The official magazine of the Institute of Risk Management www.rmprofessional.com | Summer 2013
Faking it?
IRM chairman: Richard Anderson FIRM
Chief executive officer: Steve Fowler FIRM
Deputy chief executive: Sophie Williams MIRM
Head of marketing: Fiona Duhig, fiona.duhig@theirm.org, Tel: +44 (0)20 7709 9808
Managing editor: Tom Bovingdon, tom.bovingdon@theirm.org, Tel: +44 (0)20 7709 9808
Editor: Phil Lattimore, phil.lattimore@rmprofessional.com, Tel: +44 (0)7802 870008
Design and production: CPL (Cambridge Publishers Ltd), 275 Newmarket Road, Cambridge CB5 8JE, Tel: 01223 477411, Web: www.cpl.co.uk
Advertising manager: Richard Walters, Tel: +44 (0)1223 477 428, richard.walters@rmprofessional.com
Risk Management Professional is the official publication of the Institute of Risk Management (IRM). ISSN 2042-4078. IRM is the world's leading enterprise-wide risk education institute. We are independent, well-respected advocates of the risk profession, owned by practising risk professionals, and operate internationally, with members and students in more than 100 countries.
Institute of Risk Management, 6 Lloyd's Avenue, London EC3N 3AX. Tel: +44 (0)20 7709 9808. Fax: +44 (0)20 7709 0716. www.theirm.org enquiries@theirm.org
Copyright 2013 Institute of Risk Management. All rights reserved. Reproduction without written permission is strictly forbidden. The views of outside contributors are not necessarily the views of IRM, its editor or its staff.
EDITORIAL
Real deal?
How many of us are pretending to be something we're not? Can you, hand on heart, say you practise everything you believe in? Can you faithfully attest that you stay true to your convictions? Will you draw your last breath without any regrets? Do you always speak out when something is wrong? The overwhelming reaction to Edward Snowden, the whistleblower who exposed US government-agency snooping on an unprecedented scale, has been to laud him as a hero. Be it ex-Olympus CEO Michael Woodford, who spoke at last year's IRM Risk Leaders Conference, or ex-HBOS head of group regulatory risk Paul Moore, who will speak at this year's event on 4 November, our reaction is to shake their hand, congratulate them on their courage and admire their bravery. Is this because they do what we would not, or because they have acted as we would?
Snowden exposed the US National Security Agency's state surveillance and is now seeking refuge in Hong Kong. But how many other organisations have secrets to hide? How about your firm? Does it take risk management seriously, or is its interest counterfeit, a sham and a fabrication? One risk professional wants to find out if your firm is faking it (p12-14). And, in an age of villains and heroes, we look ahead to IRM's Risk Leaders Conference, where Paul Moore is joined by Sharon Shoesmith, the former head of children's services at Haringey Council (p42-43), to discuss integrity and doing the right thing. Our features also include a report on operational risk (p16-17), a discussion around the Mars One mission (p18-21), an examination of the semantics of risk (p22-25) and an area focus on Malaysia (p26-29). Enjoy the magazine.
Tom Bovingdon, Managing editor, RMProfessional
Regulars
6 News
The latest risk management news and views, from cyber risks and telecoms security to climate change impact studies and food shortage forecasts
11 Chairman's column
IRM chairman Richard Anderson FIRM explains how risk management professionals can help organisations prepare for the future
34 Book reviews
Featuring Enterprise risk management: straight to the point, an implementation guide function by function, by Al Decker and Donna Galer, and Risk management by Paul Hopkin FIRM
36 News
IRM updates, including the launch of the Pan-Asian Risk & Insurance Management Association (PARIMA); developments in the Gulf; calls for member involvement; plus the latest news from IRM's special interest and regional groups
41 Learning evolution
Exploring the shifting educational landscape for the risk profession and outlining IRM's aims for the future
48 Appointments/careers
Members taking on new roles, plus a Q&A with businesswoman and author Margaret Heffernan, a keynote speaker at IRM's Risk Leaders Conference
49 Welcome to IRM
IRM Focus
35 CEO's message
IRM's chief executive, Steve Fowler FIRM, asks what the future may bring for the risk profession
We report on the recent IRM Forum, which saw hundreds of leading risk professionals gather to discuss reputation, brand management and survival
Preview of IRM's Risk Leaders Conference 2013, an event that promises insights on risk and integrity and access to key risk experts
44 Forward thinking
The latest issues, ideas and initiatives from IRM's thought leadership activities
Features
12 Is your firm faking it?
Many organisations and their leaders talk about the importance of risk management, but for some it is a façade. So how do you tell the fakers from those that really care?
"The first sign that all may not be as it seems is an inconsistent approach to risk" (page 12)
16 Lessons learned?
Organisations must question their cultures and learn lessons from risk events to reduce their operational losses, according to a study from ORIC
18
As Mars One starts accepting applications for a one-way trip to the Red Planet, we consider whether the dangers posed by the mission are outweighed by the threat of global catastrophe
22 Tower of Babel
... rather than simply focusing on their own interpretation
26 Building up
This issue, our regular regional overview spotlights Malaysia and explores how risk management culture is becoming increasingly important to its buoyant economy
30 Keeping it simple
IRM chief executive Steve Fowler FIRM outlines his vision for developing a comprehensive risk management certification framework
31 Euro vision
IRM board member Dr Marie Gemma Dequae discusses the institute's work with continental Europe
33 Breaking barriers
How risk managers can address employee resistance to implementing a new ERM culture
Risk management reporting by UK companies can be opaque, lacking in detail and detached from overall corporate strategy, a joint report by the Association of Insurance and Risk Managers (Airmic) and the Institute of Chartered Secretaries and Administrators (ICSA) has found. Finding a wide disparity in the quality of risk reporting by companies on the London Stock Exchange, the two bodies will urge the Financial Reporting Council (FRC) to tighten risk reporting when it updates the UK Corporate Governance Code later this year.
"If you're good at risk, then why hide the fact?" said Airmic technical director Paul Hopkin FIRM. "The impression is that many firms with strong stories to tell see risk reporting as little more than a compliance exercise. Yet the exercise can underpin confidence in the company." Seamus Gillen, director of policy at ICSA, said that stakeholders and shareholders need to clearly see how risk management relates to strategy and opportunity. "We need to see a more compelling, linked-up narrative," he said.
The review of 24 companies from the FTSE 100 and FTSE 250 found that firms in the leisure industry have a higher standard of risk reporting, while reports emanating from the food and drink sector were said to be uninformative. Reporting from chemical and pharmaceuticals companies, along with mining and energy firms, was found to be not generally of a high standard.
The good news is that banks seem to be erring on the side of caution
Simon Samuels, the bank analyst who led the study, said: The good news is that banks seem to be erring on the side of caution. The bad news is that the forecasting error is quite substantial. The paper says that the research highlights a problem for regulators and investors because default probabilities are critical when working out risk-weighted assets, which in turn are used to calculate the basic measure of bank safety: the core tier one capital ratio.
SLIDING DOORS
IRM CHAIRMAN RICHARD ANDERSON FIRM EXPLAINS HOW RISK MANAGEMENT PROFESSIONALS CAN HELP ORGANISATIONS PREPARE FOR THE FUTURE
As I was stepping on to the train the other day, I had a sense of déjà vu, which is of course a well-trodden path for filmgoers familiar with the movie Sliding Doors.
But putting romantic comedies aside, we all have just one past, whereas we face multiple possible futures, each of which depends on a vast number of imponderables, many of which are beyond our control or even imagination. And that bewildering complexity is exactly what we face in our organisations as well. So, what does that have to do with risk management professionals? It seems to me that one of the really important competencies for risk management professionals is to be among those that help the organisation deal with the multiple complexities of the future.
Of course we must learn from the past, but by learning from the past we do not need to be relentlessly tied to our history. That frees us to explore the options that are open to us. While the media talks about signs of growth in the economy (fingers crossed and touching wood while I write that, like a good risk manager), there is a risk that organisations, many of which have been relentlessly hit by gloom and doom since the onset of the global financial crisis all those years ago, will face this new future with a less-than-confident spring in their step, with the consequence that they might not grasp the new and emerging opportunities.
In the heady days prior to the global financial crisis, risk managers were ignored when they asked doom-laden questions implying that house prices might one day fall rather than continue to increase, or were sacked (as in the case of Paul Moore, a speaker at our Risk Leaders conference in London, UK, in November) for doubting the sustainability of the pace of growth at HBOS. And yet, that is the biggest single contribution risk management can make to society: to ask the questions that make us reflect on the benefits (or otherwise) of running with the crowd. I have described this elsewhere as being the disruptive intelligence that pierces perfect-place arrogance. I think that makes a good motto for the profession, and it dovetails neatly into the exhortation from René Carayol at our recent IRM Forum that we, as risk management professionals, should be focused on delivering leadership. That gives us an important role in all organisations; we should be influencing at boardroom level, as well as in the engine room.
Walking tall
Some people tell me that I am talking too much about the boardroom and not enough about our day job. That is because I think we have already proved, without a doubt, that we are technical masters of the day job. Very few people say to me that their risk managers are not up to their job from a technical viewpoint, but I still get negative comments about our ability to influence the leadership of our organisations. And yet, when you talk strategy with your board and you can influence the debate, then the whole remit of the profession is enhanced. Our aim at IRM is to help people walk tall in their organisations. We are proud to be in risk management, and we are proud to be the organisation that provides the underpinnings for the profession: training, competence and ongoing leadership. That is why we are focused on the boardroom debate, focused on ensuring that our profession has global recognition and focused on providing the best training available. This is your profession. Please come along and support us. We welcome your help in a multitude of ways, and we always value your opinions.
ANALYSIS CULTURE
"The first sign that all may not be as it seems is an inconsistent approach to risk"
Are we complicit?
Which begs the question: why employ a risk manager? The simple answer is that, in 2013, in a medium-to-large size company, the board expects the organisation to have one. Ratings agencies expect to see robust enterprise risk management (ERM) practices, so companies create risk positions that nominally exist but whose work is conspicuous by its absence. The risk manager is not there to reduce risk or uncertainty, or to effect a change in the risk-taking culture. They are there because management cannot fake it without them. As one of my risk professional peers revealed, there was no desire to identify risk within their organisation, just a superficial attempt to pretend it was being addressed. The CEO would remove a number of their entries from the monthly board report prior to publication. When the risk manager challenged the CEO, they were told off for reporting too many risks. And the CEO, citing their 20 years of experience, said they did not want to see any risks you would expect any normal company to face because, as an experienced leader, they had already foreseen these risks. The risks deemed irrelevant involved the lead-up to the Olympics, an untested business continuity management IT plan, European uncertainty impacting on supply chain exposure, and the traditional loss of key staff and lack of any succession planning. All of these were removed or altered to read as a positive for the organisation. It would appear that the lessons from HBOS and the sacking of Paul Moore, the head of group regulatory risk removed for raising concerns about excessive risk-taking [and a speaker at IRM's Risk Leaders Conference in London, UK, on 4 November], have not been learned. But what is more worrying is that this organisation is not alone in its actions.
So how can you spot a fake? Unlike a watch, or a pair of suspicious-looking Karen Klein sunglasses, this is probably harder to identify. The first sign that all may not be as it seems is an inconsistent approach to risk. Does the organisation use numerous styles or outdated formats for risk reporting? Is there poor risk communication between the different functions? Poor reporting and ineffective communication is often a deliberate method to prevent the risk manager from getting a true picture of the risks. When management does not see the value in an efficient reporting system, we need to be asking what the motivation is behind that view. As a risk professional, you should know if the manner in which your organisation reports risks is outdated and stagnant. If you are trying to drive risk reporting forward and hitting a wall, it probably means there is no desire to streamline the risk process, for fear of uncovering the family secrets.
Fear culture
