Professional - Enterprise Risk Magazine
Transcription
Professional - Enterprise Risk Magazine
Professional RISK MANAGEMENT www.rmprofessional.com | June 2012 Corporate Japan “is a perverted golf club” Former Olympus CEO-turnedwhistleblower Michael Woodford talks about his experiences •Olympic threats •ERM - a perfect recipe? • Police service risks •Women on boards •Information risk roundtable •IRM forum review •Zurich and IRM join forces Risk Management Professional: the official magazine of the Institute of Risk Management Professional RISK MANAGEMENT Published on behalf of IRM, Risk Management Professional is the leading quarterly title for risk managers and enterprise risk For advertising opportunities please contact Steve Good: Tel: +44 (0)20 7562 2435 or email: steve.good@rmprofessional.com www.rmprofessional.com contents Cover story Professional RISK MANAGEMENT IRM CHAIRMAN: Richard Anderson FIRM Ahead of his keynote speech at November’s IRM Risk Leaders’ Conference, ex-Olympus CEO Michael Woodford tells us why he spoke out against wrongdoing at the firm, and the impact it had on him and his family. CHIEF EXECUTIVE OFFICER: Steve Fowler FIRM Deputy chief executive: Sophie Williams MIRM head of marketing: Fiona Duhig fiona.duhig@theirm.org Tel: +44 (0)207 709 9808 editor: Tom Bovingdon tom.bovingdon@rmprofessional.com Tel: +44 (0)207 562 2420 design & production: Keem Chung Tel: +44 (0)207 562 2405 keem.chung@perspectivepublishing.com 12 INDUSTRY FOCUS News 4 Editor’s letter 8 Letters9 Olympic risks 14 advertising manager: Steve Good Tel: +44 (0)207 562 2435 steve.good@rmprofessional.com ERM - age of enterprise 20 accounts: Marilou Tait Tel: +44 (0)207 562 2432 marilou.tait@rmprofessional.com Thin blue line 22 Women on boards 24 Area focus: Australasia 28 ISO 31000: the debate 30 circulation: Joel Whitefoot Tel: +44 (0)208 950 9117 perspective@alliance-media.co.uk managing director: John Woods Publishing director: Mark Evans Risk Management Professional is the official publication of the Institute of Risk Management (IRM). ISSN 2042-4078 IRM is the world’s leading enterprise-wide risk education institute. We are independent, wellrespected advocates of the risk profession, owned by practising risk professionals and operate internationally, with members and students in over 90 countries. feedback: Fiona Duhig Tel: +44 (0)20 7709 9808 Roundtable: IT security 34 Chairman’s column IRM FOCUS 11 Professional Development Forum review 40 SIG and RG news 44 Institute of Risk Management 6 Lloyd’s Avenue, London EC3N 3AX Tel: +44 (0)20 7709 9808, Fax +44(0) 20 7709 0716 www.theirm.org, enquiries@theirm.org News45 New memberships 46 Copyright © 2012 Institute of Risk Management. All rights reserved. Thought leadership 47 Reproduction without written permission is strictly forbidden. The views of outside contributors are not necessarily the views of IRM, its editor or its staff. Exam results 48 www.theirm.org enquiries@theirm.org | Risk Management Professional | June 2012 | www.rmprofessional.com | 03 news A governance standard demonstrating best practice is being developed by the British Standards Institute (BSI). The standard, aiming to launch in early 2013, will be developed through work with professional bodies, government and business. Carolyn Williams MIRM, head of thought leadership at IRM, said: “We already have the UK Corporate Governance Code covering this area and it will be interesting to see what value the proposed new standard would add.” Security professionals “over-confident” on ERM IT professionals have “significant gaps in their enterprise risk management (ERM) strategies despite thinking they are on track”, according to research by HP. Research published in May showed that just 14 per cent of security professionals are very confident that their current IT solutions are giving them a complete picture of their ‘risk state’. Jennifer Lake, security product marketing manager for HP DVLabs, said intelligent approaches are required to combat “a new breed of cyber threats”. The research also showed that cyber attacks are becoming more frequent, staff are often inadvertently breaching security, and less than half of survey respondents (41 per cent) carry out asset analysis and prioritisation as part of their security programme. For more information on IT security risks, turn to our expert roundtable on pages 34-39. 04 | Olympus fraud “could happen anywhere” Fraud comparable to events at Olympus “could happen anywhere”, the former president and CEO turned whistleblower Michael Woodford has exclusively told Risk Management Professional. Woodford, who will be speaking at IRM’s Risk Leaders’ Conference on 20 November, said any organisation could suffer from the scenario that led to $1.7 billion losses being hidden. “It can happen anywhere where you get power. We’ve all got bosses. We’ve got mortgages. You may have children. In any hierarchical structure – and it comes down to the tone at the top, how far people are prepared to look the other way or keep well away – that psychology of how fraud or wrongdoing takes place is interesting to examine”, he said. As we went to press (28 May), Woodford was launching a five-day unfair dismissal case against Olympus at a London tribunal. He is attempting to sue the company for up to ten years of lost pay, citing UK laws on unfair dismissal for whistelblowing and discrimination. Olympus previously said Woodford left because he was “causing problems”. Woodford is currently finishing the British version of his book and is in talks with film companies about taking his story to the silver screen. Asked who he would like to play him, he said: “Colin Firth, Kevin Spacey, some people have even said George Clooney, but he’d have to put a bit of weight on and shave his head.” Olympics to raise flu risk in travel-hub UK An influx of Olympic tourists will raise the risk of a flu pandemic across the UK, according to risk analysis firm Maplecroft. The UK’s highly urbanised and transient population, and its prominence as a travel hub, make it the second highest-ranked country where a flu pandemic is likely to spread fastest, behind Singapore, the Influenza pandemic risk index found. With tourists numbers expected to surge by around 5.3 million during the Olympics, the researchers warned of the potential to “exacerbate the already significant risk of spread in the country, particularly since visitors from countries most at risk of a pandemic emergence will feature high in these influxes”. However, the report also found that the UK’s strong governance, highly developed infrastructure, well educated population and advanced health system also places it among the 10 countries with the highest capacity to contain a potentially lethal outbreak of a strain of flu, Maplecroft found. After Singapore (1) and the UK (2), the highest ranked countries were South Korea (3), the Netherlands (4) and Germany (5). mcfarlandmo BSI to launch governance standard www.rmprofessional.com | June 2012 | Risk Management Professional | news INDUSTRY FOCUS Olympics “safer than home” london 2012 Visiting the Olympic Park to watch the world’s biggest sporting event will be safer than staying in your house, the incident and business continuity manager for the Olympic Park has claimed. Andy Tomkinson, pictured (right), said he will feel “very safe” during the London 2012 Olympic and Paralympic Games because the organisers will have “made their own luck through planning and risk mitigation”. He said: “If you asked me where would be the safest place to be in London during the Olympics, I would say the Olympic Park. And I’d like my mum and dad to be there too. They would be safer at the Olympic Park than they are in their home.” Tomkinson believes London 2012 will be the “best Games ever” and is satisfied that contingency measures are in place for any eventuality. He said: “Every single kick-off, every single weight-lift, every single backflip, there is a contingency plan. It’s been a massive job.” But he stressed that there is no room for complacency. He added: “No one is resting on their laurels. Nobody is going to take their foot off the pedal.” Heathrow Airport will be able to cope with the extra traffic caused by the Olympic Games, BAA has said. At a briefing in London, BAA bosses assured the public that the airport would be able to manage the influx of visitors and athletes after concerns were raised over queues and delays at Britain’s busiest airport. Heathrow will open a temporary terminal, 31 check-in desks and five security lanes solely for the use of athletes to cope with the demand, bosses said. The airport will see its busiest ever day on 13 August when handling 138,000 departures and 200,000 bags. Meanwhile, Marc Owen, director of the UK Border Agency, promised that hundreds of extra trained border guards will be drafted in. Their assurances come after the House of Commons culture select committee warned that Heathrow may struggle Arenamontanus Heathrow “ready for olympic traffic” to cope with long immigration queues during the Games. In a letter to culture, media and sport secretary Jeremy Hunt, the committee said: “While visiting tourists will understand that the Olympics is a busy time, if the wait [at immigration] is in excess of an hour it may deter tourists from returning.” London 2012 to be “the BCI Olympics” The Olympic and Paralympic Games in London this summer will be “the business continuity Olympics”, an incident and business continuity manager for the Olympic Park has exclusively told Risk Management Professional. Andy Tomkinson, who works for London Organising Committee of the Olympic Games and Paralympic Games (LOCOG), says London 2012 “has gone further than other Olympics have before in engaging with society and business” to minimise disruption. Speaking outside the Olympic Park, Tomkinson said: “There will be disruption, but it will be managed and predictable and we’ve got plans and procedures in place to help mitigate that.“ He added: “This is the first time that business continuity for small business, freight management and the Olympic network have really drawn together – across society, commerce and the Games – into one package. An overwhelming majority of businesses are creating plans and procedures to be Games ready.” | Risk Management Professional | June 2012 | www.rmprofessional.com | 05 news X chromosome marks risk appetite spot One third of companies not reporting key risks Over one third of companies scored zero points when rated for their reporting on child labour, climate or water risks. In an analysis of 1,078 companies carried out by Norges Bank Investment Management (NBIM), 41 per cent of firms failed to receive any points for their reporting of these risks, compared with 44 per cent the year before. Anne Kvam, NBIM’s global head of ownership policy, said the report looked at areas of “particular concern that companies need to address – children’s rights, climate change and water scarcity”. She added: “While our findings show a slight improvement in how businesses reported on risks in these areas in 2011 compared with 2010, the overall level of reporting is still far too low.” Adidas, Air France-KLM and Nestlé were among the companies to receive top marks for their reporting on social or environmental risks. ISO 31000 under discussion Nearly 100 delegates from around the world gathered in Paris, France, on 21-22 May for the first international conference to discuss the ISO 31000 risk management standard, two years after its launch in 2009. IRM was represented by chief executive Steve Fowler FIRM and head of thought leadership Carolyn Williams MIRM, who spoke at a seminar session on how ISO 31000 should be addressed in educational development. For information on IRM qualificiations visit: www.theirm.org. For more information on the conference, visit: www. g31000conference2012.org/ 06 | Report calls for “off-therecord” risk reports Auditors and audit committees should have informal meetings where potential and emerging risks to banks can be discussed, a report from the Chartered Institute of Internal Auditors (CIAA) has said. The report, Enhancing the dialogue between bank auditors and audit committees: good practice for bank auditors, audit committees and executive management, said that informal meetings should take place where ideas can be “tested in an environment which does not demand written reporting or precise conclusions”. “In these meetings, the necessary formality and protocol which surrounds audit committee meetings can be temporarily set aside, replaced by offthe-record conversations which seek to identify potential and emerging risks to the business”, the report added. Such discussions would allow “much more of the flavour of debates to be presented”, the report said, and allow auditors to communicate “as if they were telling a story to a friend”. www.rmprofessional.com | June 2012 | Risk Management Professional | Having more women at board level could help firms strike the right risk appetite, a business psychologist has claimed. Grace Walsh, of Psychological Consultancy (PCL), a firm working with IRM to examine the importance and impact of risk culture on organisations, told Risk Management Professional that having more women at board level “may not just be beneficial but also necessary in order to get the risk appetite balance right”. She added: “It is not just that more women should be in more senior executive positions, it is that it is needed.” PCL recently compiled research finding “very significant” gender differences between attitudes to risk, revealing that females are generally more prudent and wary in their approach to risk while men tend to be adventurous, carefree and spontaneous. The report stated: “Differences in risk-taking may be a distinctive feature on gender”. Sharon Constançon, chief executive of board evaluation consultancy Genius Methods, told Risk Management Professional that the presence of women on boards “improves the communications between directors and allows for a natural inclusion of softer issues at the forefront of board effectiveness like culture, ethics, style and behaviour”. She said: “In my experience women are less political and more open. They are willing to ask questions, even the simple (or stupid) ones and persevere as they need to get a satisfactory answer.” For further thoughts about women on boards, see All trousers, no skirt? (pages 24-25). news INDUSTRY FOCUS Bahrain businesses make risk “key priority” Risk management “crucial” for Arctic exploration Organisations must put “robust” risk management in place if they are to succeed in exploring the $100bn Arctic frontier, according to a report by insurance market Lloyd’s. The report, Arctic opening: opportunity and risk in the high North, said that “risk management is fundamental for companies to work safely, sustainably and successfully in the Arctic”, as expected investment in the region is predicted to reach £100bn over the next decade. “Companies operating in the Arctic require robust risk management frameworks and processes that adopt best practice and contain worst case scenarios, crisis response plans and fullscale exercises. There are many practical steps businesses can take to manage risks effectively, including investing in Arctic-specific technologies and implementing best-in-class operational and safety standards, as well as transferring some of the risks to specialist insurers”, the report said. Richard Ward, CEO of Lloyd’s, said Arctic opportunities will only be realised “if the businesses involved are able to manage the substantial and unique risks which exist in the region”. He added: “The Arctic is a frontier unlike any other, and the industries and companies it attracts will need to develop and implement robust risk management systems to meet these challenges.” Over half of Bahrain-based business leaders are making risk management their primary focus, according to a survey carried out by KPMG. A European and Middle East survey released this week by the audit, tax and advisory services firm found “many similarities” between Bahrain organisations and their regional and European counterparts, but said that the emphasis on risk management is a difference. Addressing risk throughout their organisation was a priority for 51 per cent of Bahrain respondents, compared to the survey average of 21 per cent. Narayanan Ramachandran, KPMG’s Bahrain advisory head, said: “Perhaps the biggest difference is the emphasis Bahrain-based business leaders are placing on risk management.” Audit and risk “must speak same language” Middle East war “bigger risk than debt crisis” Conflict in the Middle East poses a greater danger to the economy than the Greek debt crisis, according to Henkel AG chief executive officer Kasper Rorsted. Rorsted was quoted by Reuters news agency as saying that conflict in the region is the “least manageable scenario” and would increase volatility in raw material prices. He was quoted as saying: “The biggest risk in 2012 is not Greece, it is war in the Middle East.” Recent clashes on 4 May between protestors and security forces in Cairo left one dead and hundreds injured with anxiety increasing as the results of the 23-24 May elections were counted. But Rorsted told Reuters that the Middle East continues to offer a “huge opportunity” for