Publisher’s note Every possible effort has been made to ensure that the information contained in this book is accurate at the time of going to press, and the publishers and authors cannot accept responsibility for any errors or omissions, however caused. No responsibility for loss or damage occasioned to any person acting, or refraining from action, as a result of the material in this publication can be accepted by the editor, the publisher or any of the authors.
First published in Great Britain and the United States in 2010 by Kogan Page Limited. Fifth edition 2018.
Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form or by any means, with the prior permission in writing of the publishers, or in the case of reprographic reproduction in accordance with the terms and licences issued by the CLA. Enquiries concerning reproduction outside these terms should be sent to the publishers at the undermentioned addresses:
2nd Floor, 45 Gee Street, London EC1V 3RS, United Kingdom
c/o Martin P Hill Consulting, 122 W 27th St, 10th Floor, New York, NY 10001
CONTENTS
Cover
Title Page
Copyright
Contents
List of figures
List of tables
Foreword
Acknowledgements
Introduction
    Risk management in context
    Nature of risk
    Risk management
    Risk management terminology
    Benefits of risk management
    Features of risk management
    Book structure
    Risk management in practice
    Future for risk management
    Changes for the fifth edition
PART ONE Introduction to risk management
    Learning outcomes for Part One
    Part One further reading
    Part One case studies
        Rank Group: How we manage risk
        ABIL: Risk management overview
        BIS: Approach to risk
01 Approaches to defining risk
    Definitions of risk
    Types of risks
    Risk description
    Inherent level of risk
    Risk classification systems
    Risk likelihood and magnitude
02 Impact of risk on organizations
    Level of risk
    Impact of hazard risks
    Attachment of risks
    Risk and reward
    Attitudes to risk
    Risk and triggers
03 Types of risks
    Timescale of risk impact
    Four types of risk
    Embrace opportunity risks
    Manage uncertainty risks
    Mitigate hazard risks
    Minimize compliance risks
04 Scope of risk management
    Revised ISO 31000 [2018]
    Updating of RM terminology
07 Establishing the context
    Scope of the context
    External context
    Internal context
    Risk management context
    Designing a risk register
    Using a risk register
08 Enterprise risk management
    Enterprise-wide approach
    Definitions of ERM
    ERM in practice
    ERM and business continuity
    ERM in energy and finance
    Integrating strategy and performance
09 Alternative approaches
    Changing face of risk management
    Managing emerging risks
    Increasing importance of resilience
    Different approaches
    Structure of management standards
    Future of risk management
PART THREE Risk assessment
    Learning outcomes for Part Three
    Part Three further reading
    Part Three case studies
        AA: Risk governance
        British Land: Our assessment of risk is a cornerstone
        Guide Dogs NSW/ACT: List of major residual risks
10 Risk assessment considerations
    Importance of risk assessment
    Approaches to risk assessment
    Risk assessment techniques
    Nature of the risk matrix
    Risk perception
    Attitude to risk
11 Risk classification systems
    Short-, medium- and long-term risks
    Nature of risk classification systems
    Examples of risk classification systems
    FIRM risk scorecard
    PESTLE risk classification system
    Compliance, hazard, control and opportunity
12 Risk analysis and evaluation
    Application of a risk matrix
    Inherent and current level of risk
    Control confidence
    4Ts of hazard risk response
    Risk significance
    Risk capacity
    Tolerate risk
    Treat risk
    Transfer risk
    Terminate risk
    Strategic risk response
16 Risk control techniques
    Types of controls
    Hazard risk zones
    Preventive controls
    Corrective controls
    Directive controls
    Detective controls
17 Insurance and risk transfer
    Importance of insurance
    History of insurance
    Types of insurance cover
    Evaluation of insurance needs
    Purchase of insurance
    Captive insurance companies
18 Business continuity
    Business continuity management
    Business continuity standards
    Successful business continuity
    Business impact analysis [BIA]
    Business continuity and ERM
    Civil emergencies
PART FIVE Risk strategy
    Learning outcomes for Part Five
    Part Five further reading
    Part Five case studies
        AMEC Foster Wheeler: Principal risks and uncertainties
        BBC: Internal controls assurance
        Emperor Watch & Jewellery: Risk management
19 Core business processes
    Dynamic business models
    Types of business processes
    Strategy and tactics
    Effective and efficient operations
    Ensuring compliance
    Reporting performance
20 Reputation and the business model
    Components of the business model
    Risk management and the business model
    Reputation and corporate governance
    CSR and risk management
    Supply chain and ethical trading
    Importance of reputation
21 Risk management context
    Architecture, strategy and protocols
    Risk architecture
24 Risk-aware culture
    Styles of risk management
    Steps to successful risk management
    Defining risk culture
    Measuring risk culture
    Alignment of activities
    Risk maturity models
25 Importance of risk appetite
    Nature of risk appetite
    Risk appetite and the risk matrix
    Risk and uncertainty
    Risk exposure and risk capacity
    Risk appetite statements
    Risk appetite and lifestyle decisions
26 Risk training and communication
    Consistent response to risk
    Risk training and risk culture
    Risk information and communication
    Shared risk vocabulary
    Risk information on an intranet
    Risk management information systems [RMIS]
27 Risk practitioner competencies
    Competency frameworks
    Range of skills
    Communication skills
    Relationship skills
    Analytical skills
    Management skills
PART SEVEN Risk governance
    Learning outcomes for Part Seven
    Part Seven further reading
    Part Seven case studies
        Severn Trent Water: Our approach to risk
        Tim Hortons: Sustainability and responsibility
        DCMS: Capacity to handle risk
28 Corporate governance model
    Corporate governance
    OECD principles of corporate governance
    LSE corporate governance framework
    Corporate governance for a bank
    Corporate governance for a government agency
    Evaluation of board performance
29 Stakeholder expectations
    Range of stakeholders
    Stakeholder dialogue
    Stakeholders and core processes
    Stakeholders and strategy
    Stakeholders and tactics
    Stakeholders and operations
30 Operational risk management
    Operational risk
        Sainsbury’s and Tesco: Principal risks and uncertainties
33 The control environment
    Nature of internal control
    Purpose of internal control
    Control environment
    Features of the control environment
    CoCo framework of internal control
    Good safety culture
34 Risk assurance techniques
    Audit committees
    Role of risk management
    Risk assurance
    Risk management outputs
    Control risk self-assessment
    Benefits of risk assurance
35 Internal audit activities
    Scope of internal audit
    Role of internal audit
    Undertaking an internal audit
    Risk management and internal audit
    Management responsibilities
    Five lines of assurance
36 Reporting on risk management
    Risk reporting
    Sarbanes–Oxley Act of 2002
    Risk reports by US companies
    Charities’ risk reporting
    Public-sector risk reporting
    Government report on national security
Appendix A: Abbreviations and acronyms
Appendix B: Glossary of terms
Appendix C: Implementation guide
Index
Back cover