A culture of fear, characterised by the boardroom belief that the threat to the organisation is not the risk itself but the market perception of the risk exposure, is haunting our businesses. Some say this is down to the egos at the top, but there appears to be a belief that if an organisation becomes too honest about its risk exposure, it is an admission of guilt, an acceptance of failure or an acknowledgement that there is doubt in its business strategy. Look at the local high street. Where have Borders, Comet, JJB Sports, Jessops and Woolworths gone? There is a universal belief among the public that all the big-name companies have failed due to the global economic recession, but this is an excuse. These failures were many years in the making. Borders' closure was the result of rapid changes in the marketplace coupled with their unwillingness and/or inability to react in time to them. If your industry is selling books and CDs, you do not have to look far back to see that people and cars no longer use cassettes, and that CDs were already on the way out by 2005. The rapid rise in popularity of e-readers, MP3s and iPods makes you wonder what the risk manager was doing. Agreed, it is not the risk manager's place to be designing new technology, but it is the risk manager's role to ensure that the impact of game-changing products coming onto the market is on the radar. Prior to the recession, when times were good, Comet, JJB and Woolworths experienced financial difficulties; all were slow to react to changes in the business environment and adapt their business model accordingly. The internet did not kill these big names. Neither did the competition, or even new products. It was the failure of the senior management team to acknowledge the risks to the organisation's strategy. Failure is still unmentionable in some high-level meetings, so much so that if the risk manager does raise the possibility, they are seen to be challenging the competence and the leadership of management. Risk professionals are effectively being ostracised. We talk of the risk culture and a bottom-up, top-down or universal approach, but what does that all mean if, behind the meeting room doors, your organisation only centres on the positive aspects of its strategy?
Has the time come to enhance the focus from embedding a risk culture to changing the corporate risk environment from one of concealment to one of honesty? Senior managers must understand that effective risk management can only come by acknowledging risk and embracing an honest approach, including highlighting any uncertainty that threatens the achievement of the corporate objectives. When the risk manager or risk function challenge the assumptions that are the foundations of management decisions, they are not stifling opportunity. They are actually increasing the likelihood of success. Only by identifying, understanding and recognising the potential for failure can failure itself be avoided. Having reviewed a number of corporate failures and big losses recently, the main questions we all have to ask ourselves are: is there a risk management facade festering within your business? Is your firm a faker?
Richard Mackie FIRM is manager, risk advisory, RSM Tenon. richard.mackie@rsmtenon.com
On 16 April, the European Parliament overruled UK opposition and adopted new legislation under the Capital Requirements Directive IV (CRD IV), which puts a cap on bankers' bonuses. It is expected to be effective from 1 January 2014. The rules seek to limit bonuses to the amount of the individual's salary (the so-called 1:1 ratio) although, with shareholder approval, the ratio could rise to 2:1. The rules will apply to EU banks, including their overseas subsidiaries, as well as foreign units operating in the EU, and will affect material risk-takers such as senior management and major traders. Banks have some discretion over which employees are considered material risk-takers, although the European Banking Authority's latest proposal seeks to expand the category to include those earning more than 500,000. The legislation aims to improve stability in the global financial sector by limiting the incentive for senior management/traders to take short-term risks, which might benefit them personally but which are imprudent in the long term. It also responds to public outrage at banker remuneration following the 2008 credit crisis. Continuing negative publicity has fuelled public hostility: in Europe, the sovereign debt crisis has seen five EU member states bailed out, while UK examples include the part-nationalisation of HBOS, Lloyds TSB and the Royal Bank of Scotland, the latter sparking a furore over the severance package of chief executive Fred Goodwin. Additionally, the multi-billion dollar rogue-trading scandals of Jérôme Kerviel at Société Générale and UBS's Kweku Adoboli have intensified the perception of banking greed.
Disincentive
These examples suggest an unstable banking sector, exacerbated by a combination of recklessness and an emphasis on short-term gain. The EU considers that the common denominator is remuneration of key executives, with personal financial incentive closely correlated to risk appetite. The EU hopes that the bonus cap will de-incentivise high-risk short-term transactions, create greater transparency and accountability, and enable banks to safeguard deposits and investors' returns. However, there is considerable speculation that the bonus cap is, at best, a blunt tool and, at worst, will have a significant detrimental effect on the sector.
Legally, there is concern that the rules may violate international trade agreements, since they extend to EU subsidiaries operating outside the EU. Furthermore, the legislation arguably goes beyond the powers vested in the EU. Article 153(5) of the Lisbon Treaty 2007 provides that any attempts made by the European Parliament and Council to modify social policy shall not apply to pay. The counter-argument is that the legislation does not seek to limit total pay, just the proportions of fixed to variable pay, and addresses systemic risk, not social policy.
Strategies
In order to retain top talent, banks will probably come up with various strategies to moderate the impact of the rules. The most obvious method will be to increase basic salaries (fixed pay). Other possibilities include restructuring packages to offer individuals greater shareholdings; withholding salary over the course of the year and allocating it according to performance; or introducing allowances such as grants. While some of these strategies may be treated as bonuses, there is likely to be a grey area that could be creatively exploited. There is a risk that these measures will drive banking talent out of the EU, damaging its financial sector and resulting in senior banking positions being occupied by less-qualified people. This outcome is contradictory to the aim of the rules and will affect the UK significantly, given the size of the City of London financial sector. In particular, there is speculation that international banks may move Europe, Middle East and Africa business from London to the Gulf, which would be damaging to the UK and EU, possibly prolonging the European sovereign debt crisis and regional financial instability. The ultimate impact of these rules will become clearer in time. However, if the bonus cap fails to deliver the expected reform, perhaps banks should consider incentivising those in compliance roles in the same way as front office staff. This would encourage closer monitoring of risk, resulting in greater clarity and accountability, and also provide a degree of reassurance. While profits may be hit in the short term, overall, such an initiative might help to stabilise the banking sector and renew public trust in EU banks, thereby generating growth.
LESSONS LEARNED?
ORGANISATIONS MUST QUESTION THEIR CULTURES AND LEARN FROM RISK EVENTS TO REDUCE THEIR OPERATIONAL RISK LOSSES, AN EXCLUSIVE STUDY FROM THE OPERATIONAL RISK CONSORTIUM (ORIC) HAS CLAIMED
A recent report into the UK Mid-Staffordshire National Health Service (NHS) Trust found that some 1,200 unnecessary patient deaths at hospitals in the area over a number of years were caused, to some degree, by a prioritisation of financial performance over patient safety imposed by top management, and by a blame-laden culture where people at all levels were frightened to speak out.
Contrast this with the North Sea approach, where all oil and gas companies openly share details of all safety and environmental risk events, including near-misses, in order to understand whether they could be exposed and to ensure that they are prepared for any events of a similar nature. These are just two examples from a new study published by the Operational Risk Consortium (ORIC), Creating value from risk events: leading practices in operational risk event reporting, analysis and investigation, learning and management, which calls for firms to question their risk cultures and learn lessons from risk events in order to survive and thrive in the modern world and to avoid situations such as that at UK Mid-Staffordshire NHS Trust. Alex Hindson FIRM, chairman of ORIC and a director of IRM, says the study fulfils ORIC's objectives to set leading practice for operational risk and inspires firms to improve their risk event capture, reporting and analysis.
Characteristics
According to ORIC, organisations can actively reduce operational risk losses by placing a strong focus on risk event reporting, analysis and learning. Firms that get this right typically exhibit the following characteristics/actions: an open culture where people use risk events as an opportunity to improve; analysis of risk events to understand the root causes and establish whether other areas of the organisation could be exposed; and continuous improvement of control frameworks, using learning from internal and external risk events. After identifying best practice approaches, ORIC created
Education
The study states: "Critically, these leaders avoid blaming those who report, or those who have made genuine mistakes, and place a high value on the opportunity to learn from risk events to drive value for their organisation." By focusing on risk event reporting, including near-miss
Maturity model from the ORIC study (as far as it can be recovered from the page; level names survive only for the first two columns, so the third and fourth columns are listed without names):
Reporting
Reactive: Only significant risk events are reported; lack of leadership involvement; inconsistent reporting processes; fear of blame/reprimand impedes reporting; people are unsure what to report and why; reporting delegated to the second line; near-misses not reported.
Compliant: Coherent process for people to report events; most events reported; key people are risk aware; key people understand how to report a risk event; little focus on near-miss reporting.
Higher levels (only one cell survives): Open environment for reporting.
Analysis and investigation
Reactive: Focus on addressing recovery from loss events; leadership seek to identify responsibility and blame; root cause analysis (RCA) not conducted.
Compliant: RCA conducted for priority events; focus on controls, processes and systems, not behaviours; ad hoc and inconsistent approach to RCA, few standard tools; little trained investigative capability.
Action management
Reactive: Actions for most loss events are not monitored or followed up; follow-up for major events is on an ad hoc basis.
Compliant: Actions often derived so that they can be delivered rather than make a difference; actions are managed, monitored and closed; approach and tools for action management are not consistent across the company.
Third column: Actions derived to make a difference; actions are prioritised, based on resources available and risk appetite; actions clearly tracked and only closed on evidence; top leadership review actions for major events.
Fourth column: Action management process integrated into company-wide continuous improvement approach; actions may involve replacing existing controls that are not cost-effective, not just adding controls.
Learning
Reactive: No systematic approach in place to learn from internal or external risk events; learnings tend to be ad hoc and rely often on informal networks.
Compliant: Changes to policies and procedures occur in response to significant internal risk events; learnings not always shared across all relevant parts of the company; review of major external risk events is not systematic.
Third column: Processes in place to prioritise and share learnings across the company from internal risk events; learnings are derived from external risk events; appropriate ORIC data shared with first line; multiple channels used to engage staff in learnings; the third line review learning effectiveness.
Fourth column: Learnings from loss events and near-misses used to deliver year-on-year reductions in risk exposure; rigorous approach optimises behaviours and controls based on learning from internal and external events; proactive sharing and learning across the industry to reduce sector-wide operational and reputational risks.
The risks associated with space travel in general, and the exploration of Mars in particular, are many and varied
through the Russian town of Chelyabinsk, sending glass and debris ying and injuring 1,500 people, many of who were staring through windows at the expanding smoke plume in the sky. For many, the events of January 2013 were a surprising wake-up call to the power of nature. But for others, this demonstration of the destructive impact of space-based objects was just another
reminder of the perilous hold that the human species has on its continued existence.
Sudden impact
Sixty-ve million years ago, a larger reball swept in across the Atlantic. The prehistoric witnesses to this meteor were instantaneously incinerated and many thousands of species, in the days and weeks that followed the impact, succumbed to extinction on a global scale. Such is the devastating effect that a meteor or comet impact would have on our fragile world. Yet it is not the only life-threatening risk that exists. Mega-volcanoes, such as the one found in Yellowstone Park in Wyoming, USA; coronal mass ejections from the sun; reversal of the Earths
magnetic poles; pandemic super-u; runaway nanotechnology (the so-called grey goo); climate change leading to methane release from the sea bed or suspension of the gulf stream; and any other number of global catastrophes all could destroy our species at any moment.
One-way ticket
However, for the rst time in the history of our planet, a species possesses the sophistication and technology to withstand such a global catastrophe. In recent decades, mankind has walked on the Moon, sent the Voyager probes beyond the furthest reaches of our solar system, and have begun to explore the Martian surface with robots. We are capable of placing people on Mars.
It is no longer a question of technology. However, it has not yet happened due to funding constraints, limited political will and, above all, a deep-seated expectation by the public and politicians alike that it should be a two-way journey. On 22 April 2013, a private Dutch company called Mars One opened the rst round of applications for prospective Martian colonists. Within two weeks, almost 80,000 people had indicated that they were interested in the one-way mission to the red planet. Many detractors identied the death sentence these individuals had signed up for. The risks associated with space travel in general, and the exploration of Mars in particular, are many and varied.
Extreme pressure