long-term investment in region, adding: “The price you pay for presence in the region is volatility.” Internal audit and risk management are more effective when they work together and share a common understanding, according to a joint report from the Risk and Insurance Management Society (RIMS) and The Institute of Internal Auditors (IIA). The report, Risk management and internal audit: forging a collaborative alliance, found that collaboration between the two can lead to “stronger, more efficient decisionmaking and enhance an organisation’s overall risk management capability and value”. Hal Garyn, vice-president of North American services for IIA, said: “Having these vital risk management and assessment functions collaborate, speak the same language, and leverage one another’s perspectives on the business is crucial. The sum is truly greater than their parts.” | Risk Management Professional | June 2012 | www.rmprofessional.com | 07 Editor’s Letter letters Roll up! The circus is coming 08 | www.rmprofessional.com | June 2012 | Risk Management Professional | 40-43. As usual, the event was a blend of networking and new insights, but with a twist. As well as speeches on green pigs and meerkats, there was dancing, comedy and the surreal moment when one risk professional serenaded me with some John Denver. Something else worth celebrating is the recent agreement between Zurich and IRM, whereby all Zurich risk engineers now automatically become IRM members to at least affiliate level. For more information turn to page 44. When recently watching The Apprentice, a BBC reality show where contestants compete to become business partners with famous British entrepreneur Lord Sugar, I came across risk analyst Bilyana Apostolova. Here was a chance for the British public to see the face of risk management. But how quickly it went downhill! By the end of the first episode Apostolova had rubbed Lord Sugar up the wrong way. As he decided who to sack from the losing team, Apostolova continuously interrupted the bearded face of British business until his patience collapsed and he fired her. With that in mind, we plan to examine soft skills in our next issue. In the meantime, expectation continues to build ahead of the Olympics. Fingers crossed the event lives up to expectations. And finally, some of may have noticed that we have launched a digital version of the magazine that can be read online or on your smartphone or tablet. We hope this improves your reading experience. Tom Bovingdon, editor london 2012 L ondon is unfurling the banners and flags and the media circus is gearing up ahead of an enormous July and August. But none of this is, as you might expect, to commemorate my first year on the magazine. Instead, the Olympics and Paralympic Games are coming to town, bringing with them some of the biggest risk management challenges to date. We cover the Olympic bases on pages 14-17, but as usual have cast our net far and wide to bring you a wealth of risk research, news and debate on various other topics. Following on from our last issue, where we asked if enough is being done to encourage and protect whistleblowers, we speak to Michael Woodford, the former president of Olympus who was shooed out the back door when he started posing questions about “murky transactions”. Turn to pages 12-13 to find out why it felt like he had brought “a curse upon our family”. Two risk monoliths go head to head in our debate column as we ask if ISO 31000 is fit for purpose. Lots of virtual blood has been spilt on this subject, so see what happens when we bring the debate to RMP on pages 19-21. We also check which sectors are excelling in embedding enterprise risk management, examine the role of risk managers within the police service, a focus on risk in Australasia, and a roundtable full of expert insight on IT security. And we still had to find room for the main event of the quarter – IRM’s Professional Development Forum. Three hundred risk practitioners attended the event in Manchester, UK, in April, and we bring you our review of proceedings on pages letters End of the road for “risk”? C hristopher Day MIRM wrote [in RMP March 2012] that “the whole principle of worrying about the precise meaning of words is complete anathema to me” – in response to my concerns about the definition of “risk”. But if we do not consider what others mean by a word, we are unable to communicate. “Use the normal terminology” says Day, but what is “normal?” I agree the predominant English connotation of “risk” is the chance of an unfavorable outcome, but many other English readers consider ‘risk” to be the adverse event itself, while a few see it as a measure of probable likelihood and consequence. If, as Norman Marks FIRM argues, our critical needed skill is that of a “communicator,” then we need to acknowledge the word “risk” creates confusion! I accept that “risk is overwhelmingly negative”, but if the discipline of risk management focuses only on negative outcomes, it cannot affect strategy. Yes, a risk manager can keep an “opportunity register”, as Day does, but then shouldn’t we call what we do “opportunity and risk management?” Words and their meanings do matter. In the same issue, Marks said our problem is that there is ‘no common understanding, or even a common language, for risk management or risk”. Later in the same issue Steven Shackleford appears to agree with Day: ”Clients believe it is right that risk professionals should be naturally averse to taking risks” - but others quoted in your pages see a broader responsibility. Woolfson and Evans: “What makes some people ignore the upside of risk?” And Marks: “As long as risk management is associated with threats rather than making better decisions, you aren’t really adding value.” And Johannes Arreymbi: “I see risk as being about managing uncertainties.” And the Risk Decisions article: “…Recording the risks (threats and opportunities)”. If “risk” is generally understood to mean something negative, and if we can agree that our role is to anticipate future uncertainties, building coherent response capabilities, then perhaps we must rename what we do. I see it as “a discipline for dealing with uncertainties”. The continuing confusion around the word “risk” itself suggests that this word has outlived its usefulness. Felix Kloman FIRM, head of Seawrack Press Book review MEGACHANGE : The World in 2050 (Economist) T hose expecting this book’s views on the future to live up to the title “MEGACHANGE” may be in for some disappointment. “More of the same, but faster”, might be a more apt title. That said, the experts bring great credibility, present well argued detail and are likely to be right in many of their predictions. There is much to recommend of real value to risk professionals and students of risk, such as the transformational power of increasing rates of change (if a competitor is taking your market share at 10% a year…you will soon be out of business). Other useful topics include the increas- ing power and immediacy of social media and its role in consumer decisionmaking – this will probably make attention to reputation risks ever more relevant in the boardroom. Also, the focus on the vulnerabilities of supply chains will be grist to the mill of many risk managers. But there is little radical thought here and rather too much extrapolation of current trends. So, no onset of a little Ice Age, no impact of pandemics, no birth of the first person to live to 500 In short, little mention of the unlikely scenarios that might trigger “MEGACHANGE”. Risk professionals may also be dismayed at some of the “certainties” such as ever increasing global population; something that is very likely, but is not certain. The book argues cogently that the doomsayers are often proved wrong but spaceship earth should not be considered unsinkable, even by economists. Charles Toomer FIRM Letters, which may be edited, should be submitted to the editor, Risk Management Professional, Perspective Publishing, Sixth Floor, 3 London Wall Buildings, London EC2M 5PD or emailed to tom.bovingdon@rmprofessional.com | Risk Management Professional | June 2012 | www.rmprofessional.com | 09 Risk Leaders Conference 2012 Practical strategies for risk at board level Tuesday 20 November Dexter House, Royal Mint Court, London EC3N 4QN RISK LEADERS CONFERENCE - 20 NOVEMBER 2012 - LONDON IRM’s Risk Leaders conference is designed specifically to meet the needs of chief risk officers, heads of audit, non-executive directors and others responsible for risk at board level. With speakers and seminars covering critical risk issues, as well as an outstanding networking opportunity, the fast paced programme will cover topical risk issues such as: • Risk Culture • Developments in corporate governance • Emerging risks that boards need to be aware of • Risk and Strategy To find out more about this year’s conference call +44 Speakers include Michael Woodford, former President and Worldwide CEO of Olympus, and Jim Sutcliffe, Chairman of the new Codes and Standards Committee at the Financial Reporting Council (FRC). IRM’s Risk Leaders conference is the must-attend event for senior risk professionals and sells out quickly. To guarantee your place, pre-register your interest by emailing events@theirm.org. Sponsorship and partnership opportunities are available. Contact murray.barber@theirm.org for further details. (0) 20 7709 9808 go to www.theirm.org or email events@theirm.org The Institute of Risk Management, 6 Lloyd’s Avenue, London EC3N 3AX. Chairman’s column irm Conquering the conker misconceptions Richard Anderson FIRM examines the role of risk management in society I recall an interview some years ago when I was applying for a job. The interviewer said: “You don’t look like a risk manager. I mean, you don’t look like a man who would only say ‘no!’” Of course, I never thought that my role as a risk management professional was simply to say “no” but this did lead me to think about just what it is that the risk management profession offers to society. Are we a bunch of do-gooders and pleasure destroyers who stop children from playing conkers and remove hanging baskets from (formerly) pretty market towns? Or, as many people suspect, are we simply insurance folk dressing up as management consultants? Or is there possibly a greater benefit to society that we are able to provide? There has been considerable political interest in risk management recently. During the passage of the healthcare bill through parliament, the opposition party has been calling for the government to release the strategic risk register prepared by the NHS in anticipation of the new legislation. The government declined on the basis that sharing a risk register would “chill” thought-provoking advice from civil servants. Risk registers have arrived on the political agenda. Of course, the argument provided by the government is almost exactly why many American corporations prefer not to record their risks in a written format: they might be used against them. So how can risk management be anything other than a hindrance if it is only about saying “no”, stops children from playing conkers in the school playground and can then be used against you if you take it seriously? I believe that risk management can be an enormous power for good. Historically we have focused on control over that where we can exercise control: in other words things that are happening now, or recording things which have just happened. If we could not exercise control, or we could not record the event, then we were likely to put it down to forces of nature or to religion. But attitudes have changed. Citizens are expecting accountability from the state, and shareholders are expecting accountability from boards and managers. Risk management has a major role in facilitating that accountability. Risk management provides a framework for a new paradigm of control: establishing how one might act in the event of uncertain futures. This is not the bland budgeting and forecasting of yesteryear, but rather a new way of thinking. Risk management is about bringing a perspective to the management (rather than avoidance) of complicated issues in complex organisations. It helps to prioritise your work and that of others in a fastmoving context with an approach that is better than simple intuition and which facilitates communication between people. It is a style of thought, and is definitely not a paper chase. If this is truly the case, then risk management is much more about enabling new things to happen than simply stopping “bad stuff”; it is about reducing stress in society and in the workplace, because we will all feel much more “in control” of events if we have thought about how we are to manage them. If I am right, then we will see risk management providing a better balance between risk taking and risk avoidance, and a better balance between our performance culture and the ethics of both our society and our workplace. If we get those two balancing acts right then we will see a more sustainable (in all senses of the word) future. My guess is that public perception has a long way to go to catch up with modern thinking in risk management. As a profession it is our responsibility to pick up this challenge and to provide an explanation of why our work matters. Richard Anderson FIRM IRM chairman | Risk Management Professional | June 2012 | www.rmprofessional.com | 11 analysis I risk LEADERS’ KEYNOTE n July 20121, Woodford was relaxing at a hot springs resort when a friend translated an article from the Japanese FACTA magazine alleging wrongdoing and a cover-up of mysterious losses at Olympus. Woodford picks up the story: “When I saw that [article] I thought this was serious. I still didn’t believe this but when I challenged the chairman and vice-president on 2 August I could tell by their reaction – their discomfiture, unease and lack of any credible explanation. Then I knew there was something terribly, terribly wrong.” Woodford immediately confronted Olympus executives. They dismissed his concerns, Woodford claims, as they didn’t want to bother him with a domestic issue. “I’m the president of the company. I’m clearly very busy and they didn’t want me distracted by this. And I’m the person who signs off the accounts and the letter of representation with the auditors. “I asked whether it [the article] was true and they said: ‘Some of it is’. Which, again, I found an extraordinary response. They weren’t going to tell me anything”, he claims.” While other Japanese media ignored the emerging storm clouds, Woodford felt compelled to act after another FACTA article appeared. This time, Woodford decided to write a letter to the entire board. “FACTA published again on 20 September and this time it alleged links with anti-social forces. And that was enough. I said: ‘I’m going to formalise this.’ That was when the series of letters was written. ‘Anti-social forces’ is a euphemism for organised crime, which is the Yakuza in Japan. I knew I was passing a line as soon as I wrote those letters. There was no going back.” Olympus assured Woodford that the matter had been independently investigated in 2009, but Woodford was unsatisfied. “I saw the independent investigation and it was an utterly useless document… I said I wouldn’t go back to 12 | The wronged man Michael Woodford, former president and CEO at Olympus, was ousted from the company after publicly blowing the whistle on almost $2 billion of hidden losses. He talks to Tom Bovingdon ahead of his speech at IRM’s Risk Leaders’ Conference in November www.rmprofessional.com | June 2012 | Risk Management Professional | INDUSTRY FOCUS Japan unless I got some answers and that I would resign unless I got those answers. There were safety and legal reasons [for not returning to Japan]. “If I was the president I wasn’t going to manage the company blind unless I received a satisfactory answer. I wasn’t going to go back because my presence would make me complicit.” The backlash was immediate. “At the next board meeting I was criticised for writing those letters. The share price was down at 80 per cent and the institutional shareholders, still to this day, have not made one word of criticism - not one - of the incumbent board, after the Tobashi [financial fraud scheme] was exposed, and not one word that Mr Woodford did the right thing. Nothing. “You have the dichotomy of overseas shareholders up in arms saying it’s outrageous, then not one word from [Japan-based] others. They wouldn’t even see me.” Once ousted, Woodford started a proxy battle to unseat the management but later backed off because of the lack of domestic support. He tells Risk Management Professional: “I think we had a chance of winning the proxy but I wasn’t going to bring down the whole edifice. That’s for Japan to deal with.” Soon Woodford was concerned for the safety of his family, with the FBI and the Metropolitan Police Service advising him on how to stay safe. As he retreated to his London “bunker”, he received an email from Jake Aldestein, author of Tokyo Vice and a world authority on the Yakuza, warning him of the Yakuza’s ways and explaining how they had had someone assassinated in Thailand. Woodford’s wife saw it. “It was very frightening. My wife suffered terribly. My wife got that [email] and went to pieces. She was screaming, in a trance every night; waking around one o’clock and she would then fall back asleep once I’d calmed her. But I’m a light Woodford on Woodford: “I was a businessman. I was used to chairing meetings, maybe the marketing of a new product, or the quality, cost and delivery of our manufacturing, or spending time with our research and development groups. It was a conventional life as a businessman. And suddenly I found myself in a John Grisham novel.” “I wasn’t angry. I was just driven and persistent to get to the truth. I just wanted to be forensic in my follow-up and be factual.” “My hands still go cold when I tell the story.” sleeper so I was loaded with adrenalin. He adds: “It’s like a black comedy [now] but not when my wife was having a nervous breakdown and my daughter was in tears – my wife, particularly, is still getting over it emotionally. I don’t think she’ll get over it in its entirety. She’s a mother. What curse had I brought upon my family? We had our differences. I was zealot-like, particularly afterwards. I wouldn’t give up.” But surely he considered keeping quiet and having a quiet life? “The thing that’s surprised me most is that the overwhelming majority of people say: ‘Gosh, why did you do that?’ If enough people say it you think, ‘gosh, maybe I am mad’. I would have thought most people would have reacted in the same way but I’ve now come to a different opinion.” So what lessons can he impart to his audience of global risk professionals at IRM’s Risk Leaders’ Conference on 20 November in London, UK? “I will take the audience through what happened, look at the lessons learned and the generalised themes”, he says. “If you need any tale to reinforce the importance of risk management, this is the one. This is the perfect one.” He adds: “Risk management says what happens if there’s an earthquake, or with regards to currency exposure, health and safety. I don’t know how you risk manage the perverted golf club [culture]. You can’t. The people running the company were massively inadequate, in the case of Olympus, and incompetent. “The fundamental lessons to be learned are: why did the auditors miss it? How did they miss it? What role did the banks have? How could they not know the company was so indebted? All you are left with is that there’s something very strange and odd about the way Japan works.” Woodford on corporate Japan: “It is an Alice in Wonderland place, Japan. The absolute priority is to keep the clothes on the emperor, even if there are no clothes. Deference, total obedience. Not everyone, but a majority. I look at corporate Japan as a great big golf club that has become perverted and distorted.” “The whole priority is don’t rock the boat, don’t create any noise. I think Japan lost the last decade with no growth at all. There is huge concern over how many more organisations like Olympus are out there. Because if you have that cultural approach, if a company is in distress or not achieving what’s expected of it, you are likely to get positions where people compromise themselves. I am certain there are [others].” “I thought the lunatics had taken over the asylum.” | Risk Management Professional | June 2012 | www.rmprofessional.com | 13 sponsored feature olympics Olympian risks The world will be watching when the London 2012 Olympic and Paralympic Games commence next month. But, asks Tom Bovingdon, what potential risks do the Games bring with them? O lympic memories have a habit of etching themselves in the public’s imagination. Muhammad Ali lighting the flame; Jesse Owens’s trophy haul in 1936. On 27 July 2012 it will be all eyes on London and the regional UK host cities. And beyond the predictable opening ceremony fanfare – no doubt consisting of Routemaster buses, pillar-box phone boxes and iconic black cabs – lie the Olympic-sized risks that come with hosting Brand Will Jennings, author of Olympic Risks, a research associate at the centre for analysis of risk and regulation at the London School of Economics and Political Science, UK, and a senior lecturer in politics and international relations at Southampton University, says the Olympics are a “fascinating example of brand protection”. He adds: “It is the best known brand in the world. Market research has shown that the Olympic rings are up there with the symbols that everyone recognises.” The International Olympic Committee’s (IOC’s) concern stretches to the way the brand is ethically perceived, Jennings says, adding: “They had a wake-up call with the Salt Lake City corruption scandal that hit the IOC [where allegations of corruption were rife, but no evidence of illegality was found] and because of that they have been heavily influential in pushing protectionism of the brand and safeguarding their commercial sponsors.” Anthony Mundy, facilities director at the Ricoh Arena, where Olympic football matches will be held, knows how big an issue branding is as his workplace is being renamed to the City of Coventry Stadium for the duration of the Games. He says: “We have a huge amount of commercial branding from various organisations. We had to get agreement from these firms that their branding would be covered up during Games time. We have to cover every sign from the hand dryers in the toilets to the writing on the TVs. There is an Olympic ‘look and feel’ and then the commercial branding of the sponsors of the Games goes on top.” 14 | the biggest and oldest sporting event in the world. A wealth of risks exist around the event but we have chosen to examine five ahead of the main event - one to symbolise each Olympic ring. Legacy Contemporary expectations around Olympic legacies are “softer” than in the 1980s and 90s when there was an emphasis on economic impact, stimulating the economy and regeneration, Jennings says. He adds: “It is incredibly difficult for an organisation that is geared around a short time period to integrate legacy into its plans because as soon as the Olympics is over, a lot of the main staff move on.” One key issue is whether the Olympics will leave a trail of white elephant stadiums, Jennings warns. He says: “Even in a sports-mad country like Australia they struggled to fill some of the stadiums after the Olympics.” But Mundy says there are plenty of positive legacy issues, such as the Ricoh Arena benefitting from new staircases, modifications for extra footfall and extra CCTV. He adds: “And then there is the softer side. We have reviewed our health and safety policies and procedures, and held table-top exercises with local authorities, emergency services and security services. We were robust before but it’s made us look again and that’s a positive thing.” Andy Tomkinson, responsible for incident management and business continuity at the Olympic Park for London Organising Committee of the Olympic Games and Paralympic Games (LOCOG), says he believes his children and grandchildren will be using the venues for sport. And the legacy stretches to housing, crime and employment, he says, adding: “I don’t know anywhere else where the village has been converted into a mix of social housing, council housing and very highest level private housing. And all of that has been sold so the legacy has kicked off before the athletes have moved in. There will be a life-changing regeneration that the Olympics bring and over 300 qualified apprentices who now have jobs.” www.rmprofessional.com | June 2012 | Risk Management Professional | Transport An issue that Jennings says “has always been a concern”. He tells Risk Management Professional: “There were concerns ahead of Sydney over whether their airport would have the capacity. In Athens they were concerned about the trains. And Atlanta is a classic example of where transport really derailed things. “One can never tell quite how apocryphal the stories are but apparently there were bus drivers getting lost on the way to venues and athletes turning up late for events. It became known as ‘the glitch games’.” Keith Tilley, an expert in business continuity and disaster recovery services from SunGard Availability Services, says forward looking businesses should ensure that staff can work remotely during any disruptions. He says: “Businesses need to understand the importance of investing in business resilience and a comprehensive continuity plan.” Tomkinson says that “the transport services in London are ready” for the challenge of coping with a huge influx of visitors, adding: “The travel advice for business has had hundreds of thousands of downloads”. Mundy says the Ricoh Arena has had “unique” challenges in its position away from the city centre. He says: “Typically around 80 to 85 per cent of people travel here by car to our 2,000 on-site and 5,000 off-site parking spaces. The change for the Olympics is that we’re not allowed to use the former as the stadium has to be ‘clean’. We lose those spaces. So the Olympic Delivery Authority (ODA) is laying on free bus services during Games time for ticket holders and staff in a big push to get people to change their attitudes.” Security Tomkinson says it is “absolutely fundamental to provide a safe and secure Games”. He adds: “We have a security posture and an execution plan that meets the requirements to mitigate those risks that we have been informed of by intelligence.” Jennings agrees that security is “one of the most prominent issues”. He says: “The standard budget for securing the Olympics is now in excess of one billion pounds. This is an incredible cost. The risks of terrorism at the Olympics are not that different to the underlying risks that London faces on a day-to-day basis but the Olympics offer a symbolic platform for various groups who want to make a statement.” Political Jennings says the IOC attempts to defuse domestic disagreements by getting the main political parties in host countries to sign an agreement to support the event. But he concedes that international politics bring even greater risks. He says: “At the Moscow Olympics you had a US boycott because of the Soviet invasion of Afghanistan. If there is an outbreak of military intervention in the world by any major world powers, it will always create tension before the Olympics.” At a more local level, Mundy says that the Games has helped develop “excellent lines of communication and great networks” with people in the local council. He says: “We have been reporting twice every month to the council and they have been really supportive, helping us to tackle different issues that crop up. And it’s been fantastic to build a relationship for future working.” | Risk Management Professional | June 2012 | www.rmprofessional.com | 15 sponsored feature OlYMPICs Resilience - the real lasting legacy of The Games? In the wake of the Diamond Jubilee, the Olympic Games will focus the world’s attention on the UK, giving firms numerous challenges to overcome if they are to continue business as usual. Keith Tilley argues that businesses that use the Olympics as a catalyst to improve their resilience, not only for the duration of the Games but into the long-term, will come out winning. R esearch¹ commissioned by SunGard Availability Services shows that British businesses are taking this message on board to varying degrees. More than half of those that have taken steps to mitigate Olympics-related disruption believe that adopting these practices longer-term will make their businesses more efficient. Almost half say it will make them more resilient, over a third more competitive and one fifth a better place to work, while almost a fifth believe it will give them greater operating capacity. Almost two-thirds have made plans to reduce the disruptive effects – although only around a quarter have tested plans in place and feel ready for the Games. Three in four firms have learnt from bitter experience of previous business interruptions and intend to assess their business continuity plans before the Games, while just over half will evaluate the effectiveness of their plans afterwards. This appraisal process should naturally result in more effective organisational resilience and availability strategies. Increased threats With an extra one million visitors a day expected to use the tube network on the busiest days and widespread road closures throughout central London and around other Olympic venues, organisers are urging businesses in the affected areas to plan for the inevitable transport chaos. 16 | The ripple effect is likely to be felt across the UK with businesses outside London potentially affected by transport disruption, infrastructure strains, skeleton staffing, interrupted supply chains, protests and denial of access (or exit). The Games, which will be televised worldwide, present a golden opportunity for any terrorist group or lone wolf determined to stage a high profile terror spectacular. As anyone old enough to remember the horrors of the 1972 Munich Olympics will attest, this is not sensationalist scaremongering but a very real threat taken seriously by the Games’ organisers who have doubled the original security budget. For all these reasons, it is perhaps unsurprising that firms may view this year’s events as a major headache rather than cause for celebration. Differing priorities As might be expected, the SunGard-sponsored research revealed that organisational www.rmprofessional.com | June 2012 | Risk Management Professional | priorities differ according to each director’s area of functional responsibility. For instance, almost half of HR directors have focused on developing special flexible working policies to operate throughout the period and plan to introduce flexible working, shorter hours and remote working. These concessions are most likely to apply to those who are not in a customer-facing or location-specific role. IT directors, on the other hand, are relying on technology to see them through. More than half are increasing investment in technologies to help them counteract the worst effects of disruption. This includes infrastructure upgrades to allow employees to access documents from home and introducing tablet and smartphone devices. Over half of operations directors have already adapted their delivery schedule as a result of other major disruptions in the past two years. Forty per cent have introduced new systems or technology to enable them to manage supply chains in a more flexible way and almost a third have collaborated with other retailers and logistics providers to share loads and delivery slots. They are relatively well prepared for the likely disruption with 70 per cent having made contingency arrangements with suppliers and partners. These include adapting delivery schedules, stockpiling as much as possible beforehand and asking logistics staff not to take leave during the period. Practical plan of action The research showed employers expect only half of their workforce to be active immediately following a major disruption but today’s technological developments mean this need not be the case. So how can firms ensure that it is ‘business as usual’ when the Games return to the UK for the first time in 64 years? SunGard Availability Services has published a ten-step guide to Becoming Games Ready that recommends the following action plan: • Step 1: conduct a risk analysis – identify issues and critical processes at risk, understand staff commuting habits. Use own staff or consultancy to make up lost time • Step 2: evaluate options, solutions and establish workarounds, staff operational procedures and policies with the business; refresh incident management arrangements • Step 3: contract a third party provider if external expertise is needed or you lack the resources to prepare properly yourself • Step 4: source any additional resources: such as extra ports and VDIs and review business interruption insurance • Step 5: implement and test solutions or workarounds; identify any failings and correct them • Step 6: establish alternative suppliers for sundry items such as water, food, office consumables; order surplus to last two months. Test solutions and workarounds to ensure they work in practice • Step 7: communicate policies to staff and benefits to stakeholders • Step 8: implement proactive measures and be in a high state of incident management readiness to react to events • Step 9: stand down from a state of high alert • Step 10: review performance and exploit your new capability to deal with future disruptions The importance of communicating contingency plans effectively (Step 7) should not be underestimated as this is an area either frequently overlooked or done badly. In fact, the SunGard survey flagged a yawning gap between what employers and employees believe. While over half of bosses claimed to have communicated the business’s contingency plans, almost nine out of ten employees said they felt in the dark about Olympic working policies! Another point worth noting for firms drawing up policies relating to staff is that while the Games present great teambuilding opportunities, they also create potential for conflict. It would be wise to include an instruction to tone down overt nationalism in the workplace to minimise the risk of confrontation between colleagues supporting opposing nations. A stick and a carrot The clock is ticking loudly for businesses that have not yet put plans in place to avoid the huge upheaval caused by the Olympics. The fallout