Arulanandam Joan Burstow Nathaniel Cole Frank Andrew Davis Arun Dhyani Kins Ekebuike Pesh Framjee Patrick Gardiner Seamus Hughes David Potticary Gregory Ramsbottom Ace Insurance Consultants Marsh Emirates Insurance Brokerage & Consultancy Zurich Risk Engineering Forensics & Compliance Institute Trident Manor African Commodities UnityKapital Assurance Crowe Clarke Whitehill Diamond Offshore Governance Matters Imperial London Hotels Topaz Energy ECS Insurance & ECS Financial Services Brokers Tradex Insurance Company Prudential Regulation Authority Bank of America

Certificants


IRM FOCUS MEMBER PROFILE

ZALINA JAFLUS
MEET THE MALAYSIAN MEMBER KNOWN TO HER FRIENDS AS "THE RISKY LADY"
Please describe your typical day

Waking around 6am, I do physio exercises as I slipped a disc last year (possibly because my work requires a lot of walking and I tend to walk too fast for my age). After a quick breakfast, I drive around 90km (one way) to my office near Kuala Lumpur International Airport, which takes less than one and a half hours. The best part of my job is that it's not deskbound. A good risk manager must change their shoes frequently because of all the walking they must do. You must walk about to identify and assess risks and I am so passionate about it. I normally lunch with friends or staff; I would rather not eat than eat alone. Work consists of meetings, surveys and risk assessment activities at airports around Malaysia. I also facilitate enterprise risk management (ERM) and business continuity management (BCM) workshops, and meet with insurance brokers and insurers.

How did you become involved with risk management?

After studying a risk management module at University Technology Mara, I took a risk management diploma with the Malaysian Insurance Institute (MII). I started implementing risk management at my then place of work, telecommunications company Celcom. Prior to joining Malaysia Airports, MII asked me to initiate their risk management programme, which is where I learnt more about IRM and proposed a collaboration between the two bodies. This relationship jump-started MII's risk management programme, as we did not have to develop our own modules from scratch. Since joining Malaysia Airports in 2006, my team and I have successfully implemented an ERM framework throughout the organisation and a BCM plan at all five of our international airports. The latter is now being extended to all 16 major domestic airports.

What is your favourite food?

My favourite Malaysian dishes are the famous local foods, such as Roti Canai and Nasi Lemak, but I love all kinds of food, like Japanese, Korean and Western. You can find food from all over the world in Malaysia. At weekends, I cook or eat out with family or friends. Sometimes friends come over and I cook lunch for them. My famous home-cooked dish is Assam Laksa, a type of noodles with spicy soup made from shredded fish, cooked in chilli paste and onions.

Where is your favourite place in Malaysia?

Kuala Lumpur, where I live, is my favourite place. There are lots of awesome shopping malls like the KLCC and Pavillion. But I love to visit Penang, a haven for delicious food like the Nasi Kandar, Claypot Briyani, Rojak and so on, and the famous Durian, dubbed the "king of fruits". Malaysia also has great beaches; my favourite is Pangkor Laut Resort.

What do you do in your free time?

I love going to the movies to watch action, comedy and love stories. I love '80s songs, because that's my era, but I still enjoy the latest hits; JLo and Bruno Mars are my favourites. My long-distance drive to and from work gives me time to listen to music. I've been trying to read more books. My best friend from work inspires me to read more because she said most successful people in the world read a lot of books. So I think it's still not too late for me. I love motivational and health books. I am reading a book called 50 is the new fifty: ten life lessons for women in second adulthood, by Suzanne Braun Levine, and would definitely recommend this book to those who are 50 or above. As for my friends, some do understand what I do, but some just call me "the risky lady"!

And finally, tell us something surprising about yourself

Friends and colleagues know me as being talkative, friendly and outspoken, but I grew up as a timid and shy person and this is my true character. But I try to overcome my introverted nature as much as possible since my work requires me to be an extrovert.