First, there are the problems associated with leaving the Earth. As spectacularly demonstrated by the Space Shuttle Challenger in 1986, the act of getting into orbit is not without risk. Once in space, the transit to Mars requires the spacecraft to leave the protection of the Earth's magnetic shell. Without this defence, intense radiation from the Sun and other cosmic sources will begin to damage human DNA. The seven-month trip to Mars exposes the astronauts to microgravity, which accelerates muscle wastage and is believed to increase the risk of osteoporosis. Micrometeorites, with the kinetic energy of bullets, threaten to puncture the hull of the spacecraft at any moment. With restricted rations and limited facilities for hygiene, the body's defences will also be placed under extreme pressure. Provided that guidance and propulsion have worked correctly, once in orbit around Mars the next challenge will be the descent. Over the years, NASA has used several methods to get probes onto the surface, including parachutes, airbags and sky cranes. Some have succeeded, while many others have failed. The lack of a dense atmosphere, and potentially high cross-winds, make Mars a formidable target to touch down on.

Life on Mars

Mars does not possess a strong magnetosphere, so cosmic and solar radiation will continue to affect the explorers whenever they are not under cover. To limit further exposure, the colonists will need to bury their habitats under two metres of Martian soil. The famous red dust that covers the planet has been analysed by Mars rovers such as Curiosity. The results indicate that it contains high levels of minerals that are harmful to human health. Not least of these are perchlorates, which are known to affect the thyroid gland, and gypsum, which affects the lungs in a similar way to the dust that causes lung disease in coal miners. The Mars One mission is expected to land at latitudes nearer one of the poles. This area is known to possess sub-surface water. The extraction of this water will be a priority for the explorers if a self-sustaining colony is to be established.

However, it is not known what contaminants this water may contain. All food necessary for the first two years will need to be transported to the planet with the travellers. While it is anticipated that they will begin to grow their own food, this will take months to bring to harvest. The effects of Martian gravity, only 38 per cent that of the Earth, may have an unpredictable impact on both the yield and the nutritional value of the crops grown. It is possible that sustaining a balanced diet may be difficult. Accidents, the effects of cosmic radiation, environmental disease and other bodily threats will all need to be self-treated. There will be no palliative care as the colonists age, and the safe disposal of corpses will need to be addressed.

Mars or mankind?

With this array of known hazards, and the many yet to be discovered, why is it that so many people are willing to put their lives at such peril? Not all of them are uninformed glory seekers. Many are well-read scientists, technologists and professionals from all walks of life. For one thing, there is the personal challenge of leaving the Earth. For many people, growing up during

Detractors identified the death sentence these individuals had signed up for

Basic instinct

However, the appeal of applying for the one-way trip may be deeper than this. The instinct for genetic survival drove our ancestral explorers to leave the broad savannah of Africa in search of new land, and this instinct may well be acting again. If mankind is to survive, then the colonisation of the solar system is the only action that can assure the continuation of our species, and Mars is the first logical step. Going to Mars may be fraught with individual danger, but the threat to mankind of not going is a risk the species cannot ignore.