from disruption caused or exacerbated by poor or no preparation stands to affect not just operations, but customers, profits and reputation too, which means this is very much a director level concern. What CEO wants an Olympics-related disaster – that with planning could have been avoided – on their hands? This isn’t about creating unnecessary unease – developing, refining and testing business continuity plans can be a lengthy and time consuming process. But it’s a hugely important one; businesses need to see this as a golden opportunity to implement measures that will not just benefit them for two months in 2012 but will serve them for years to come. One thing is certain: having had four years to prepare, if they fail to do so and let customers down, goodwill is likely to be very thin on the ground indeed. Olympics aside, there are other, more compelling arguments for seizing this opportunity to build a resilient business. Business continuity today has evolved from being a reactive response primarily concerned with recovering from a disaster to become an integral part of an enterprise-wide quality management process that ensures the business is always available. In today’s global marketplace firms simply cannot to be ‘offline’ for any reason. If a newspaper misses its print slot, its space on the newsstand will be taken by a competitor publication. Should a supplier fail to deliver supplies to a supermarket’s distribution centre, its shelf space will be filled by rivals’ goods. If a call centre’s phone lines or website are down, consumers will simply buy their insurance, flights or utilities from someone else. In other words, rather than being a begrudging tick-box exercise to remain compliant or as insurance against a disaster scenario that may never occur, the strongest organisations make it a fundamental plank of their strategy to ensure they remain open for business, no matter what. After all, businesses that can demonstrate their ability to withstand potentially show-stopping events such as severe weather, industrial disputes, terror attacks and power or technical outages could find this a considerable advantage when it comes to attracting new business. So while the government hopes the huge cost of staging the Games will be justified by its sporting legacy, the 2012 Olympics may yet leave something even more valuable. By fostering increased understanding among British businesses of the importance of ensuring resilience in the face of disruption, the benefits of the Olympics will last well beyond the closing ceremony. ¹Independently conducted by Vanson Bourne and YouGov in February 2012 Keith Tilley, managing director UK & Ireland, executive vice president Europe, SunGard Availability Services. | Risk Management Professional | June 2012 | www.rmprofessional.com | 17 Fed up with the fight? AVAILABILITY SERVICES MAKE A RECOVERY, NOT WAR If getting the resources you need is a constant battle, we can help. Having completed more than 100,000 recovery tests, we found that some businesses just have a plan, while others continuously test and sync it with the rest of the business. But time and again, resource is the main issue. It’s impossible to test, or recover, without technical support from colleagues outside your department, but they will already be battling with their own priorities. At SunGard Availability Services, we can manage your entire testing and recovery environment, including the process, tasks and the recovery itself. Our experts work side-by-side with you to review and develop your plans and define procedures. Together, we make sure the plan is in line with your production environment from design to testing to change control. And we are ready to perform the test and carry out the recovery for your business 24/7/365. SunGard’s Managed Recovery Programme can help you focus your energy on building your business, rather than fighting over how to get up and running following a disaster. Discover a less stressful route to recovery and request a free consultation by calling 0800 143413 or find out more at www.sungard.co.uk/MRP SunGard and the SunGard logo are trademarks or registered trademarks of SunGard Data Systems Inc. or its subsidiaries in the U.S. and other countries. All other trade names are trademarks or registered trademarks of their respective holders. LEGAL VIEW INDUSTRY FOCUS Risk managers and vicarious liability Risk managers are not ‘vicariously liable’ for the misconduct of others, says law firm RPC, after a recent ruling relating to the UK Financial Services Authority (FSA). T he long awaited Upper Tribunal decision in John Pottage v. the FSA is a reminder from the regulated financial services sector of the test that applies when assessing whether an individual has committed misconduct. We consider what it means for risk managers. Pottage was appointed CEO of UBS’s wealth management business in September 2006, having been with the firm’s wealth management business since 1999. The FSA case The FSA alleged that on becoming CEO, Pottage failed to discharge his responsibility to carry out an adequate ‘initial assessment’ of the governance and risk management framework of the firm, including: the firm’s governance and risk management framework; operational risks; the quality of management information; the practical implications of the global matrix management structure adopted by the business; and the strengths and weaknesses of the individuals who reported to him. The FSA alleged that had Pottage carried out the initial assessment properly “it would have been apparent that there were serious flaws in the design and operational effectiveness of those [governance and risk management] frameworks”. Pottage should, the FSA said, then have instigated a ‘systematic overhaul’ - the kind of steps the FSA thought reasonably required to ensure compliance. The FSA’s complaint was that he should have done such a systematic overhaul earlier. The FSA did accept though that, upon his appointment, Pottage received assurances from certain individuals, including his predecessor, that there were no issues about which he needed to be particularly concerned. But the FSA concluded that Pottage had been “too accepting of the assurances he received...” and believed he: “should have questioned more vigorously the assumption that the frameworks were fit for purpose and that they had been implemented locally.” The tribunal’s decision The tribunal found serious flaws in the firm’s systems and controls but the critical question for the enforcement action for misconduct was whether Pottage personally failed to take reasonable steps (i.e. whether his failure to initiate a systematic overhaul sooner was unreasonable). The tribunal decided that, on the facts of the case, Pottage had not behaved unreasonably. It took the view that two to three months from the start of a role would normally be appropriate for an initial assessment. No matter what the immediate exigencies of the business, those new to risk management of a firm should conduct an initial assessment of (to use the words of the FSA’s expert in the case) “his objectives; his authority; the character and quality of the senior executives on whom he depends; and the nature and condition of the organisation over which he now presides, including the adequacy of its controls”. Importantly, the tribunal noted “that no one [in the firm itself] or indeed the FSA, had suggested, prior to the initiation of the [systematic overhaul], that it was necessary or appropriate to carry out a wider review of systems and controls than had in fact been put in place”. Given the number of those in functions such as audit, risk, legal and compliance in such large organisations, and the informality with which ideas and recommendations can be instigated, directors with risk management responsibility need to address recommendations and state clearly why they are minded to follow them (or not, as the case may be). Is regulatory reform possible? The tribunal’s analysis is unremarkable but important; making clear that the test for personal culpability for misconduct under the FSA’s regime is essentially the same as that for negligence - reasonableness. The case produces no new law but serves as useful confirmation that a director cannot be ‘vicariously liable’ for breaches by a firm unless a causal link establishes personal culpability. Vicarious director liability – at least in the context of failing banks – has been discussed (for example) by Adair Turner, the FSA’s current chairman. If the test was one of vicarious liability for failures committed in parts of the organisation for which one has functional responsibility then Pottage would have been liable. True vicarious liability is appropriate for assessing an entity’s liability to pay compensation but does it really have any role to play when disciplining a human being? What is the point of disciplinary liability in the absence of genuine fault? We hope neither the law nor regulation will be reformed to invoke vicarious liability in misconduct cases. Steven Francis, partner; Robbie Constance, senior associate, RPC | Risk Management Professional | June 2012 | www.rmprofessional.com | 19 INDUSTRY FOCUS Enterprise risk management Age of enterprise Enterprise risk management (ERM) first gained prominence in the wake of the WorldCom and Enron scandals , reaching new heights after the collapse of Lehman Brothers in 2008 and the ensuing fallout. Lynn Strongin Dodds examines its current progress and the ingredients to a successful ERM strategy. D espite ERM’s burgeoning profile and well-documented attributes – it can significantly reduce an organisations’ net risk exposure and act as an effective tool in the decision making process – the strategy is still a hard sell in many corporate circles. One of the main reasons is cultural. “The biggest challenge is getting buy-in from people,” says Alex Hindson FIRM, previous IRM chairman and head of group risk at insurer, Amlin. “This is why implementing an ERM strategy is not just about the processes but also about changing behaviour and attitudes. Understanding the culture is very important because you need to develop an appropriate ERM [strategy] that fits the organisation.” Embedding ERM To gain a better understanding into the dynamics of an organisation’s risk culture, IRM is currently conducting research to determine how companies can effectively embed an ERM strategy. The institute is examining various international organisations as well as their employees and their interaction to identify the best practices. The aim, according to Carolyn Williams MIRM, head of thought leadership at IRM, is to “create awareness within a company about its risk culture and how that can be adapted when developing a risk management framework”. Changing attitudes, though, does not happen overnight, although regulation such as Basel III and Solvency II is focusing the collective minds of the financial 20 | services industry. Both sets of rules place greater emphasis on the quality of a company’s risk management and governance, as well as on the quantitative assessment of risk and capital. As a result, insurance companies and banks are gearing up, but for many other industries there seems to be more talk than action. This is supported by a recent study by Zurich Financial Services Group in collaboration with Harvard Business Review Analytic Services. It found: • that even though global companies have intensified their efforts on ERM over the past four years, many are struggling to build an effective, risk-aware culture • two-thirds of the 1,419 canvassed said that ERM had moved up the agenda • but only one in ten felt that their executive management was “highly effective” in creating a strong risk management environment • just 14 per cent believed that their companies linked risk information to www.rmprofessional.com | June 2012 | Risk Management Professional | strategic decision-making “extremely well”, despite this being identified as “extremely important” Risk reluctance The main barriers included an over emphasis on compliance rather than fundamental processes, lack of strong management support and a reluctance to take a holistic approach. These findings were echoed by a paper published earlier in the year by PriceWaterhouseCoopers (PwC) called Black swans turn grey: the transformation of risk. It showed that many companies did not have a comprehensive risk management programme in place and as a result were being outpaced by an era of catastrophic ‘black swan’ – low probability but high impact – events Like the Zurich and Harvard studies, the PwC report advocated a new, more flexible and holistic approach to risk management where the focus was much more on a company’s risk appetite. It also INDUSTRY FOCUS recommended that there needed to be a clearer ownership of risks at leadership levels, with risk awareness and accountability shared across the organisation through a common risk culture. This can provide a company with a competitive edge and there is also growing evidence that businesses seen to truly embed a riskaware culture are valued more highly by the markets. Although organisations have different approaches, there are common frameworks that can be applied across the spectrum. The starting point, according to Mike Wilkinson, an insurance management consultant at Towers Watson and IRM affiliate, is to understand the objectives, quantify the risk appetite, break down the silos, communicate and engage people throughout the organisation. “The cultural aspect comes from the top managers. They need to make sure people understand the value proposition with regard to ERM and why it is important to them. There is also a carrot and stick element in terms of performance measurement and remuneration. Increasingly, especially in banks, rewards are being aligned to risks and how they are managed. I expect to see this approach adopted more in other industries.” Tone from the top The most important factor is that the chief executive and board take responsibility and become the main key drivers of the ERM strategy. Companies may be hiring more chief risk officers but their role is to work in tandem with the CEO and not be the sole driver of ERM in an organisation. They should be advising and assisting, providing regular communication and tools to help manage and integrate risk awareness into the company’s strategic planning. But the ultimate responsibility for moving the strategy forward lies with a company’s top echelon. James Portelli FIRM, group commercial director at Lifecare International, notes: “The CEO can either be the greatest “ERM fails when companies don’t see the link to corporate objectives. In a carrot and stick scenario, ERM is still viewed in relation to the stick rather than the carrot of profit maximisation” champion or the greatest challenge. In the Middle East, for example, the constant challenge is the lack of regulation and enforcement. There is a certain opacity and lack of dissemination of industry information. “However, in general ERM fails because companies are not seeing a direct link between risk management and achievement of corporate objectives. In a carrot and stick scenario, ERM is still viewed in relation to the stick or its avoidance rather than the carrot of profit maximisation.” Hindson agrees, adding, “ERM is not a hygiene factor but a business process that ultimately belongs to the chief executive who sets the tone as to how risk will be managed and the level of discipline to be applied. Senior managers need to be involved to support and help deliver this vision.” For example, at Amlin employees report their risk events and near misses on a regular basis to their line managers in order for them as well as the company to learn from their mistakes. Hindson adds: “We have also put in place a top down culture of accountability and have made it clear who owns which areas of risk. “The theory is that if you are responsible [enough] to run a business then you can be in charge of risk management. It is a constant and consistent process that looks at the risks that can hurt the business and whether we have done enough to mitigate them.” Richard Archer MIRM, risk development lead of BT and former ERM manager at the Wellcome Trust, also believes that a successful ERM strategy comes from the senior managers. If these managers are using risk infor- mation in their management and decision making, staff will be motivated to engage with risk management. If they are seen not to value risk management, people will not be motivated in the same way. At the trust, risk management is overseen by the board and also the executive board, with additional senior management focus through the risk committee. The corporate risk register has clear top-level support and this is explicitly stated by the most senior staff at large staff meetings. Demonstrating value Care is also taken to ensure that the value of all data generated out-weighs the effort of producing it. For example, after a debate in 2010 the trust switched from ranking inherent/residual to residual/ target, so that more emphasis could be placed on ensuring sufficient actions were being carried out. “Risk managers should challenge themselves as to why they collect all the information they do,” says Archer. “The question is not just: ‘Is