
Fundamentals of Risk Management
To a safe, secure and sustainable future
Fundamentals of Risk Management
Understanding, evaluating and implementing effective risk management
Paul Hopkin
FOURTH EDITION
Publisher's note
Every possible effort has been made to ensure that the information contained in this book is accurate at the time of going to press, and the publishers and authors cannot accept responsibility for any errors or omissions, however caused. No responsibility for loss or damage occasioned to any person acting, or refraining from action, as a result of the material in this publication can be accepted by the editor, the publisher or any of the authors.
First published in Great Britain and the United States in 2010 by Kogan Page Limited
Second edition 2012
Third edition 2014
Fourth edition 2017
Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form or by any means, with the prior permission in writing of the publishers, or in the case of reprographic reproduction in accordance with the terms and licences issued by the CLA. Enquiries concerning reproduction outside these terms should be sent to the publishers at the undermentioned addresses:
2nd Floor, 45 Gee Street
London EC1V 3RS
United Kingdom
www.koganpage.com
c/o Martin P Hill Consulting
122 W 27th St, 10th Floor
New York, NY 10001
USA
4737/23 Ansari Road
Daryaganj
New Delhi 110002
India
© The Institute of Risk Management, 2010, 2012, 2014, 2017
The right of The Institute of Risk Management to be identified as the author of this work has been asserted
by them in accordance with the Copyright, Designs and Patents Act 1988.
ISBN 978 0 7494 7961 9
E-ISBN 978 0 7494 7962 6
British Library Cataloguing-in-Publication Data
A CIP record for this book is available from the British Library.
Library of Congress Cataloging-in-Publication Control Number
2016046147
Typeset by Graphicraft Limited, Hong Kong
Print production managed by Jellyfish
Printed and bound by CPI Group (UK) Ltd, Croydon, CR0 4YY
Contents
List of figures xv
List of tables xvii
Foreword xx
Acknowledgements xxi
Introduction 1
Risk management in context
Nature of risk
Risk management
Risk management terminology
Benefits of risk management
Features of risk management
Book structure
Risk management in practice
Future for risk management
Changes for the fourth edition
PART ONE Introduction to risk management 11
Learning outcomes for Part One 11
Part One further reading 11
Part One case studies 12
Rank Group: How we manage risk 12
ABIL: Risk management overview 12
BIS: Approach to risk 13
01 Approaches to defining risk 15
Definitions of risk 15
Types of risks 17
Risk description 18
Inherent level of risk 20
Risk classification systems 20
Risk likelihood and magnitude 21
02 Impact of risk on organizations 24
Level of risk 24
Impact of hazard risks 25
Attachment of risks 26
Risk and reward 29
Attitudes to risk 30
Risk and triggers 32
03 Types of risks 35
Timescale of risk impact 35
Four types of risk 36
Embrace opportunity risks 39
Manage uncertainty risks 40
Mitigate hazard risks 41
Minimize compliance risks 43
04 Scope of risk management 45
Origins of risk management 45
Development of risk management 48
Specialist areas of risk management 49
Simple representation of risk management 50
Enterprise risk management 53
Levels of risk management sophistication 54
05 Principles and aims of risk management 57
Principles of risk management 57
Importance of risk management 59
Risk management activities 60
Effective and efficient core processes 61
Implementing risk management 62
Achieving benefits 63
PART TWO Approaches to risk management 67
Learning outcomes for Part Two 67
Part Two further reading 67
Part Two case studies: 68
United Utilities: Our risk management framework 68
Birmingham City Council: Scrutiny, accountability and risk management 68
Tsogo Sun: Risk management process 69
06 Risk management standards 71
Scope of risk management standards 71
Risk management process 74
Risk management context 75
COSO ERM cube 76
Features of RM standards 78
Updating of existing standard 79
07 Establishing the context 82
Scope of the context 82
External context 84
Internal context 85
Risk management context 87
Designing a risk register 88
Using a risk register 92
08 Enterprise risk management 96
Enterprise-wide approach 96
Definitions of ERM 98
ERM in practice 99
ERM and business continuity 100
ERM in energy and finance 101
Future development of ERM 102
09 Alternative approaches 104
Changing face of risk management 104
Managing emerging risks 105
Increasing importance of resilience 107
Different approaches 109
Structure of management standards 111
Future of risk management 113
PART THREE Risk assessment 115
Learning outcomes for Part Three 115
Part Three further reading 115
Part Three case studies: 116
AA: Risk governance 116
British Land: Our assessment of risk is a cornerstone 116
Guide Dogs NSW/ACT: List of major residual risks 117
10 Risk assessment considerations 119
Importance of risk assessment 119
Approaches to risk assessment 120
Risk assessment techniques 122
Nature of the risk matrix 125
Risk perception 127
Attitude to risk 128
11 Risk classification systems 132
Short-, medium- and long-term risks 132
Nature of risk classification systems 134
Examples of risk classification systems 135
FIRM risk scorecard 137
PESTLE risk classification system 138
Compliance, hazard, control and opportunity 140
12 Risk analysis and evaluation 143
Application of a risk matrix 143
Inherent and current level of risk 145
Control confidence 147
4Ts of hazard risk response 148
Risk significance 149
Risk capacity 150
13 Loss control 152
Risk likelihood 152
Risk magnitude 153
Hazard risks 154
Loss prevention 156
Damage limitation 157
Cost containment 157
14 Defining the upside of risk 159
Upside of risk 159
Opportunity assessment 162
Riskiness index 163
Upside in strategy 167
Upside in projects 168
Upside in operations 169
PART FOUR Risk response 171
Learning outcomes for Part Four 171
Part Four further reading 171
Part Four case studies: 172
Intu Properties: Insurance renewal 172