Zalina Jaflus is senior manager, risk management, Malaysia Airports


DIRECTORY RISK MANAGEMENT PROFESSIONALS


INSURANCE CLAIMS HANDLING & RISK MANAGEMENT SOFTWARE
At JC Applications Development Ltd, we believe that our commitment to providing simple-to-use, yet feature-rich, applications for claims and risk management is what has enabled us to grow a successful and satisfied client base of more than 160 organisations. Although our clients can occupy very different sectors of business (for instance, UK central and local government, US government, and commercial), sentiments converge when looking for a proven technology solution provider. If you are looking to improve the way you handle claims or manage risk, then JCAD has the right mix of products and services to guarantee a cost-effective and timely implementation.

JC Applications Development, Manor Barn, Hawkley Rd, Hawkley, Liss, Hampshire GU33 6JS
Tel: +44 (0)1730 712020
Fax: +44 (0)1730 712030
Email: jcad@jcad.co.uk
Web: www.jcad.co.uk

RISK MANAGEMENT CONSULTANCY


Arup provides tailored programme and project risk management (PPRM) support to its clients across numerous industry sectors (for example, energy, transport infrastructure, and commercial property), capitalising on the firm's core engineering and project management skills. We provide these services at all project lifecycle stages, helping to manage both threats to and opportunities for cost and benefit streams. In particular, our risk quantification expertise ensures we can reliably contribute to business case development, procurement and delivery structuring, tender evaluation, project controls during implementation, and cost-effective transition to full operation. Importantly, we've also developed a Monte Carlo-based decision support tool for optimising asset management strategies. As part of our PPRM service offering we specialise in five key areas: Project risk management (PRM); Quantitative risk analysis (QRA); Asset risk management (ARM); Enterprise risk management (ERM); and Business continuity management (BCM).

Risk Management Consultancy, Ove Arup and Partners, The Arup Campus, Blythe Valley Park, Solihull B90 8AE
Tel: +44 (0) 121 213 3000
Email: Rob.Davies@arup.com
Web: www.arup.com

ENTERPRISE RISK MANAGEMENT, MODELLING & ANALYTICS


Since 1999, riskHive has been at the forefront of risk technology and process, providing enterprise risk management, risk modelling, risk-adjusted portfolio and analytical risk solutions and services. In an independent global survey of analytical risk providers, riskHive was ranked just one place below IBM, in 7th place, and before Protiviti in 8th. We don't claim to be yet another "world leader", but many of our customers are, including: Airbus; Atkins; ATO; BAE System; Cranfield University; MBDA; London Legacy Development Corporation (post-Olympic Delivery); MoD; Mace; NATO; PwC; and Saab Aerospace. Our aim has always been simple: to make risk tools, techniques and processes more accessible, by making them easier to use and more affordable. Our relationship with customers is of primary importance, and our objective is to leave them enabled and effective. We do this by providing the right tools and advisory support for each customer. Our tools and services are designed and delivered for risk professionals by risk professionals and, as we don't have salespeople, only risk specialists, we won't hassle you every five minutes. So why not visit our website to try our free, online risk maturity self-assessment application? Or contact us by phone or email, and find out what it is that our users just can't do without.

riskHive, Dilkush, Farlers End, Nailsea, BS48 4PG, North Somerset, United Kingdom
Tel: +44 (0)117 373 1100
Email: info@riskhive.com
Web: www.riskhive.com

TO ADVERTISE HERE, CALL RICHARD WALTERS ON +44 (0)1223 477 428 OR EMAIL richard.walters@rmprofessional.com

RESILIENCE CAN TAKE A HIT.

In today's global business environment, supply chain disruption is a growing concern. You need a commercial property insurer that helps you minimise exposure, not just in your own facility, but in places you can't even see: areas where your suppliers operate and your suppliers' suppliers operate. After all, no one knows your business like you, and no one knows all the places it needs protecting like FM Global. Learn how to make your business more resilient at fmglobal.co.uk/resilience. WHEN YOU'RE RESILIENT, YOU'RE IN BUSINESS.

2013 FM Global. All rights reserved.