Mark Turner CIRM is head of internal audit UK at Selex ES. View his Mars One application video at http://tinyurl.com/mfav8es
MODERN RISK PROFESSIONALS MUST UNDERSTAND OTHER DEFINITIONS OF RISK INSTEAD OF FOCUSING ON THEIR OWN INTERPRETATION, INSISTS DR MIKE LAUDER

Risk is too ambiguous a term to be used on its own and must be simplified. When conducting research at Cranfield University between 2008 and 2011, I concluded that there was no point in defining risk as I saw it. I needed to see risk from the other perspective. I collated 43 different risk definitions from academic and practitioner literature, aiming to identify whether definitions of risk fall into one sector or are spread across the spectrum.

Simple definitions

I plotted the simple definitions, separating risk into the definitions in the box below.

Simple definitions placed on a basic systems model (figure labels only):
Inputs: risk as an event; risk as an uncertainty
Transformation process: risk as a form of rationality; risk as uncertainty
Outputs: risk as failure; risk as an implication; risk as an effect
Controls: risk as volatility; risk as exposure

Sources of the simple definitions:
An uncertainty: Frank Knight (1921), cited by Damodaran (2008:5)
An event: Aven and Renn (2009:1)
Form of rationality: Lupton (1999:138)
Questionable assumption: Baxter (1996)
Uncertainty: Holton (2004:20)
Failure: Malik (2008:88)
An implication: Chapman and Ward (1997:7)
An effect: Hillson and Simon (2007:224)
Exposure: Holton (2004:22)
Volatility: Hubbard (2009:84)

From here, usage of the word places risk in one of four categories:
• Inputs
• Transformation process
• Outputs
• Controls

Inputs are where risk is defined as an event or a cause of an effect. A questionable assumption is perceived as borderline input/transformation process, while risk as uncertainty (seen as an uncertainty or a probability within the transformation process) and risk as a form of rationality fall clearly within the transformation process category. Those perceived as falling in the output category were risk as an effect, an implication and failure. Finally, risk as exposure and volatility were deemed to fit into the control box. Risk as exposure was interpreted as the level of risk, or the amount of risk, to which the organisation is being, or will be, exposed; this was seen as a control total and, therefore, placed within the control area. Risk as exposure has been interpreted as being consistent with the many other terms (such as risk appetite, risk tolerance and risk profile) that have been used to express the amount of risk that is expected or acceptable; these are all seen as a control total. Risks can be seen to be present in any, and every, part of the system. The exact placing of each concept is not considered to be as important as the fact that definitions fall within all four areas of the system boxes. Risk, then, should have its temporal dimension acknowledged and not be seen as a single concept.

Complex definitions

The next step in the analysis of risk is to examine a series of complex risk definitions (that is, those articulated as risk = A (x) B). The selection in Table 1 (below) demonstrates further complexity. These articulations of risk combine aspects from all four system boxes. However, they predominantly concentrate on the output box (impact, consequence or magnitude) and the control box (probability, frequency, magnitude or severity). These, therefore, need further analysis.

Table 1: Examples of complex risk definitions
• Risk = probability x magnitude (Slovic, 2000:232)
• Risk = probability (of occurrence of loss) x magnitude (of possible loss) (Malik, 2008:48)
• Risk = probability x impact (APRA, 2008)
• Risk = probability x s (damage scale) (Stankiewicz, 2009:112)
• Risk = threat + vulnerability (Kovacich and Halibozek, 2003:26)
• Risk = threat x vulnerability x consequence (Cox, 2008:1749)
• Risk = probability x consequence (Van Well-Stam et al., 2004:45; Damodaran, 2007:6)
• Risk = expected consequences + uncertainties (Aven, 2007:433)
• Risk = exposure + uncertainty (which you care about) (Holton, 2004:22)
• Risk is the possibility and quantum of loss (March and Shapira (1987), cited by Coleman, 2006:255)
• Risk is the probability of a material hazard circumstance occurring (Tullock, in Lupton, 1999:36)

Such definitions of risk often suggest limits or control totals. This reinforces the place for a control box within the proposed framework. These scales articulate potential limits of what might be expected to happen, or what might be deemed to be acceptable should it happen. All these scales are features of management control. They, therefore, fit into the control box within the framework. They are encompassed in the term risk exposure. This leaves only the construct of the outputs requiring further examination. The term output covers a more complicated construct. I identified five, and define these terms as:
• Results: the result is the initial outcome of the mechanism at play on an entity in creating the negative outcome. For example, if the mechanism is the continual flexing of a structure due to natural phenomena, such as wind, the result may be that the structure becomes stressed
• Effect: the effect is the end product of the result on the entity causing the negative outcome. Building on the stress example, the effect of stress may be structural failure
• Consequence: a consequence is the automatic (cascade) effect that will occur as the end product. Continuing the example, the consequence of part of the structure failing may be the total collapse of the structure
• Subsequence: subsequence is defined as

Second dimension

The process involved taking each use of the term risk and evaluating it for its context and concern. The result of the analysis was that five categories emerged. These I labelled:
[1] Non-delivery: non-delivery covers what might be known as mission failure. This is where an organisation or group fails to deliver all or part of what was intended
[2] Barrier to delivery: this category encompasses anything that may prevent the organisation from delivering its intended output
[3] The unknown: this category covers both what is unknown and what is uncertain
[4] The unintended: the category of unintended includes the problems raised by the interactive complexity within any organisation, where the consequences of an action may be different from those intended
[5] The unexpected: the final category embraces external influences on the organisation that had not been foreseen or for which mitigation had not been planned

Basic framework

Using a basic systems structure, the seven categories of risk may now be seen as: input risks (R1); transformation risks (R2); results (R3); effects (R4); consequences (R5); subsequence (R6); and, as an expression of what is acceptable, exposure (R7). This provides the structure in Figure 1 (below). Connecting the dimensions of risk are both pathways towards positive outcomes, represented by the dotted line, and pathways towards negative outcomes, represented by the solid line. There is coupling between the two.

Figure 1: Basic framework (figure labels only): Input risk (R1); Transformation (R2); Result (R3)/Effect (R4); Consequence (R5); Exposure (R7); Objective (social good); Impact; Coupling

The final step is to combine the two dimensions. The result is Table 2, which can be seen to produce 35 problem spaces embraced by the term risk.

Table 2: Risk definition matrix (the seven system dimensions form the columns, the five categories of concern form the rows, and each of the 35 cells is one problem space)
Columns: Input (R1) | Transformation (R2) | Results (R3) | Effect (R4) | Consequence (R5) | Subsequence (R6) | Exposure (R7)
Rows: Non-delivery | Barrier to delivery | The unknown | The unintended | The unexpected

Conclusion

Risk is a word that is used in many ways. Individuals define the term to suit their own needs; communities or specialisms define the word for their own purpose. But senior managers do not have this luxury. They are required to understand the word risk the way the user intends it to be understood. To do this, they must first appreciate that it can be used in more than one way. I have looked to provide a method through which the word can be analysed and its meanings categorised. The grid that I have produced gives 35 ways in which the term may be being used. I would suggest that any non-specialist who hears someone using the term risk should consider using the grid to improve understanding between the various disciplines required to manage any complex organisation.
WITH ITS ECONOMY EXPERIENCING GLOBAL INVESTMENT AND GROWTH, LYNN STRONGIN DODDS EXPLORES HOW RISK MANAGEMENT CULTURE IS BECOMING INCREASINGLY IMPORTANT IN MALAYSIA

Although risk management practices are well embedded in publicly listed companies in Malaysia, progress is slow for those outside the stock exchange realm. The government and trade organisations, such as the Malaysian Association of Risk and Insurance Management (MARIM), the Malaysian Institute of Corporate Governance and the Institute of Internal Auditors (IIA), are leading the charge, but it will take time for the word to spread across the industrial spectrum. According to the findings of a 2011 report by Ernst & Young and the Institute of Internal Auditors, increasing importance was being placed on identifying, understanding and managing risks, but more work was needed. For example, while many organisations surveyed believed they had a formal and relatively mature governance, risk and compliance (GRC) framework in place, the majority needed to improve the interconnectivity between risk management, business strategies and key performance indicators. Organisations also needed to better align and coordinate their activities to ensure the best possible risk coverage.

Moving ahead

Fast-forward to today, and advancements have been patchy. In its latest global report, Business Pulse: exploring the dual perspectives of the top 10 risks and opportunities in 2013, Philip Rao, partner, Ernst & Young Malaysia and ASEAN risk leader, noted: "As companies in developed markets continue to perform at low levels amid recession and sovereign debt problems, the world is now looking to new markets for expansion opportunities. Countries in rapid growth markets, including Malaysia, are now becoming the focus for investments and growth, as many global organisations rethink their business strategies. While this is encouraging for Malaysia's economy, Malaysian companies must be alert to these developments and consider the risks and opportunities affecting their own businesses in an increasingly competitive market."