The Walt Disney Company: Disclosures about market risks 172
Australian Mines Limited: Risk assessment and management 173
15 Tolerate, treat, transfer and terminate 175
The 4Ts of hazard response 175
Tolerate risk 177
Treat risk 180
Transfer risk 181
Terminate risk 181
Strategic risk response 182
16 Risk control techniques 186
Types of controls 186
Hazard risk zones 190
Preventive controls 192
Corrective controls 192
Directive controls 193
Detective controls 194
17 Insurance and risk transfer 196
Importance of insurance 196
History of insurance 197
Types of insurance cover 198
Evaluation of insurance needs 200
Purchase of insurance 200
Captive insurance companies 203
18 Business continuity 206
Business continuity management 206
Business continuity standards 208
Successful business continuity 211
Business impact analysis (BIA) 214
Business continuity and ERM 214
Civil emergencies 216
PART FIVE Risk strategy 219
Learning outcomes for Part Five 219
Part Five further reading 219
Part Five case studies: 220
AMEC Foster Wheeler: Principal risks and uncertainties 220
BBC: Internal controls assurance 220
Emperor Watch & Jewellery: Risk management 221
19 Core business processes 223
Dynamic business models 223
Types of business processes 226
Strategy and tactics 227
Effective and efficient operations 228
Ensuring compliance 229
Reporting performance 230
20 Reputation and the business model 232
Components of the business model 232
Risk management and the business model 233
Reputation and corporate governance 235
CSR and risk management 235
Supply chain and ethical trading 238
Importance of reputation 240
21 Risk management context 244
Architecture, strategy and protocols 244
Risk architecture 247
Risk management strategy 247
Risk management protocols 248
Risk management manual 249
Risk management documentation 252
22 Risk management responsibilities 257
Allocation of responsibilities 257
Range of responsibilities 258
Statutory responsibilities of management 260
Role of the risk manager 262
Risk architecture in practice 264
Risk committees 267
23 Control of selected hazard risks 270
Cost of risk controls 270
Learning from controls 273
Control of financial risks 275
Control of infrastructure risks 277
Control of reputational risks 281
Control of marketplace risks 283
PART SIX Risk culture 285
Learning outcomes for Part Six 285
Part Six further reading 285
Part Six case studies: 286
Network Rail: Our approach to risk management 286
Ekurhuleni Metropolitan Municipality (EMM): Risk management 286
Ericsson: Corporate governance report 287
24 Risk-aware culture 289
Styles of risk management 289
Steps to successful risk management 290
Defining risk culture 291
Measuring risk culture 295
Alignment of activities 297
Risk maturity models 299
25 Importance of risk appetite 302
Nature of risk appetite 302
Risk appetite and the risk matrix 304
Risk and uncertainty 306
Risk exposure and risk capacity 308
Risk appetite statements 310
Risk appetite and lifestyle decisions 313
26 Risk training and communication 316
Consistent approach to risk 316
Risk training and risk culture 317
Risk information and communication 319
Shared risk vocabulary 321
Risk information on an intranet 322
Risk management information system (RMIS) 323
27 Risk practitioner competencies 325
Competency frameworks 325
Range of skills 326
Communication skills 328
Relationship skills 331
Analytical skills 332
Management skills 333
PART SEVEN Risk governance 335
Learning outcomes for Part Seven 335
Part Seven further reading 335
Part Seven case studies: 336
Severn Trent Water: Our approach to risk 336
Tim Hortons: Sustainability and responsibility 336
DCMS: Capacity to handle risk 337
28 Corporate governance model 339
Corporate governance 339
OECD principles of corporate governance 340
LSE corporate governance framework 342
Corporate governance for a bank 343
Corporate governance for a government agency 344
Evaluation of board performance 347
29 Stakeholder expectations 351
Range of stakeholders 351
Stakeholder dialogue 353
Stakeholders and core processes 354
Stakeholders and strategy 356
Stakeholders and tactics 357
Stakeholders and operations 358
30 Operational risk management 360
Operational risk 360
Definition of operational risk 361
Basel II and Basel III 363
Measurement of operational risk 364
Difficulties of measurement 366
Developments in operational risk 367
31 Project risk management 370
Introduction to project risk management 370
Development of project risk management 371
Uncertainty in projects 372
Project lifecycle 374
Opportunity in projects 377
Project risk analysis and management 378
32 Supply chain management 380
Importance of the supply chain 380
Scope of the supply chain 381
Strategic partnerships 382
Joint ventures 384
Outsourcing of operations 384
Risk and contracts 387
PART EIGHT Risk assurance 389
Learning outcomes for Part Eight 389
Part Eight further reading 389
Part Eight case studies: 390
Unilever: Our risk appetite and approach to risk management 390
Colgate Palmolive: Damage to reputation 390
Sainsbury’s and Tesco: Principal risks and uncertainties 391
33 The control environment 393
Nature of control environment 393
Purpose of internal control 394
Control environment 395
Features of the control environment 397
CoCo framework of internal control 399
Good safety culture 401
34 Risk assurance techniques 402
Audit committees 402
Role of risk management 404
Risk assurance 405
Risk management outputs 407
Control risk self-assessment 408
Benefits of risk assurance 409
35 Internal audit activities 411
Scope of internal audit 411
Role of internal audit 412
Undertaking an internal audit 414
Risk management and internal audit 416
Management responsibilities 419
Five lines of assurance 420
36 Reporting on risk management 423
Risk reporting 423
Sarbanes–Oxley Act of 2002 425
Risk reports by US companies 426
Charities’ risk reporting 428
Public-sector risk reporting 429
Government report on national security 430
Appendix A: Abbreviations and acronyms 433
Appendix B: Glossary of terms 436
Appendix C: Implementation guide 446
Index 449