the information used?’ but “Is collecting the information worth the effort and might this effort be focused better elsewhere?” IRM’s Williams adds, “On paper you can have all the processes, reporting lines and documentation in place, but if people are not going to do what you hope they will then implementing ERM will be a big issue. “Every organisation has their own culture and that reflects the people in it.” Lynn Strongin Dodds, freelance writer | Risk Management Professional | June 2012 | www.rmprofessional.com | 21 INDUSTRY FOCUS police service Thin blue line Against a backdrop of low morale, swingeing cuts and the aftermath of the riots, risk professionals in the police service have to make split-second decisions on a range of threats as an ever-thinner blue line attempts to keep confidence and public order. Hollie Clemence investigates. M anaging risk in the police service can be a matter of life or death. Police officers face significant dangers as part of their job, which could be anything from averting a terror threat to protecting a child from harm. While this might seem very different to managing risk at a corporate level, the guiding principles still apply. One challenge for police service risk managers in recent years has been to embed risk-based decision-making at every level across UK forces – whether it is a senior manager faced with dwindling finances or a bobby on the beat faced with a knife-wielding offender. With more than 40 police forces across England and Wales, each with their own systems and practices, the Association of Chief Police Officers (ACPO) recognised the need for a national decision-making model to harmonise systems and practices, which was introduced last year. the new model across the service. He says it has helped to “demystify risk management to the degree that it was openly and knowledgeably discussed at all levels of meetings”. The model encourages officers to: gather information, assess risk, develop strategy, consider powers and policy, identify options, take action and review what happened. “Its main intention was to provide a tool for frontline officers to make riskbased decisions without having to refer to copious notes and doctrines when time was of a premium,” says Burton. Demystifying risk This decision-making model was designed to help officers make risk-based decisions while reducing bureaucracy and risk aversion – seen as a tool to help build “confidence of communities and use of discretion and professional judgement” – something the Home Office has said it is keen to see return to a frontline once viewed as unwilling to depart from strict policy and procedure for fear of getting into trouble. . Tim Burton, who was the risk manager for Devon & Cornwall Police from 2006 to 2011 and is now the force’s benefits realisation manager, worked with then chief constable Brian Moore to introduce Split-second decisions And according to Inspector Pete Chisholm, a response and risk manager at Northamptonshire Police, it seems to be doing the job. “It is the dynamic nature of policing that makes our risk management unique,” says Insp Chisholm. “Sometimes because of the nature of the job you have to make a split-second decision but that decision has to be the right one and have a desired outcome. This, however, is greatly assisted by the national decision-making model, which is an excellent tool for decisionmaking and risk management.” Insp Chisholm says the list of scenarios he has to prepare for as a risk manager 22 | www.rmprofessional.com | June 2012 | Risk Management Professional | is “endless”. “These could be major incidents, such as a large scale road traffic collision on the M1, raves, firearms incidents, hostage situations, public order incidents, high risk domestic abuse and high risk missing persons,” he explains. For Insp Chisholm part of the challenge is making sure his team’s decisions satisfy all parties involved, which includes the public, his officers, the organisation and himself. Although he adds: “On occasions one of those parties will not be happy with a decision that you have made.” Slow-time scrutiny This means ensuring his risk management processes, which might be used to make a instant decision, stand up to any future slow-time scrutiny from more senior officers and external critics such as the media. The media spotlight is nearly always shining on the police service. With every news story there are risk-based decisions to be made and one of the biggest issues to affect policing in recent years is budget cuts. Since the coalition government came to power and announced that it would have to cut police funding by up to 20 per cent over four years, police forces have had to scale back on services and spending without being seen to less effectively assess and manage risk. INDUSTRY FOCUS “Policing’s dynamic nature makes our risk management unique. You have to make the right split-second decision” Outsourcing risk With budgets tightening, some forces are looking to outsource more of their functions. Last month, it was revealed that West Midlands and Surrey Police invited private firms to bid for a £1.5 billion contract to investigate crimes, patrol neighbourhoods and detain suspects. As more services are contracted out, forces will be expected to handle relationships with external companies and the associated reputational risks that go with them. Justin Partridge, a former senior manager at Lincolnshire Police who has led on planning and risk for the force, says the “interconnectedness of service delivery in the modern public sector” poses a risk in itself. For example, an issue that affects a contracted private security firm could easily become a risk for the police service that outsources a contract to them. And it is not just partners in the private sector. “Where charities and voluntary groups undertake work in conjunction with the police, the risk is increased, and the control over that risk is often reduced, or forgotten about entirely,” says Partridge. He points out that many police community support officer (PCSO) posts are funded by councils, adding: “The risk is that a decision taken outside the police force might have huge impact on the delivery of services by that force.” an officer to go undercover if information on the web reveals their identity. Morale – or the lack of it - is another issue that could pose a risk to the service’s reputation and to public confidence. Police officers and civilian staff face drastic changes to their pay and conditions, which the Police Federation of England and Wales and staff unions have labelled unfair. “This a very real HR risk,” says Burton, “especially if disgruntled employees seek to undermine the organisation’s reputation in some way as a ‘parting shot’.” Last year’s August riots will also have impacted on reputation. Each force involved will have planned for any future riots but, as Burton points out, the scale of events took people by surprise at the time. The reputational risk would have been taken into consideration alongside injury and public safety risks. Similarly, the Leveson Inquiry – an examination of media regulation and the relationship between the police and the British press - will have implications. “The greatest area of risk to forces will be as a result of dirty washing being aired in public therefore damaging public confidence in policing,” says Burton. Operational threat Partridge says another effect on risk management in policing is technology: “Social media is removing the barriers to wide communication between the public and the police, which is a good thing, but there are some downsides.” While advances in technology can help police catch criminals, it also risks leading criminals back to undercover police. Partridge says it won’t be long before a criminal could check a photograph of an associate against the memory of the internet. This would make it much harder for Double-edged sword So what of the future for risk managers in the police service? Different forces treat the role in different ways, with some having one dedicated risk manager, some larger force’s having dedicated teams and others integrating the job into wider roles. Burton highlights the double-edged sword of a risk manager’s success. The more effectively risk becomes embedded in decision-making at every level, the less need there appears to be for a defined ‘risk manager’ role. “Over the years, chief officers have become far more appreciative of their responsibilities for managing risks,” says Burton. In these situations, risk managers have worked hard as consultants and advisors, he says. Where risk managers have been primarily involved in another key discipline such as insurance or health and safety they have been able to retain their positions and influence. But Burton notes that in forces where they were employed as enterprise risk managers, their position has become more difficult as senior officers grow in the knowledge of risk management. Significant unknowns Despite this, Burton says police risk management is in a “healthy state” but believes the biggest risk to policing could arrive in the shape of incoming police and crime commissioners. On 15 November this year the public across England and Wales will elect a commissioner who will be accountable for how crime is tackled in their force area. “Until the elections are concluded we do not know who these powerful individuals will be,” says Burton. “Without that knowledge, control measures, such as the relevant protocol and strategic policing priorities, may be of only limited value. The unknowns, and therefore the impacts, could be significant for some forces, and that could be why we continue to see high profile chief officers stating their intention to retire before the elections in November.” With the public and organisations reliant on the police service to ensure we can operate as individuals and businesses, getting the balance right on all the above risks has never been more important. Hollie Clemence, freelance writer | Risk Management Professional | June 2012 | www.rmprofessional.com | 23 INDUSTRY FOCUS Women on boards All trousers, no skirts? Is the lack of female representation on your board making your organisation take a dangerous approach to risk? Tom Bovingdon explores whether women really make firms less risky and more profitable W hen Fred Goodwin, former head of the Royal Bank of Scotland, had his knighthood shredded many believed it was – in addition to the public vilification of bankers as the economic system collapsed – punishment for what was typically viewed as a macho, aggressive attitude towards risk and governance. Many commentators were quick to claim that the financial crisis could have been averted if more boardrooms – especially those of the banks – had more female representation. But is there any truth to these claims? What do women bring to boards that men cannot? Should there be quotas imposed and if not, how else will women finally get a fair chance? Feminine persuasion In a Deloitte report published at the end of 2011, Women in the boardroom: a global perspective, the authors referenced “extensive” research that suggested a “correlation between the financial bottom line and the proportion of women on boards or in senior management”. And according to a series of reports by Lord Davies of Abersoch, a former banker and civil servant asked by the UK coalition government to review the state of women on boards, “female directors exercise strong oversight [and] can have a ‘positive, value-relevant impact’ on the company”, while also finding that a gender-balanced board is “more likely to pay attention to managing and controlling risk”. His most recent report, published in March, stated: “There is a negative association between female directors and 24 | insolvency risk – gender balance reduces risk. This negative correlation appears to hold good, irrespective of size, sector and ownership, for established companies as well as newly incorporated companies.” Claire Braund, director of Australian empowerment network Women on Boards, says a 2006 report, Critical mass on corporate boards: why three or more women enhance governance, showed that “a critical mass of three or more women can cause a fundamental change in the boardroom and enhance corporate governance across the organisation”. www.rmprofessional.com | June 2012 | Risk Management Professional | Quota question If you accept the basic assumption that women have a positive effect on boardrooms – disregarding the philosophical dilemma of whether a different gender approach to risk would necessarily influence a board - the challenge is to ensure women are given a place at the table. So, could quotas be the answer? In 2006, Norway implemented a quota that 40 per cent of public limited firms’ boards must be made up by the underrepresented gender. Germany is said to be considering quotas. A new law in France has put an onus on listed firms to reserve 40 per cent of seats on the board for women by 2017, while Spain has a similar scheme in place. Viviane Reding, vice-president of the European Commission, announced in March that she wants European boards to be 30 per cent female by 2015 and 40 per cent by 2020. Numerous other countries have set targets. For example, Malaysia is aiming to have women on the boards of 30 per cent of listed companies within the next five years. Braund says Australia was slow to act in putting women on boards “despite this overwhelming body of evidence that having women on boards, in leadership teams and just in the workforce in general is good for business”. She adds: “It took the inclusion of diversity measures in the ASX Corporate Governance Council Principles and Guidelines in 2009 to see any real movement from listed companies in terms of women in the boardroom”. In the year following the new guidelines, 69 ASX200 positions were filled by women, compared with 10 INDUSTRY FOCUS the previous year. Elaine Heyworth, director at Heyworth Risk Consulting, non-executive board director at AIRMIC, non-executive director at Raft Enterprises and a board member at European Professional Women’s Network, says that quotas are “absolutely” the answer to get diversity on boards. She adds: “It will force the pace and that’s a good thing.” However, Heyworth concedes that Norway might have gone too quickly with its 40 per cent target. She says: “I would move from 15, to 20, to 25 [per cent] over a three year period. Without quotas companies will be reluctant to do anything. There is a deep-seated disbelief that women can make a difference.” But Sharon Constançon, chief executive of board evaluation consultancy Genius Methods, warns that quotas are “artificial”. She says: “The situation should be addressed at the nominations committee and head hunter levels to force the net to be cast wider, naturally including more women.” Lord Davies’s initial report decided not to recommend quotas on the basis that he “did not want to see tokenism prevail”, despite finding that it will take over 70 years to achieve gender-balanced boardrooms in the UK at the current rate of change. But he added: “Government must reserve the right to introduce more prescriptive alternatives if the recommended business-led approach does not achieve significant change.” Golden skirts The Norwegian experiment led to boardlevel women being dubbed ‘golden skirts’ - some say because of their success, others because the lack of quality candidates has enabled a minority to cash in. Heyworth is quick to rubbish the idea that quotas would promote ineffectual women. She says: “I absolutely dispute the contention that a quota would bring in a less experienced women onto a “I absolutely dispute the contention that a quota would bring less experienced women onto a board. There are masses of experienced women” board. There are masses of experienced women and just because the board has to get a women doesn’t mean they will be less qualified.” And Deloitte’s report backs up Heyworth’s belief, stating: “The fear that quotas will encourage the appointment of under-qualified or token appointments does not appear to be borne out in those jurisdictions where quotas currently apply”. It added: “Gender balance is likely to benefit the companies that do adopt it. It is increasingly being recognised as a badge of good governance and therefore desirable. Investors should demand it.” When asked if there is a connection between women on boards and profitability, Constançon says the connection makes sense. She adds: “A more diverse board is probably a board of a better governed company where the board brings value to the organisation.” Risky proposition? But in addition to the swathes of research in support of what women bring to the boardroom, a case can be found against the proposition that females will enhance a board’s risk oversight, governance and profitability. A report due out in the next several weeks, Lehman sisters, by Renée Adams and Vanitha Ragunathan, concludes that banks with more female board members were not less risky than other banks during the financial crisis. Adams, a professor of finance at The University of New South Wales, tells Risk Management Professional: “We do not find that banks with more women were less risky. If anything they have higher idiosyncratic volatility. “However, there is little