It is not surprising, perhaps, that those companies listed on, or looking to join, Bursa Malaysia are the farthest ahead on the risk management curve. They are required to adhere to the Malaysian Code on Corporate Governance, which was updated last year. It incorporates not only part of the 2007 Code, but also recommendations from the Securities Commission Malaysia's five-year Corporate Governance Blueprint (Blueprint), which was launched in July 2011 to raise the corporate governance bar in the country. Under the new Code, the profile of the board of directors has been raised, with a greater emphasis on establishing clear roles and responsibilities. Other recommendations include strengthening the board's composition and reinforcing its independence. In addition, companies are advised to foster commitment, ensure integrity in financial reporting and disclose information in a timely manner. Equally important is establishing a sound structure to determine, manage and monitor a company's risks.

Strengthening

Separately, the IIA, the national body for the internal audit profession, published a new version of its Statement on Risk Management and Internal Control: Guidelines for Directors of Listed Issuers, after a year-long consultation with directors of public listed companies (PLCs), to better reflect the current regulatory landscape and corporate governance. The aim is not only to enhance disclosures on risk management and internal controls in annual reports, but also to ensure directors conform to the listing requirements. They are also encouraged to strengthen the obligations of management, as well as the board, on risk management and internal controls, including implementation and monitoring. According to Datin Josephine Low, president of IIA Malaysia and chief audit executive of the group internal audit department of Tan Chong Motor Holdings Berhad, one of the largest automotive organisations in Malaysia, the new guidelines incorporate the various amendments in the Malaysian Code on Corporate Governance and Bursa's listing requirements. She noted that even though the key principles underlying the original guidance "are timeless, the rapid changes we have seen in today's business and operating environments have spurred us to undertake this vital revision to enable organisations to be more efficient in developing and maintaining a more robust and effective system of internal controls and risk management, which can enhance their long-term success."

Low added: "The revised guidelines have put in place the timely need for significant evaluation of the effectiveness of the risk assessment processes that not only include the traditional internal controls over financial reporting, but also ascertain that controls over risk management systems are being firmly put in place." For example, the CEO and chief financial officer are now required to tell the board whether the company's risk management and internal control systems are operating adequately and effectively, while the board is responsible for establishing a sound framework to manage risk. It is not merely about preparing a statement on internal controls and risk management, but also about enhancing investor confidence by providing comprehensive information about risk management practices, according to Low.

Banking

The other sector that is ahead of the pack is banking, although not all banks are listed on the stock exchange. Lessons had already been learnt from the 1997-98 Asian financial crisis and, as a result, they are in much better shape than their Western counterparts. "Overall, the risk management culture in the banking sector is very strong, although there is always room for improvement," says Jeroen Thijs, chief risk officer at Bank Islam Malaysia Berhad. "The main trend we are seeing at the moment is compliance with Basel III. Unlike in the West, the regulator, the Central Bank of Malaysia, seems, at this stage, keen to implement it fully and not have it watered down. As for risks, there is concern over the increasing debt levels of the ordinary consumer, and the move towards regionalisation is introducing different geographical risk elements. Asia may be seen as homogenous, but the culture and products that people want differ."

The push for regionalisation is being spearheaded by Bank Negara Malaysia (BNM) as part of its ten-year Financial Sector Blueprint 2011-2020. The aim is to encourage greater regional and international participation of Malaysian financial institutions. This includes facilitating cross-border financial transactions, financial integration, regional trade and investment, as well as the internationalisation of Islamic finance. However, BNM hopes it will be a two-way street, with foreign banks playing a bigger role in the country's financial services landscape. The door has been slowly opening since 2009, with several areas being liberalised, namely investment banking, the insurance and takaful (a type of Islamic insurance) sectors, and Islamic finance. Foreign investment in Malaysian commercial banks, however, remains restricted.

Adoption

Mohamad Mohamad Zain, vice president, group business assurance, Telekom Malaysia, and chairman of the Malaysian Association of Risk and Insurance Management (MARIM), concurs that the main challenge is to ensure that organisations across the industry spectrum adopt robust risk management practices. "Most major projects initiated by the public sector lack risk management and have ended up wasting taxpayers' money, due to the escalation of a project's cost or extension of the deadline. This is because the risk management culture is still low, except for PLCs, because they have to comply with the Malaysian Code on Corporate Governance 2000, which is monitored and updated by the Bursa Malaysia and Securities Commission of Malaysia."

One of the main problems is finding certified risk management personnel. "Most risk managers in Malaysia start off their risk management careers in the insurance industry," says Zain. "They may then end up as a risk manager in a PLC that requires immediate personnel to run their risk management programme in compliance with the Malaysian Code on Corporate Governance." There are moves, though, to rectify the situation. MARIM is trying to encourage the private sector to emulate its publicly listed brethren by providing platforms and forums for risk managers, to enable the exchange of ideas on how to implement and improve within their respective organisations. It is also spearheading the campaign to have ISO 31000, which provides guidelines, principles, a framework and a process for managing risk, adopted and converted to MS ISO 31000 (MS = Malaysian Standard). Using ISO 31000 can help organisations achieve objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment, according to Zain.
IRM CERTIFICATION

KEEPING IT SIMPLE

AS THE DEBATE OVER CERTIFICATION RUMBLES ON, IRM CHIEF EXECUTIVE STEVE FOWLER FIRM CALLS FOR AN UNCOMPLICATED DISCUSSION

The issue of accreditation might seem terribly complex, but it is actually rather simple. Much work has already been done by many organisations around the world. The Risk Management Institution of Australasia (RMIA), for instance, has already carried out a tremendous amount of work on a professionalism system for risk management. The Federation of European Risk Management Associations (FERMA) is also carrying out some work, as are, jointly, the Association of Insurance and Risk Managers in Industry and Commerce (Airmic) and The Chartered Insurance Institute (CII). But we need to look beyond insurance, and at what is being done elsewhere. I speak at conferences covering other areas of risk management, where exactly the same debates over certification are happening. Be it audit and compliance, occupational health and safety, or any of the various others, you hear the same refrain about the professionalisation of risk management, because each world sees risk management as belonging to it.

The foundation

The above brings a number of points home. First off, if we are going to build something, and I would suggest that we have to build a certification system, it has to be global and it has to be enterprise risk management (ERM) focused. I know people argue about the detail of ISO 31000, but we stand every chance of looking stupid if we fail to build everything we do around that international standard. If we look at other professions, such as accountancy, law, medicine and engineering, they all have global systems of certification, where a certain small number of things are held in common. Clearly, there is individualism within each of the specialities in these professions. These professions have shown the way. In the US, the American National Standards Institute (ANSI) says that there are four elements belonging to a profession, and all professions operating within the States work to this principle. These are: experience; qualifications; continued professional development; and a code of conduct/ethics. You cannot have a certification scheme that does not take experience into account. Qualifications are equally important. I would refuse brain surgery from someone qualified as a lawyer, no matter how many operations they had previously performed. But, when it comes to risk management, this is effectively what we do. Continuing professional development, the extension of experience into the future, is crucial. And it goes without saying that a code of conduct or a code of ethics is absolutely critical to any profession.

Non-negotiable

These four elements are non-negotiable. Our certification framework will not stand up without them. It will look ridiculous, particularly when our boardroom colleagues comply with these four factors. But we also need to consider whether we should induct grey-hairs and no-hairs into our certification system. We might want to consider a way into that certification scheme that does not require taking a whole new set of qualifications. So how do we go about doing all of this? It is simple. We must define a common framework at a high level. At IRM, we have spent around nine months looking at all the major risk management certification frameworks. There are around 60 to 70 that we managed to find. We then carried out a meta-level analysis of the common factors among them. We asked: what are the common core competencies between, for example, project risk management, insurable risk, market and credit risk, and so on? This has given us a base from which to develop a certification framework. And within the coming months, we will build on this and bring you the latest developments on certification.

Fowler's comments were adapted from a speech at Global Risk Frontiers, London, UK, a Commercial Risk Europe event.
EURO VISION

IRM BOARD DIRECTOR DR MARIE GEMMA DEQUAE DISCUSSES THE INSTITUTE'S WORK WITH CONTINENTAL EUROPE

In moving beyond its UK home and becoming a truly international organisation, IRM's natural market has primarily been where English is the business language. English is increasingly the language of continental Europe, but I am still keen to encourage IRM to continue building a closer relationship with the rest of Europe. I see two principal benefits. First, IRM can help to strengthen the position of enterprise risk management (ERM) in European directives. Second, IRM members need to be aware of how risk management in Europe works, even if they are outside the EU.

Anglo-Saxon origins

As a specific, professional function, risk management has strong Anglo-Saxon origins, but its practice within Europe takes place within a framework of EU-origin regulations. Beyond the member states, European directives are still influential because the EU is the world's largest trading bloc and the second largest economy in the world. At the same time, the business culture in each country in Europe is different, and we know how important culture is in the way a company deals with risk, whatever the rules intend. You have to adapt your approach to the local business culture, as IRM is demonstrating through accreditation of local training bodies that can provide relevant material and local case studies.

Thought leadership

The Federation of European Risk Management Associations (FERMA), of which I served as president for four years and now act as technical advisor, is the principal organisation lobbying the European institutions on risk management issues. Through the development of its thought leadership projects, such as its white papers, IRM can add to the theoretical dimension of the case that risk managers put to the commission on specific proposals. In my experience, members of the commission appreciate an argument that has an academic grounding presented in tandem with the practitioner's knowledge. Consider, for example, the draft directive on corporate social responsibility that will shortly go to the European parliament. It would require that all companies with more than 500 employees disclose information on policies, risks and results on issues such as the environment, social and employee-related aspects, and respect for human rights. But disclosure alone does not mean that the risks are controlled.

Professional development

Second, when it comes to professional education, IRM is in close discussion with FERMA about the proposed European certificate in risk management. It is too early for me to say more than that now, but both organisations believe strongly in the value of a portable, international recognition of enterprise risk management competence. Whatever happens in terms of this certification, there is a strong community of interest between IRM and FERMA in risk management education and the professional development of young risk managers in Europe. We hope to see many of these young risk professionals join us at our biennial risk forum. This year the forum is taking place in Maastricht, in the Netherlands, from 29 September to 2 October. I believe IRM and FERMA can build on each other's strengths to influence the European regulatory framework and develop the knowledge that risk managers need to implement it. For more information on the FERMA Forum 2013, see www.ferma.eu/ferma-forum-2013.

Marie Gemma Dequae is an honorary life member of IRM, a member of its board, and technical director at the Federation of European Risk Management Associations (FERMA)
BREAKING BARRIERS

GHISLAIN GIROUX DUFORT MIRM ASKS HOW RISK PROFESSIONALS CAN HANDLE EMPLOYEE RESISTANCE TO CHANGE

Most risk catastrophes are not due to deficient policies and procedures but rather to wrong-headed behavioural norms: a blind adherence to rules at the expense of sensible risk judgement in the heat of a crisis or, at the other end of the spectrum, a casual and tolerated, if not encouraged, disregard for risk management rules. "The way we do things around here", the risk culture of the organisation, is often more important than the formal risk management framework or system. That is why IRM published two documents on risk culture last autumn: guidance for boards and resources for practitioners. At the core of IRM's risk culture framework lies the individual's predisposition to risk. Personal ethics, group behaviours and organisational culture combine with this core personal attitude to risk, interacting with each other to form the company's risk culture. The guidance recommends that boards should request a diagnostic of their organisational risk culture and ask ten questions along four major aspects: tone at the top; governance; decision-making; and competency.

The second case concerns an entrepreneurial consumer goods manufacturer. Facing revolutionary technological change, the chief financial officer convinced colleagues that it would be appropriate to implement ERM. But the CEO, part of the family that ran the business, was lukewarm about the idea and fearful that it could neutralise the firm's entrepreneurial and autonomous culture. In response to those concerns, ERM was implemented lightly, and at minimal cost, by only one person, providing mostly guidance through a top-down approach. The executive team identified about 50 risks that way, and decided quickly on the top 10. Managers and employees were entrusted with incorporating a few key risk management principles into their own decision-making processes, reporting only their top five risks to the ERM function. It resulted in sound basic plans being implemented by business units with little supervision from the ERM function.

Tuning in

If you are a risk management practitioner or executive, you have to be attuned to the specificities of your organisation and adjust your ERM delivery platform accordingly. Of course, one could rightly argue that you should not dilute ERM principles too much to accommodate the company's culture. But, on the other hand, being pragmatic and able to implement ERM partly or slowly will benefit your organisation much more than failing to do it altogether.