downside to this risk, as banks with more women also performed better during the crisis.” And according to a 2011 research paper by David Matsa and Amalia Miller from Northwestern University and the University of Virginia, respectively, A female style in corporate leadership? Evidence from quotas, women are “more risk averse than men” among the general population but “women in the boardroom are not and may even be more risk loving. In fact, women assign less value than men to security.” Precarious position Whether you accept or reject the contention that women bring a different perspective to risk and the subsequent impact on performance, Braund believes the key issue is to keep the gender diversity discussion from stalling. She says: “There is a sense of some people, including those at the top of companies, starting to disengage from the topic, possibly believing it is being addressed. “ For Heyworth, the key is to ensure men and women start working together, particularly to ensure that people don’t adopt a herd mentality. She says: “Groupthink happens because it’s the same cultural fit around the table. When you bring women into a male board, you get diversity and you break that groupthink element. But if you brought men into an all-female board the same thing would happen. “This stupid idea that ‘Lehman Sisters’ would have been safer than Lehman Brothers is nonsense because what happened was a reflection of the competitive world they were living in. If it was a bunch of women around that table they would have had exactly the same goal in mind. It was cultural, it was competitive. It was the times we were living in.” | Risk Management Professional | June 2012 | www.rmprofessional.com | 25 AREA FOCUS AUSTRALASIA E ach one of the top 20 risk concerns faced by Australasian businesses increased their aggregated risk rating over the past 12 months, according to an annual regional risk survey by insurance broker Aon Benfield. External and operational risks showed the biggest rises, reflecting the view that the operating environment was considerably riskier in 2011 than in 2010. These results are hardly surprising given the volatile chain of events affecting organisations. The high frequency and severity of natural catastrophes in Australia and New Zealand in 2011 – not to mention the wider Asia-Pacific region – tested business resilience. Meanwhile, tightening regulation and continuing economic and financial concerns, both at home and abroad, have demonstrated how quickly the business environment can change. One of the overarching trends is a stronger board level focus on how organisational risks are measured and monitored. “We’re seeing a greater desire by directors to be more involved and to be much more challenging of the organisation’s risk management structures,” says Richard Gossage, partner – risk and capital for PwC in Melbourne. “All in all if you’re in the risk management profession it’s probably a good time to be in Australia.” These external pressures have continued to push companies from all sectors to further embrace risk management and corporate governance. Companies are shifting their risk management focus in several fundamental ways: from internal to external, from operational to strategic, and from bottom-up to top-down, according to Risk in review, a report from PwC which surveyed over 1,000 executives and risk management leaders. Top-down commitment More stringent regulation is also driving a new era of risk in Australasia. This includes stronger liability, environmental and occupational health and safety (OHS) rules. 28 | Risk renaissance Beset by natural disasters, economic uncertainty and with growing compliance pressures, risk has moved up the agenda across all industry sectors in Australasia. Helen Yates reports The introduction of new OHS regulation in January 2012 has seen a renewed focus on workforce-related risks. “All this legislation suddenly has the independent directors saying to top management, ‘I want reassurance we understand our major risks and we’re properly managing them because it’s my house, my reputation and possibly my liberty that’s at stake’,” says Kevin Knight FIRM, chairman of the ISO working group that developed the ISO 31000 risk management standard. “I’ve sat down with one of the boards of one of our big resources companies,” he continues. “It has installations where if things go wrong people don’t tend to get a scratch, they tend to get killed, and that was the attitude of a number of the independent directors. They are seeking very clear reassurance that risk policies are working all the way down and the reports coming back up to them about how risk is being managed has accuracy and rigour to it.” While risk management processes and procedures were already a big part of how business was conducted, with greater buyin from senior management there is now www.rmprofessional.com | June 2012 | Risk Management Professional | the opportunity to institutionalise it. The convergence of various risk disciplines, including corporate governance, compliance, financial risk management and health and safety, and managing them in a more holistic way, can be seen within the broader global move towards ERM. ISO 31000’s introduction provides Australian organisations with guidelines on the design, implementation and maintenance of risk management processes. It is a “logical successor” to the original Australasian risk management standard AS/NZS 4360, according to Knight, and “informs the mandate and commitment of top management on how risk will be managed”. “What we have seen in the last ten years in Australia and New Zealand is when they started to put risk management processes in place they put them in as corporate policies, which means that if you want to get rid of them you actually have to cancel the policies,” he explains. “That means there are processes and procedures built into management systems that the auditors report on. AREA FOCUS Which doesn’t mean it’s at a high level, but at least some of it is there and then if you start to get support from top management it flourishes.” Year of the cat Property damage, business interruption and supply chain disruption affected many businesses as a result of events including widespread flooding in Queensland in January 2011, Cyclone Yasi in early February and the second Christchurch earthquake on 21 February 2011. Further afield, the Japanese earthquake and tsunami of 11 March 2011 and the Thai floods at the end of the year further tested business resilience and supply chains. “[Business continuity] has become fashionable again,” says Knight, “but I can remember when it was really fashionable in Brisbane in 1974 when we had the last big flood and every newsagent and five-and-dime store was selling flood maps, and everyone was very conscious of flooding and where to build. And then time passed by and we all forgot.” However, some lessons had been learnt. Australia’s heavy industries - including oil, gas and coal - proved their resilience in the most recent floods. While there was a sharp drop in exports from the Bowen Basin, Australia’s largest coal reserve, with 50 of the state’s 57 mines affected, most were able to get back up and running in a matter of days. “If you look at the oil and gas industry or the mining industry where the focus is very much around business resilience and continuity of production those businesses were generally pretty advanced anyway,” say PwC’s Gossage. “What we see now is a greater cooperation between public and private sectors and more comprehensive programme driven at state community and business level.” The earlier Queensland floods of 2007 and 2008 held important risk management lessons for the mining sector. As a result, infrastructure had been strengthened and mine operators “After the last big flood everyone was conscious of flooding and where to build. Time passed by and we all forgot” introduced better water management procedures. Working with Australian freight company QR National, dams were constructed, dykes and culverts dug, and storm drains considerably widened. Similarly, following the 2009 bushfires in Victoria, the Bushfires Royal Commission was established to investigate the causes of, preparation for, and responses to the bushfires. “There was a detailed review and the state government has worked closely with industry to put in more comprehensive approach not only in terms of early warning systems and planning, but also in terms of the responses to be deployed for when another event occurs,” says Gossage. Counting the cost For businesses in New Zealand there are the more immediate concerns surrounding safety of buildings and access to affordable insurance. Christchurch has been rocked by thousands of aftershocks since the original 3 September 2010 Darfield earthquake – including the deadly 6.3 tremor in February 2011 and a magnitude 6.0 aftershock in June 2011 – with perception of risk changing dramatically. As a business, Marsh sadly had three employees die in Christchurch. “We’ve therefore gone around the country and become extra vigilant when looking at all of the buildings our staff are in,” says Allan Beverwijk, executive director, Marsh. “It’s made people think a lot more about business continuity and there’s a big focus on health and safety – so there’s a lot more focus from management on ‘are our buildings safe for people’.” Properties are being assessed to establish how earthquake resilient they are, with the ability to withstand future quakes expressed as a percentage of the New Building Standard (NBS). The higher the percentage, the more resilient the building is to ground shaking and the easier it is to secure affordable insurance. Beverwijk adds: “If you’re a major property owner with multiple properties in any city and there is a major nat cat event your deductibles could add up to ten of millions of dollars.” Another factor businesses are grappling with is the business interruption aspect, which is making them look more closely at their office locations. The total closure of many parts of Christchurch’s central business district for such a long time had not been anticipated in business continuity plans. Neither had the depopulation of the city, leading to a drop in customers. Some smaller businesses have struggled to recover or gone out of business as a result. “[Following the February earthquake] the civil authority threw up a cordon around the city and you couldn’t go in, so you actually didn’t know if your building had suffered damage or not,” says Beverwijk. “For some it was six months before people could go back to their property, so there was a huge prevention of access issue, and if the building wasn’t damaged there might only a limited amount of business interruption cover available to them.” The confluence of these major events, ongoing uncertainty on the global economic stage and growing compliance pressures has permanently changed attitudes to risk. This is driving the commitment of top management to more holistically identify and control the risks affecting their organisation, with a mandate to keep one eye on the horizon. “Traditionally risk management focused very much on the here and now,” says Gossage. “There is now a much stronger need to look at risk management over the longer term.” Helen Yates is a freelance journalist | Risk Management Professional | June 2012 | www.rmprofessional.com | 29 analysis ISO 31000 The quarterly question: is ISO 31000 fit for purpose? Many risk professionals are citing the International Standard Organisation’s (ISO) 31000:2009 as the risk management standard, but some believe it never was fit for purpose. Why has the standard got so many supporters and detractors, how was it put together, and what does the future hold? I n order to explore this in more detail, we’ve invited two heavyweights in the world of risk. In one corner we have John Adams FIRM, emeritus professor at University College London, UK, who blogs regularly about risk. His contribution below is a condensed version of his website (john-adams.co.uk) essay entitled “ISO 31000: Dr Rorschach meets Humpty Dumpty”. In the other corner we have Grant Purdy, an associate director at Australiabased Broadleaf Capital International, and a 35-year risk management veteran. Grant represented Australia on the group that wrote the international standard and has chaired the committee in Australia that wrote the AS/NZS 4360 standards and associated guidelines. Let’s hear what they have to say: “applicable to all organisations, regardless of type, size, activities and location, and should apply to all types of risk”. But having read it several times I still don’t know what it expects of me. And here’s why: it repeatedly tells me to do what is “appropriate”, with 34 references to do the “appropriate” thing – such as “allocate appropriate resources for risk management” – in 26 pages. What is appropriate? Those deploying the word appear to assume that all readers will share its meaning. But Complex, confusing and clannish, says John Adams I’m sure others, as I do, frequently reach the end of risk management guidance without a clue as to what it expects the risk manager to actually do. That is my problem with ISO 31000 – Risk management – principles and guidelines. Published in 2009 it aspires to global leadership, if not domination, of the risk management industry. Kevin Knight, leader of the group that produced the document, claims the guide is comprehensive and global, and is 30 | www.rmprofessional.com | June 2012 | Risk Management Professional | anyone plugged into discussions about risk’s disparate cultural perceptions will appreciate that this is a facile assumption. These “appropriates” are Rorschach inkblots – the ambiguous stimuli typically shown to patients by therapists. While psychologists may battle to reach a consensus on the interpretation of the variety of meanings assigned to inkblots, it is clear that different people project very different meanings onto ambiguous stimuli. And “appropriate” is just one of many INDUSTRY FOCUS ISO 31000 inkblots, sitting alongside numerous “effectives”, “culture/ culturals”, “relevants”, “comprehensives”, “acceptables” and “tolerables”. If I take the total number of these words and divide them by the page count, ISO 31000 gets an inkblot average of 4.03 per page. It’s a fun way of quantifying the sense of vague dissatisfaction generated by so much current risk management literature. One word that is definitely not an inkblot is “risk”, defined by ISO as “the effect of uncertainty on objectives – positive and/or negative”. Section two contains 29 terms and definitions elaborating the meaning of “risk”, supplemented by 44 explanatory notes and further definitions. But this is deemed insufficient. To be absolutely confident that one is on the ISO 31000 wavelength one must also master Risk management – vocabulary (ISO Guide 73:2009), a 15-page dictionary further elaborating the ISO 31000 terms and conditions. Like Humpty Dumpty, when ISO uses a word it is determined that it should mean just what it chooses it to mean — neither more nor less. This ISO definition of risk is described as “pivotal” by Knight. Certainly it is the pivot around which its authors believe all discussion of risk management should rotate. But they have a couple of problems. First, their definition is shared by no standard dictionary. The rest of the world understands “risk” as something negative – a threat, hazard, loss or injury. Dictionaries have the merit of defining words as most people use them. With its idiosyncratic definition ISO appears to aspire to establish itself as a priestly caste with a private vocabulary inaccessible to the vulgar horde. It is claimed on networking sites such as LinkedIn that ISO’s approach has been adopted by several thousand “experts”. Possibly. But they are vastly outnumbered by hundreds of millions of other lay and expert risk managers who share the standards that are free, and communicate in the language of the standard dictionaries, the unique approach and language of the ISO “new standard” appear unlikely catch on. dictionary meaning – who understand risk to be something negative Second, a major part of a risk manager’s job involves communication with non-experts. Not only is the ISO “risk” definition unlikely to appear in the dictionaries that most of the nonexperts are likely to consult, but it can only be found in ISO 31000 and the supplementary vocabulary guide, together currently costing over £200 – a rather expensive textbook for would-be students. In attempting to assert its mastery over the word “risk” - a word requiring an expensive dictionary before those deploying it can be confident that they know what they mean by it - the ISO experts face can expect to be frustrated by the blank incomprehension of those whose access to their private language is blocked by this daunting paywall. Purdy has described ISO 31000 as “a new globally accepted standard for risk management”. Accepted by whom? Most people interested in risk management have never been asked about it, never read it, and probably never heard of it. The academic world is comprehensively ignorant of it because it can be found in no libraries. I have only been able to join this discussion because a friend sent me bootleg copies. In a world where