Ghislain Giroux Dufort MIRM is president of Baldwin Risk Strategies, a member of IRM's global education advisory board and a member of the strategic risk council of the Conference Board of Canada
BOOK REVIEWS
BE PREPARED
Enterprise Risk Management: Straight to the Point
An Implementation Guide Function by Function By Al Decker and Donna Galer A useful guide that does what it says on the tin. Enterprise Risk Management (ERM) can be a variety of things to different people, but this 142-page guide sets out useful denitions and, more importantly, helps give wellreasoned justication for implementing ERM. It notes the impact of Standard & Poors inclusion of ERM in its rating criteria, and goes much further in making the case. The strong focus on worked examples and practicalities makes for a comprehensive guide in all but a few areas. There is more here than just a methodology. The focus on strategy, ownership, brand value and prioritisation is appropriately unremitting. A heat map, for example, shows not merely top/greatest risks but rather the results of analysis that reveals those parts of key business strategy and goals thought to be most at risk a more helpful output for senior executives. The worked examples may sometimes focus on smaller enterprises, but there is no reason that these cannot be scaled-up to apply to larger concerns. Also, risks are not just seen in isolation and there are many references (but, frustratingly, no index or glossary) to correlated risks. The authors touch on plans and projections and make the case that risks change, but the book would benet from an additional chapter covering projects and joint ventures. They also seem to treat strategy as a given and give very little attention to the need for ERM outputs to inuence and modify corporate strategy. Similarly, there is less focus than many may like on those risks that any organisation may take, often unwittingly, by not pursuing new markets, products or means of communication that is, the risks of not.... Likely resistance to ERM is not overtly addressed, although a strong benets case is made throughout. 
ERM is shown to be of value to a wide variety of stakeholders, not least CEOs who may rarely see composite, unbiased data covering not just one function but the whole business and its strategy in a competitive and social/environmental context. Chance favors [sic] the prepared... is a favourite phrase adopted throughout the guide and a good mantra for ERM implementers. CHARLES TOOMER FIRM is head of risk management at GoodCorporation.
Adding value
To ensure that risk professionals are an integral part of this future, we need to position ourselves correctly. If we want to be seen as a negative, as the people who always say no, as the people who are a drag on our businesses and do not add any value, then we need to go down the route of aligning risk as a profession with governance and compliance. This is something that is often called for, but whilst I can see some benefits of alignment, I would ask: why these two functions? We could invent another acronym: VRI, value, risk and innovation. There is just as strong a case (in fact, possibly a stronger case) for aligning risk with value management and with innovation in our businesses. Adding value to our organisations is one way that we will be seen as leaders. Tomorrow's leading businesses are going to be the ones that innovate today, those that can create value. If, as risk professionals, we can work alongside those value management people and the product and service innovators, it is going to get us a lot further than looking in the rear-view mirror all the time and asking how we can comply with laws or tick boxes. That is how we can ensure we are ready for Carayol's VUCA times.
Looking ahead
If you look at the world's top 20 brands, half of them have only been around for fewer than 20 years. Half have history on their side, but the others exist not because of their history but because of the things they are doing now and the plans they are putting in place for the future. That is not to say that history is unimportant, but the world has changed from one where we are always looking in the rear-view mirror to one where what really matters is looking ahead and listening to what your customers want to buy, rather than what you want to sell them. There are still businesses out there that fail to see the value in social media.
PARIMA premieres
IRM chief executive Steve Fowler FIRM presented a session on risk management competencies at the launch of the Pan-Asian Risk & Insurance Management Association (PARIMA) on 2 April. Held in Singapore, the event featured sessions on the rise of Asia, social media and cyber risks, and people risks. Fowler spoke about IRM's work in developing an overall view of the many risk competency frameworks around the world, and whether work by IRM, the Federation of European Risk Management Associations (FERMA) and others could work in Asia. Fowler said: "With members in more than 100 countries and a significant and growing presence in Asia, IRM's relationship with PARIMA can help us continue to educate people about the importance of effective risk management across the globe."
Renewals reminder
Members are reminded that their annual subscriptions are due for renewal on 1 July. Renewal invitation letters were issued in early June and the online payment facility is now available. Details of the 2013/2014 subscriptions can be found on IRM's website at www.theirm.org.
Meetings round-up
IRM chief executive Steve Fowler FIRM attended meetings with the Chartered Institute of Internal Auditors (CIIA), the Institution of Occupational Safety and Health (IOSH), and the Association of Risk and Insurance Managers in Commerce (AIRMIC) in June. Fowler met the president and CEO of the CIIA, the president and new chairman of IOSH, and the CEO of AIRMIC. Fowler said: "Meeting with these bodies enabled us to start, or continue, conversations about risk management and IRM's work that will benefit all of us in the future. It has been a busy, but productive, month."
Job share
IRM has issued a call for members to submit their job descriptions to help the institute identify common roles and responsibilities in risk-related jobs. All confidential information will be removed from submissions, with the content used to support and inform those developing their careers in risk management. If you are willing to share your job description, contact bhamini.ladani@theirm.org.
Survey findings from IRM's enterprise risk management in insurance special interest group (ERM in insurance SIG) show that the majority of insurers have four or fewer staff in a group risk function and two or fewer in a local function. Risk professionals, the group found, are principally qualified or have a background in ERM/operational risk, or compliance/internal audit and accounting, and many risk functions have at least one actuary.
Turkey exchange
Sharing knowledge and experiences about implementing enterprise risk management (ERM), IRM's Turkey RG met on 6 May, with a mixture of English and Turkish presentations. The session covered annual report disclosures and corporate investment considerations.
Midlands meet-up
IRM's Midlands (UK) RG met on 9 May to discuss the set-up of the group and the new IRM committee structure, as well as to cover regulation and risk topics, with input from the Solicitors Regulation Authority.
LEARNING EVOLUTION
Dr Lynn Drennan FIRM discusses the shifting educational landscape for the profession
Over the last two decades the risk management profession has witnessed some dramatic changes. Once focused in some circles primarily on insurable risks and with its practice limited to the larger private sector companies, the discipline now crosses industries and sectors, and encompasses much broader aspects of business life, including governance, reputation and issues relating to globalisation. In short, risk management has become an accepted and critical part of mainstream business practice.
Dr Lynn Drennan FIRM is education programme director of IRM
Along the way IRM has changed too and in 27 years has grown from an initial membership enrolment of 79 students to a population of thousands. Our qualifications have been regularly reviewed and revised a number of times since their inception, to ensure that they continue to offer the highest quality in professional risk management education, anywhere in the world. But despite the undoubted success and credibility of our educational offerings, with student numbers increasing year on year, and more students sitting risk qualifications with IRM than across all of Europe's universities combined, we cannot rest on our laurels. Our current review draws on the expertise of our newly-established global education advisory board, a group of experienced risk professionals and academics whose role is to act as a sounding board during the development phase and provide information and advice as necessary. The first question they addressed was: "What are the major skills/competences that you believe need to be included in a professional risk management qualification in order to enable risk practitioners to deal effectively with current and future risks?" This produced extensive and varied responses from our advisory board. Input has also been received from IRM's current module developers and examiners, who will be involved in further refining the proposed new programme.
Core competencies
In recent years, an international standard in risk management (ISO 31000) has been published, along with a variety of documents from organisations in Europe, North America and Asia, outlining the core competencies that an effective manager of risk should possess.
These competence frameworks cover, to a greater or lesser degree, areas of knowledge, skills and behaviours, and are useful resources for both employers and employees. There is, however, no definitive set of core competences and, for this reason, IRM commissioned an analysis of these documents identifying common knowledge and performance statements and mapping them to IRM modules. This information is also being used in the redesign of the international certificate/diploma qualifications, enabling students to develop and demonstrate the achievement of a wide range of competencies, as well as gaining a post-graduate qualification.
Future opportunities
Aside from ensuring that the programme content remains relevant and attractive to new students, the plan also involves securing formal accreditation within the higher education sector, which will give further opportunities for credit to be gained against a number of postgraduate diploma and masters programmes. The aim is to launch the revised programme in the autumn of 2014, with transitional arrangements in place for those students who are already part way through the international diploma. Updates will be provided as the review progresses.
If the police service reflects the community it serves, what conclusion can you draw when the service's monitoring body refuses to issue it with a clean bill of health? This was the situation when Her Majesty's Inspectorate of Constabulary (HMIC), which oversees the UK's police forces, carried out a report into integrity in the police service. HMIC identified a lack of guidance around appropriate relationships between police and the media, a lack of clarity concerning acceptance of gifts and hospitality, and found that few forces had proactive and effective systems in place to identify, monitor and manage these issues. If this is the situation with the defenders of our societies, then what can we determine about the wider world?
So now IRM's Risk Leaders Conference 2013, taking place on 4 November, will ask: how do you ensure that you are doing the right thing? Held at the HI Kensington Forum hotel in London's museum district, the Risk Leaders Conference is designed to meet the needs of chief risk officers (CROs) and those responsible for risk at board level. Following IRM's thought-leadership activities on risk culture and risk appetite, and this year's earlier IRM Forum on reputation and brand, the Risk Leaders Conference will offer the chance to question those who have faced integrity issues head-on and equip yourself with the confidence and skills to instil the right culture in your organisation. Touching on issues such as child safety, banking collapses, institutional corruption and gaining the courage to speak out against evil-doers, the event aims to tackle issues including: board effectiveness; lessons learned from recent disasters and events; and the implications of new codes and regulations.
Unresolved issue
HMIC's report benchmarked the police against public, private and third sector organisations, and determined that few organisations have resolved these issues well for the modern world (in terms of managing controls around integrity issues). Issues of integrity dominate the news agenda, be it the misbehaviour of politicians, the public reaction to bankers and journalists, or the shady activities of government agencies, and influence the way organisations are perceived by the public.
Keynote speakers at the Risk Leaders Conference will tackle issues ranging from zombie banks to rotten orchards, and promise to ask whether the longed-for global economic recovery will end in tears. Author and entrepreneur Margaret Heffernan (more on page 48) pledges to link the corrupted cultures of contemporary businesses to institutions such as the Nazi party and abuse within the Catholic Church, explaining why she believes in "rotten orchards" rather than "rotten apples". The author of Willful blindness, a cautionary tale of why we ignore the obvious at our peril, and a highly-respected TED speaker, Heffernan will define the difference between a cult and a culture. Prof Margaret Woods, co-ordinator of the European Risk Research Forum and a professor of accounting and
FORWARD THINKING
Carolyn Williams MIRM provides her regular round-up of the latest issues, ideas and initiatives from IRM's activities
Carolyn Williams MIRM is head of thought leadership at IRM
Review of Turnbull guidance: at the time of going to press, there was no news from the UK Financial Reporting Council (FRC) about when they might release their draft of a revised and updated version of the 2005 Turnbull guidance on internal control for consultation. The scope of the guidance is likely to be extended to cover risk and internal control, to reflect the focus of the latest version of the UK combined code. IRM will forward details of the consultation to members when it is received.