the vast majority use Never perfect, but inclusionary, practical and widely accepted, says Grant Purdy Organisations and their stakeholders are increasingly using published standards to draw conclusions on whether they are being properly run. They provide the basis for benchmarking, give specific and prescriptive technical specifications and methods, and provide general and generic guidance. ISO 31000 falls into the last of those categories, but is sometimes confused with standards in the first two. Standards are created because society wishes to treat risk, but standards bring their own risks. Notwithstanding the standardisation of standards and the fact they are periodically reviewed and revised, standards may not always reflect the ‘best available’ practices and leading thinking; sometimes because nominated representatives are restricted in what they can say, not expert at all, or because their views no longer reflect current needs. Standards can be biased, have compromises, or have their clarity and precision clouded by ensuring words are translatable into other languages. The language of a standard and the terms it uses can be ambiguous because it has to accommodate many points of view, interpretations and beliefs. It would be naïve to think that ISO 31000 is immune from the above. But having worked on other national standards, like that from Australian and New Zealand (AS/NZS 4360:2004), developed and improved over 15 years and two revisions, ISO 31000 is based on the ways that many thousands of international organisations have managed risk over a long time period. Thousands of people had their say during the public consultation, and it was voted for by 23 | Risk Management Professional | June 2012 | www.rmprofessional.com | 31 analysis ISO 31000 of 26 nations, with Germany and Uruguay abstaining and Italy voting against. ISO 31000 cannot be ‘perfect’. Compromises to accommodate different points of view and interests inevitably led to some ‘fudging’ and the introduction of some unnecessary complexity. While the standard is a remarkably good and succinct set of guidelines, further simplification would enable it to be even more realistic and pertinent for those who need to make decisions and manage risk. But to paraphrase Winston Churchill, the current approach to standards-making is the worst way of doing it except all the others that have been tried. Next year a formal review of ISO 31000 will give us an opportunity to improve the basic standard, but I know from recent experience that vested interests and commercially motivated stances have increased significantly over the last three years and that therefore any revision is going to be subjected to many pressures. Generally there seems to be a strong motivation to add rather than reduce complexity in risk management. Often this seems to be by adopting and endorsing various three-letter acronyms (GRC, ERM, BCM, SRM etc) or by creating a new ‘risk-something’ term to describe some 32 | property, action or outcome that was previously not considered important. While it would be nice if all standards were free, I think the idea is unrealistic. After all, in the UK you even have to pay for copies of statutes! I’m less concerned about academics than I am about managers and decision makers - the primary audience. Given the benefits that come from effective risk management, I would have thought that the sum involved was a pretty good investment and hardly a barrier. Changes in definitions inevitably offend some practitioners with different views and long histories of propounding other theories or approaches. The definition of “risk”, in particular, has polarised views of the standard. But I’m not sure why a dictionary definition of a concept as complex as “risk” is to be preferred over that produced by many people who have been thinking about this and working on it for years, and which has been tested out on many more of those who actually have to manage it daily. The ways that words are defined in dictionaries probably does not involve as many stakeholders as are involved in standards making and while dictionaries tend to look backwards, its is the purpose of standards to set future norms and to change the ways that people think and act. Whether they accept the definition of risk in ISO 31000 or not, most people agree that to make good decisions they need to have reliable answers to four questions: • what are we trying to achieve? • who should be involved? • what creates uncertainty and how significant is it? • what can we do to ensure success? These are, of course, the elements of ISO 31000 that concern the process for risk management and the framework that ensures that the process becomes integrated with an organisation’s system www.rmprofessional.com | June 2012 | Risk Management Professional | ISO favoured in standards survey Three times as many risk professionals prefer the ISO 31000 risk management standard to the COSO ERM Framework, according to an online survey carried out by a Fellow of IRM. The survey (not associated with IRM) of 180 risk practioners, carried out on networking site LinkedIn by Norman Marks FIRM, found that 52 per cent of respondents prefer ISO to COSO, with 14 per cent opting for COSO, 25 per cent saying they have no preference as both can be used effectively, and the remainder (eight per cent) saying both are ineffective. Seventy-five per cent of those surveyed said they had read both documents, with 12 per cent saying they have only read COSO, seven per cent saying they have only read ISO, and the remainder (six per cent) unfamiliar with either. Respondents who favoured COSO praised its comprehensiveness, longevity, better discussion of risk appetite, “strong” focus on corporate governance and linkage to strategies and objectives. ISO advocates complimented its user-friendliness, flexibility, top-down approach to risk management and that it represented “the collective wisdom of global risk leaders”. Marks admits that the results are “meaningful but not authorative”, while adding that those ambivalent about both documents said that there is little evidence that either actually works. Others suggested that the two should be combined. He concluded that all risk practitioners should read both sets of guidance. of management. While not all practitioners agree with the definition of risk given in the standard, this is being understood and appreciated by managers who have to employ the risk management process to help them make better decisions. The core process for managing risk and the need for a framework that achieves its integration into a system of management are widely accepted. roundtable Information risk information Sponsored by Information risk management a roundtable discussion Tuesday 1 May 2012 CHAIRMAN PANEL Steven Furnell Professor of information systems security, Plymouth University Dave Canham MIRM UK IT risk manager, Aviva Harvey Seale CIRM, Group information risk manager, Nuffield Health Peter Allan Information technology security professional Simon Clarke Risk analyst for a major London market insurer Ramzi Musallam, Information risk management consultant, BUPA Ben Beeson Partner - global technology and privacy practice, Lockton Tim James SIRM, Head of risk management, Health Protection Agency Becky Pinkard, Security manager for a global company *All comments are those of the delegates and not their organisations Cyber-crime is not a fictional concept; it is a very real problem. Last year the cost of global cybercrime was estimated to be USD388bn, with an individual falling victim to a form of online crime every 19 seconds. In today’s multi-channel, mobile and inter-connected world, every element of society is increasingly at risk as more and more sensitive data is stored on a computer system somewhere in the world. The risks are constantly evolving as technology develops and they are 34 | likely to become more acute as new generations of smartphones effectively become mobile wallets, placing increasing volumes of personal and financial data at risk. Data privacy is, and will continue to be, the biggest emerging risk for businesses in the 21st century. Insurance can provide essential financial assistance and access to highly experienced legal, IT forensic and crisis PR advice – which can help companies preserve reputation and get back to trading as rapidly as possible. www.rmprofessional.com | June 2012 | Risk Management Professional | Cyber risk investigator for a financial institution (anonymity requested) The big questions: • what are the key threats? • how can organisations become more resilient? • should IT risk management be a component of governance? • are data breaches inevitable? • what can insurance offer? • what dangers do personal devices pose? • how should you respond to a breach? information risk roundtable INDUSTRY FOCUS Sponsored by Steven Furnell, professor of information systems security at Plymouth University, kicked off the debate at Tower 42, London, UK, by asking: “What are the main threats facing today’s organisations?” Cyber risk investigator: It’s important to consider aspects outside of cyber crime such as social engineering, particularly within financial services. Criminals and fraudsters always try to stay one step ahead, it’s easy to admire their ingenuity. One of the biggest threats is not being fully aware of the threat itself. I am surprised by the high number of people and consumers who still give away confidential information to people without understanding the risk. Criminals spend months building up profiles. It’s not an overnight phenomenon. And yet we give personal information such as dates of birth away. user education. People are so used to sharing information on social networks that when they come to work there is a blurring of work and personal information. There is a lack of clarity from regulators about what they expect and a lack of clarity in companies’ policies. It’s a real challenge for organisations to get the balance right between providing access to data and educating people to follow the right policies and procedures. Furnell: Do we believe that the balance is right at the moment? Are organisations putting the security and countermeasures in the areas where they are most under threat. Or is there a lack of focus on education compared to technical controls? Beeson: In the US there’s no doubt that this is seen as an important risk driven by legislation and regulation, not least the requirement to notify following a data breach. The potential financial damage has got people very interested in this. And then you get the US Securities and Exchange Commission saying that if you are a public company and you file, you have to list your cyber risks now. So investors are going to start asking questions. What Viviane Reding [vice-president of the European Commission] is proposing will get Europe to the same place eventually. I wonder if we in Europe view this as a risk beyond the IT department, in the same way it is viewed in the US. Musallam: That is one of my main concerns. When it comes to IT risk the risk management department isn’t always involved. But for an organisation to have effective risk management it must embrace risk in all its forms, otherwise it’s not identified and addressed. Canham: I chair IRM’s risk in information systems and e-business special interest group (SIG) and when we’ve looked down the supply chains of organisations, it’s about understanding where the data is, especially when there is outsourcing. It’s something we need to get a handle on. Then there’s how people culturally treat data and what they post on Twitter and Facebook. There’s a lot of talk about cyber crime but these are the nuts and bolts. Musallam: The other big challenge is the regulatory environment and new legislation such as the draft EU data protection directive that came out in January 2012 with a number of potential challenges. The other issue is | Risk Management Professional | June 2012 | www.rmprofessional.com | 35 roundtable information risk Sponsored by Canham: We need to get away from the idea that this is an IT problem, or a fraud department problem. This is a business issue. We’ve got some way to go on that. Pinkard: I’ve been doing this for 15 years and global companies are struggling with perception versus reality. Companies are still retro-fitting security across the organisation. They might achieve great coverage across a piece of the organisation but the depth of security is something we’re still struggling with. We don’t need fancy tools and toys. The security problems that we’re still fighting today are things like patching systems, the principle of least privilege, just controlling simple things across global, complex organisations. Allan: I agree. There are basic observations from the 1970s that people haven’t learned from. As for how good people’s security systems are, my perception has always been that people are over-confident. I’ve spoken to countless people who will say: “Oh, my systems are pretty good. You won’t find anything here.” Unless you have some regular scrutiny over entire estate, you can bet that there is loads of stuff that has gone wrong. James: There is a question about the dis-benefits. You can put lots of controls in place, encrypt data, but the more tools and security you put “There are basic observations from the 1970s that people haven’t learned from” 36 | on, the more layers you have to pass, the end users – who as they get more senior have more access to sensitive material – become more frustrated and therefore adapt their behaviour. The industry needs to think about how to make security more invisible and user friendly for the end user. Furnell: We’ve touched on the importance of having a policy, which is one of the foundations and the fact that in some cases organisations have a patchy approach. The recently published Information security breaches survey 2012’ showed that a something like a mere quarter of organisations thought that they had a good understanding of their firm’s security policy. The policy is usually there, but not always backed up, promoted and understood. So what are the other basics? Cyber risk investigator: It’s all very well introducing new policies, but if the user doesn’t know why they are in place, they may not adhere to it. If they’re told why, or shown results, then they will adhere to the policy. It’s got to make sense. Clark: It’s a cultural thing. In our company the culture is to have clear wordings displaying the fundamental reasons behind policies, to ensure there is that understanding from staff. I’ve worked another company and they were the complete opposite; very wordy, with a lot of legalese, and no one cared or understood. Beeson: We’ve explained to people in our organisation why we have a clear www.rmprofessional.com | June 2012 | Risk Management Professional | desk policy. Now they understand that the Financial Services Authority could walk in tomorrow and fine us, as they did with HSBC, for £3 million. In the insurance industry we’re starting to see some basic standards that you’re going to have to meet if you’re going to be insured. A very simple example is encryption on portable devices. You cannot get insured for a data breach with a portable device now, pretty much. Canham: There’s something to be said for making it real and personable. I was recently auditing an organisation and they had left credit card slips out. I said: “Would you want yours there?” From my point of view this is where IT sometimes falls down. We need to give it the human element. Seale: Policy dissemination is a key thing. When a breach happens, you need to evidence you’re monitoring compliance and that you picked up shortcomings, created action plans and documented the progress of those action plans through your approved governance committees. We recently started running breach simulations on essentially, what would happen if someone, somewhere lost a laptop. Who would they call? What would they do and what mechanism kicks off in the organisation to protect the data? Pinkard: It’s about making user awareness personal. Whether it’s understanding policies or walking them through a scenario, but taking it down to a level so that it’s understandable to them. information risk roundtable INDUSTRY FOCUS Sponsored by treat that. If you look at the Information Commissioner’s Office fine record, it’s not that they are okay with the first breach, rather they understand that you need to learn lessons. It’s the organisations that don’t learn lessons and don’t change systems that get fined. And you can create a reward system as well so that you incentivise people to come forward when they spot things. And culture, good culture, needs to come from the top. James: Some policies run to 90-odd pages. You can tell the person who wrote it enjoyed themselves but no one is going to read it. What are the key messages and the principles that people need to live by in their professional lives? They can be very simple and that’s what organisations need to get across. Furnell: Talking about personalising the message, these are things that could help the professional community in their private lives as well. If they realise this could help them privately to their own benefit, their own conduct will improve. Pinkard: On the technological