Risk in the extended enterprise: the subject of risk across the extended enterprise was covered in discussions led by group leader Richard Anderson FIRM at the IRM Forum in Ashford in May. The focus was on subjects like the nature of complexity, channels of communication, how to capture and leverage innovation within complex networks, models for governance and assurance, and vulnerabilities arising from developments like cloud computing and BYOD (bring-your-own-device). The group's next milestone is an open workshop meeting on 21 June to expose some of the ideas and models being developed, with the intention of then releasing a document for a consultation period. Members who would like to be involved are welcome to get in touch.
Cyber risk: IRM's risk in information systems and e-commerce special interest group (RISE SIG) is currently producing guidance for organisations and risk practitioners on dealing with cyber risk issues. The group recently conducted a survey of cyber-awareness among IRM members and received more than 200 responses, which will help to shape the group's work. Some of the subjects that the group has been examining include: tools and models for assessment of cyber exposures; reaction, resilience and incident management; interpretation and understanding of the multiple standards, including ISO 27001; behaviour and the impact of social media; information security and the cloud; insurance options; the "iceberg" impact of a cyber-loss; skills, training and capability; return on investment; reputation and brand impacts; incident management; and mobile device security. Details of the group's meetings can be found on its web page at www.theirm.org/events/RISE.htm.
BS IEC 62198/Ed2 project risk management application guidelines: a group of IRM members with project management experience, led by Ashley Milroy MIRM, prepared a joint response to the consultation on this standard from the British Standards Institute (BSI). They concluded that the proposals did not add sufficient new material not already covered in existing risk and project management standards to justify a separate standard. Further, they thought that a separate standard might be taken as an indication that project risk management practice differs substantially from non-project risk management practice, whereas in reality there are no substantive differences. They argued that industry would be better served by risk skills commonly used in projects, such as quantitative risk analysis, being acknowledged as such within the current BS and ISO risk standards. The group also made a number of detailed suggestions on the text of the standard. The BSI dependability committee, nevertheless, decided to support the proposed standard, although the detailed comments made by the IRM members were favourably received.
UK Engineering Council: during 2013, the Engineering Council is undertaking its periodic five-year review of several key documents, including the UK standard for professional engineering competence (UK-SPEC), and their accreditation of higher education programmes. There is a suggestion that there could be an increased emphasis on risk management in both these documents. A small group of CEng-qualified IRM members have contributed to an initial consultation from the Engineering Council on this subject. IRM will forward details of the more general consultation to members when it is received.
IRM's Forum saw hundreds of leading risk professionals gather to discuss reputation, brand management and survival
Keynote speaker René Carayol issued 10 top tips on leadership to Forum delegates. These were:
1. Learn the four most powerful words: "what do you think?"
2. Improve your relationships; risks do not stand in isolation
3. Define what you stand for
4. Tell stories
5. Communicate, communicate, communicate
6. Be clear about what you are great at
7. Remember that public relations is the truth told well
8. Share your plan and charge the hill
9. Inspire and challenge your people
10. Remember that the world is a stage and that you must perform on it
Risk professionals cannot do their jobs properly unless they understand the importance of brand and reputation, the president of the Market Research Society and former chairman of Interbrand told Forum delegates. Rita Clifton told delegates: "Risk managers cannot truly do their job unless they understand branding." Claiming that good risk management is good brand management and vice versa, and that firms with strong brands would outperform their competitors regardless of the economic climate, Clifton argued that today's best businesses were closely aligning brand with their overall strategy. "The best businesses of today are making their brand strategy the alter ego of business strategy," said Clifton. "From the way you answer the phone to the way you set up your systems, because anyone and anything can be the weakest link [in your business]."
She said: "This [risk and brand management] is all a bit flimmy-flammy, but there is nothing soft about the financial results it can produce." Stressing the importance of clarity, communication and consistency, Clifton called on risk professionals to ensure a strong brand was in place in order to survive cock-ups. "With a strong brand and a big cock-up you can survive. With a weak brand and a cock-up it could be curtains," she warned.
Smashing the land speed record next year can convince people of the benefits of risk-taking and inspire a generation, the man who will attempt to travel at more than 1,000mph has claimed. Richard Noble OBE, in a keynote speech to almost 200 global risk professionals, said that the anticipated success of the BLOODHOUND supersonic car project would demonstrate the importance of risk-taking and inspire millions of children to become engineers. "We've created a country which is totally risk-averse and going nowhere at the moment," said Noble, adding: "This country has lost confidence. People don't think we can do these sorts of things any more." He went on to tell the audience that the City [of London] would never invest in such a high-risk project and that funding had come from a raft of sponsors instead. Noble, who joked that he was a "risk pervert" due to his long association with such ventures, said the UK was suffering from a huge decline in engineers and IT professionals but that projects such as BLOODHOUND had the potential to stimulate the interest of millions of schoolchildren. "They're going to be studying this [project] for years after. It's going to have a huge effect," he said. Steve Fowler, chief executive of IRM, said: "Whether you are looking to break records and seize opportunities
Leaders are all too rare in the risk management profession, delegates at the Forum heard. René Carayol, a leadership guru, who has worked with international statesmen including Bill Clinton and Kofi Annan, told delegates that the risk management profession would become irrelevant unless it started breeding leaders. "Those trained in yesterday's approaches are no longer relevant today," he said, asking the audience: "How relevant are you? Why should anyone be led by you? How are you relevant for 2013? If you want a world of unambiguity, forget it. It [certainty] is not coming back. We can't wait for you." The world, Carayol claimed, had become VUCA: volatile, uncertain, complex and ambiguous. To face this new world, risk professionals must "manage a little less and lead a little more", he said. "Hand on heart, I know everyone in this room is great at management," the leadership expert told delegates, but he called on risk professionals to become great leaders instead in order to put themselves at the hub of their organisations.
Forum feedback
Eighty-three per cent of Forum delegates reported that the overall event was "excellent" or "good", survey results from the event show. One delegate commented that the keynote speakers were "fantastic", and that it was "very easy to network with people", while another rated the theme, subjects covered, keynote speakers and conference chairman, Michael Jackson, as "excellent". Another attendee reported that Forum was "a high quality event with [a] good atmosphere of professional participation and good time for networking", with another praising the "variety of speakers" and "good mix of seminars to attend".
Role calls
Businesswoman and author Margaret Heffernan is a keynote speaker at IRM's Risk Leaders Conference on 4 November in London, UK
What did your book on wilful blindness examine?
My book looks at scandals in the Catholic Church, the rise of Nazi Germany, the refinery accident at BP's Texas City plant, and the poisoning of a town in Montana, US. And if I were updating the book, it would look at things like Libor-rigging, Jimmy Savile or Lance Armstrong. It could look at phone hacking. All of these are events that involved lots and lots of people. Our idea that risk is represented by a maverick individual is unsafe. The biggest disasters we encounter are very rarely secret or hidden. They are right out in the public eye and they require the passive participation of hundreds if not thousands of people. I'm not talking about bad apples.
In Europe, it tends to be more a sense of futility: if I do speak up then nothing will happen, so what is the point? I think some of it is born out of ignorance; some of it is experience. In some cases, it stems from this mythology around whistleblowers: if you speak out you will be crucified. The happy endings do not get much press. I would argue that there is quite a lot in it for them [the whistleblower], but that is not always easy for them to see. When you dare to articulate your concerns, what you will almost invariably find is that everyone else has those concerns too. So, in fact, you're rarely alone. And the fact you dared to speak out makes you a hero. And then you're in a position where things can be fixed and you can move forward.
Appointments
Christopher Heyes SIRM has become an independent consultant on risk, security and emergency management, leaving his position as risk management chief for aviation security operations at Transport Canada. Alex Hindson FIRM, an IRM board director and former chairman, and chair of the enterprise risk management in insurance (Solvency II) special interest group, has been promoted to chief risk officer at Amlin, becoming a member of the management teams of both Amlin Bermuda and Amlin Re Europe. Richard Mackie FIRM has left his position as risk manager at Eversholt Rail and is now working as a manager, risk advisory, for RSM Tenon. Ashley Milroy MIRM, formerly a risk analyst at Mott MacDonald, has joined Crowe Horwath Global Risk Consulting as a senior associate. Milroy, chair of IRM's west of Scotland regional group, recently achieved a distinction for her practical assignment in IRM's International Diploma in Risk Management. Charles Toomer FIRM, a former head of risk management at the BBC, has been appointed as senior manager/head of risk management at GoodCorporation. John Walton SIRM has joined Prudential UK as a Solvency II risk specialist.
Welcome to IRM
The latest newcomers to the institute
Fellows
Robert Kurau Neal Writer VocaLink Royal London Thomas Fay Sonja Folarin Andrew Glancy Laura Groom Brent Halazon Action For Children Caroline Holmes Jegbefume Itua Endurra Indonesia Willis Catlin Barnsley Metropolitan Borough Council Mitsui Sumitomo Insurance Group AIG Shell International International Insurance Company of Hanover Mikael Johansson Maureen Kelly Sheila Keogh Paul Lockett Sheila McCallion David McCarthy Peter McCormick Gavin Noyce Audrey OSullivan Heather Parkinson Florian Peter Lynsey Allen Rajib Banerjee Roger Belgrave George Valentin Bunea Alex Catleugh Charlene Causon Amanda Chapman Gillian Edworthy Laila Faraidooni AECI Dubai Health Authority QBE European Operations AVE European Group Department for Work and Pensions Saudi Aramco Total Rening and Petrochemical RAC Direct Line Group John Pulaski Gaetano Renato Timothy Rollett Valentina Russo Katherine Scanlan Martin Schepers James Shortland Benjamin Smith Theodoros Sofokleous NATO/International Security Assistance Force Generali International Leeds City Council Amlin Marsh Novelis WorldPay Bank of America Trust International Insurance & Reinsurance Jason Reynolds Linda Turner Nigel Whitehead Stephen Wynne Alcatel-Lucent Transport for London Direct Line Group Aspray 24 Bill & Melinda Gates Foundation Moore Stephens Consolidated Hallmark Insurance Ernst & Young AIG Health & safety consultant Bank of America DSD Social Security Agency Berwin Leighton Paisner The Co-operative Banking Group The Co-operative Banking Group Bank of America United Utilities Annika Thalin Robert Walker David Window Dan Wylie Mathew Wynn Richard Young Motor Insurers' Bureau Welland Medical Direct Line Group Ernst & Young Bank of America
Members
Peter Adams John Bates Paul Bravin Josephine Ann Foley Vanessa Hartley Adrian Hunt Andrew Jones Christopher Kelly Lisa Khan Allan Oxborrow
Specialists
Ashwini Amit Anslem Arulanandam Joan Burstow Nathaniel Cole Frank Andrew Davis Arun Dhyani Kins Ekebuike Pesh Framjee Patrick Gardiner Seamus Hughes David Potticary Gregory Ramsbottom Ace Insurance Consultants Marsh Emirates Insurance Brokerage & Consultancy Zurich Risk Engineering Forensics & Compliance Institute Trident Manor African Commodities UnityKapital Assurance Crowe Clarke Whitehill Diamond Offshore Governance Matters Imperial London Hotels Topaz Energy ECS Insurance & ECS Financial Services Brokers Tradex Insurance Company Prudential Regulation Authority Bank of America
Certificants
Zalina Jaflus
Meet the Malaysian member known to her friends as "the risky lady"
Please describe your typical day
Waking around 6am, I do physio exercises as I slipped a disc last year (possibly because my work requires a lot of walking and I tend to walk too fast for my age). After a quick breakfast, I drive around 90km (one way) to my office near Kuala Lumpur International Airport, which takes less than one and a half hours. The best part of my job is that it's not desk-bound. A good risk manager must change their shoes frequently because of all the walking they must do. You must walk about to identify and assess risks and I am so passionate about it. I normally lunch with friends or staff; I would rather not eat than eat alone. Work consists of meetings, surveys and risk assessment activities at airports around Malaysia. I also facilitate enterprise risk management (ERM) and business continuity management (BCM) workshops, and meet with insurance brokers and insurers.

food, like Japanese, Korean and Western. You can find food from all over the world in Malaysia. At weekends, I cook or eat out with family or friends. Sometimes friends come over and I cook lunch for them. My famous home-cooked dish is Assam Laksa, a type of noodles with spicy soup made from shredded fish, cooked in chilli paste and onions.