side there’s a lot of complexity in businesses today because they have carried forward they way that they have always done things. For example, I’ve worked with companies where no one knows how something works and if you were to take it apart, no one would know how to put it back together. A lot of companies need to invest some serious time and effort to go into these situations and understand how they can become more resilient. Allan: I’m aware of a situation where a financial gateway was hacked. It should have been rebuilt and replaced so we could pick over the bones of the old one but we received the same answer you got: “No, you can’t touch that. It’s an important box.” It gets swept under the carpet. Pinkard: I’ve heard of boxes that have been infected for a year, two years plus, but they can’t take them offline. And it’s deemed that the virus is okay to be there and that it can be dealt with. Furnell: To what extent should organisations be regarding a breach as an inevitability? Seale: It’s a case of when. You can have the most robust policies and procedures, the best policy dissemination, but it will happen. It’s how you Canham: There is an inevitability to an attack these days, particularly to a large organisation on the front line, so you need to make sure you do all you can to prevent an attack, but also you can respond in the right way. Pinkard: I think it’s almost become passé for these big companies to be attacked, so that it almost washes over people now. When TJ Maxx happened years ago, they lost millions of credit card numbers but then reported higher-than-ever revenues because after the reporting process people felt safer than ever doing business with them. Beeson: That was a game changer. That was insured, as I understand, and it cost them over $200 million for that breach, and it really woke people up to the data breach risk. Maybe they didn’t lose a lot of customers but they were financially hit, big time. The insurance didn’t go very far, as I understand it. Furnell: So what are the key lessons for firms? What do they need to do or be aware of? Musallam: I think it’s key to demonstrate that you take this seriously. You need to communicate that to authorities, the press, clients and staff. So communication is a key part of the issue. | Risk Management Professional | June 2012 | www.rmprofessional.com | 37 roundtable information risk Sponsored by footprint, to be forgotten. When it comes to the right to be forgotten, forget about it. Furnell: We’d mentioned before the issue of insurance and the increasing uptake of insurance around these breaches, so how can insurers and organisations work together to ensure that firms are better prepared for a data breach incident? Beeson: There is a huge reputational issue. One company took a year to inform people of a data loss. Frankly that’s unforgiveable. We shouldn’t be thinking in terms of financial consequences, we should be thinking in terms of reputational damage. Increasingly, unless you have a plan to respond to a data breach it’s going to be frowned upon. Seale: What people really care about is whether you are taking the protection of their private data seriously. ICO guidance consistently refers to the ‘spirit’ of the data protection act, in essence “If you treat client data like it’s your own personal data, you can’t go far wrong.” Gordon: If you find a breach in some part of your business, the next thing 38 | you need to do is ask whether any other have happened, whether everybody is doing this, and what you are doing about the whole area rather than just the one incident. Pinkard: I’d love to have a crystal ball and look 50 years into the future to see if we have the same perception of privacy as we do now. Will we give the same amount of care and due diligence to things such as credit card numbers and our dates of birth? Because so many people are simply putting it out there. I know there are controls but a lot of young people just don’t care. I wonder if we’ll get to a point where we have a different mindset. At the moment I don’t think it’s possible, with the amount of information out there that makes up your digital www.rmprofessional.com | June 2012 | Risk Management Professional | Beeson: A specialist market has cropped up to write this risk. There is always going to be a residual risk – we can’t stop a data breach from happening. But are organisations happy with that to be on their balance sheet or do they want to get it off their balance sheet? That’s where insurance comes in. But insurers are saying that you really need to have minimum baseline standards for security and in terms of how you contract to third parties. If you do all that then we’ll insure it and take that big hit off the balance sheet. Insurers are helping to drive minimum standards. Furnell: People increasingly have their own smartphones, tablets, laptops etc that they’re using in the work environment. How do we view the risks of the bring-your-own device initiatives? Are organisations managing the risk effectively? Canham: This is my bugbear. People have previously told me that your personal device is no different to having a book. Hang on a second, I wouldn’t want to nick the book, but I would want to steal a personal information risk roundtable INDUSTRY FOCUS Sponsored by device. And what happens if you lose it? Is there a defined process? Is there a requirement to report it to your organisation? I get the productivity benefits, but there are a lot of risks that we are yet to get on top of. Musallam: One big thing is data leakage. You try to build a wall around a network but if staff email documents to their private account, or can copy data to a USB device, then it’s almost useless. Cyber risk investigator: It comes back to regular reviews needing to be done to ensure that your actions are proactive rather than reactive. If you do bring your own device into the work place, it will be subject to some controls and limitations. Again, this goes back to communication. Users must be made aware of a policy at regular intervals. Pinkard: I’d really like to see some statistics around whether or not it’s truly a lower cost by the time we put in the controls, coordinate carrier plans, train folks and choose a mobile device management platform. Is it truly a lower cost? Am I reaping in the thousands and millions? And this needs to be looked at by the executive level. With so much personal and business data together and the integration of devices and aggregation of data, I see in 30 to 40 years that everyone will have their data space in the sky. A person or a family will have a data address, and I’ll have a throwaway device. So instead of this phone that I’m carrying around I’ll have some “When the press hears of a breach, the worst thing is for a firm to be unavailable for comment” device that I could pick up for £10-15. It becomes an access portal to that data. It’s about the data. Allan: Once you allow people to bring their own devices, you have got a larger range of devices, software and carriers. Supposing a company is trying to provide support, this will give them a headache. Once you have multiple products you have multiple sets of bugs. A different set of bugs from each platform makes more bugs in total than any one of those platforms. Are you going to back-up all of these devices, including personal data? Clarke: I’m involved in business continuity as well. If something goes wrong and people can work fluidly from home on their own devices then that’s a real bonus. But as you say there are so many negative associations that need to be weighed up. Furnell: We’ve touched on responding to a breach, but have we got any final thoughts on the crucial steps a company should take after an incident to safeguard their reputation? Beeson: There’s still a big difference between US and UK data. In the US you will get a financial hit but in the EU the legislation is still quite embryonic. They’re talking about a fine of two per cent of your gross income, which apparently won’t be insurable. But we’re not at that stage yet. Canham: We’ve got to be careful that the regulators don’t find out about any breach before we tell them. Clarke: And when the press hears of a breach, the worst thing is for a firm to be unavailable for comment. There has got to be a statement as soon as possible. Chairman’s conclusion A lot of what we discuss now comes down to the human aspect; the attitudes, the perceptions, the behaviours of people in the organisation. Then there’s the increased media interest and the more open attitude to personal data. So there’s an expectation of protection coupled with a populace who don’t seem to do as much as they could to support that security culture. Having a policy isn’t enough – there needs to be a promoted security culture. There will always be an element of residual risk so we need to be prepared for what might happen. That might be insurance, media relations, or maintaining relations with client and customer to protect your reputation. IRM’s Risk in Information Systems and e-Business (RISE) Special Interest Group (SIG) is looking for members to discuss the wider picture around technology risks, business challenges and share thought leadership on emerging risks. For more information about the RISE SIG, visit: http://www.theirm.org/events/ RISE.htm. To contact the SIG’s chairman, email david.canham@aviva.co.uk. | Risk Management Professional | June 2012 | www.rmprofessional.com | 39 irm Professional development forum IRM forum review Three hundred risk professionals gathered to enjoy IRM’s Professional Development Forum on 23-25 April in Manchester, UK. With international speakers, workshops, seminars and networking events at the neo-Gothic Manchester Town Hall and Manchester City FC’s Etihad Stadium, Tom Bovingdon looks back at the highlights of a memorable gathering David Ovenden Economist calls for banking airbags Airbags are needed in the financial system to prevent a repeat of the economic crisis, a leading economist told the forum. Financial Times journalist, blogger and broadcaster Tim Harford called for “big, big airbags for the financial system” instead of clever contracts or adding more complexity. He said: “The real airbag for the financial system is just to force banks to hold much more capital than they do. Extra capital for banks doesn’t cost as much as they [banks] claim it will. It makes that money far more flexible and much more forgiving [when things go wrong].” Harford said the financial crisis was exacerbated by the fact that banking was both complex and “tightly-coupled” - where one thing inevitably leads to NotW had “extraordinary risk culture” Disgraced British tabloid newspaper The News of The World (NotW) had an “incredible culture of actively encouraged controlled risk”, the tabloid’s former marketing director told forum delegates. Ellis Watson, now managing director of newspapers at DC Thomson, said that Rupert Murdoch, owner of News International, succeeded in business “from pretty much nothing to something enormous by encouraging controlled risk in pretty much everything you did”. Watson said: “He empowered people and there was something in the DNA of the organisation that encouraged people to be better, braver, and to try and get there faster and better than the other guy. It was an extraordinary culture to grow up in.” “He [Rupert] was wealthy enough and canny enough to actively encourage ordinary people to try and achieve extraordinary things. “There was a culture where, as long as you weren’t repeating mistakes, it would give the same focus to a failed risk as it would a succeeded risk. There was nothing quite like it on earth.” 40 | another. He said the financial system could avoid this scenario by ensuring safety gates - similar to those used to break domino-toppling records - are in place. But he warned that safety systems can sometimes have unintended consequences. Speaking about credit-default swaps, which were originally viewed and promoted as safety measures, Harford said: “They didn’t make the system safer, they made it more complicated. So although in principle they were safety systems, in fact they were magnifying fundamental risks in the system.” Recycle failures, says futurologist Organisations need to view failures “as plastic bottles that need to be recycled and re-used”, a futurologist and trendspotter told forum delegates. Magnus Lindkvist said that organisations need not be ashamed of failures as it can lead to greater successes. Citing Nintendo as an example, he recalled how their first “failed” arcade game later became Donkey Kong, which gave birth to the character ‘Jump Man’ – later to be called Mario. Lindkvist said: “By recycling one failure they gained two worldwide successes. That’s the problem with many companies today. They have a success culture. They reward success. They celebrate success. Failures become something to be ashamed of or hide in the bookkeeping, or both. He called for organisations to become “DJs of ideas” by recycling the best parts of multiple failures. www.rmprofessional.com | June 2012 | Risk Management Professional | IRM FOCUS Risk register seeks expert editors Risk editors with specialist expertise are being sought by a not-for-profit organisation as they seek to compile an open-source database of international risks. The Global Risk Register (GRR), a not-for-profit enterprise hoping to launch later this year, is looking for volunteers who can assess information for accuracy and impartiality. Anu Devi, founder and program director of the register, told forum delegates that GRR aims to share information on global risks “for the benefit of humanity” by tapping into the online knowledge base. She called for people to contribute by either joining the community, creating a risk committee, becoming a risk editor or simply by spreading the word about GRR. Devi said: “We are creating small risk committees and will then have smaller groups of individuals who will enter the info into a wiki [an open-source dictionary]. We want to establish risk editors who are specialists in their field.” The first three risk focus areas will be cyber security, water security and a yet-to-be-chosen health topic. For more information on GRR visit: https://www.globalriskregister.org. Risk professionals told: prepare for green pig world Organisations need to be prepared for the “unexpected, unpredictable surprises” illustrated by the success of the Angry Birds business empire, a futurologist told delegates at IRM’s forum. The success of the app and subsequent spin-offs show that organisations need to be ready for “a green pig world”, trendspotter Magnus Lindkvist told the crowd of around 300 risk professionals. “Who would have thought that one of the world’s best business ideas in 2012 would be a green pig?”, he said, adding: “This game has been downloaded and paid for nearly 800 million times. “You could say that eight per cent of the world’s population are right now busy flicking angry birds at green pigs. We couldn’t predict that. Imagine if I’d said to you ten years ago that the future, my friend, is about green pigs. “This is what I mean by a green pig world. We live in a world of these positive, unexpected, unpredictable surprises. They can be good or they can be bad. It is a green pig world. They can take companies by surprise.” EU Parliament to establish Brussels-based risk committee An informal committee on risk will be established in the European Parliament on 5 September, a leading risk academic revealed at the forum. Ragnar Löfstedt FIRM, director of King’s College London’s centre for risk management, revealed that he is working to establish an informal committee to ensure that advice coming from Brussels is “evidence-based and science-based”. Expected to be headed by Julie Girling MEP, along with around ten other cross-party MEPs, the committee will also have input from academics and practitioners. A manifesto for the committee is expected to be published in June. Löfstedt also called for British risk professionals to canvass their local MPs and members of the UK House of Lords to ensure risk debate is elevated to a higher level. He said “we need to consider how to engage society in discussion about risk”, adding: “We need to have it discussed in schools and universities. We are not doing that enough.” | Risk Management Professional | June 2012 | www.rmprofessional.com | 41 IRM Professional development forum cultural categories - fatalists, hierachists, individualists and egalitarians – represent a “perfect culture” and that organisations should try and let a blend of cultures all have a voice. “There isn’t one best culture out of the four, they’re all seeing different risks. What you need is for all of them to be voicing their ideas about risk. You should be Call for behavioural focus More needs to be done around the behavioural side of risk management, the head of risk, benefits and value at Transport for London (TfL) told the forum David Hancock said that risk management “is all behavioural” and that more psychologists, socialists and social anthropologists needed to be invited to participate in the risk debate. “The first time round I made the mistake of thinking it was about process, and I thought if you could teach people techniques and quantitative mathematics, teach them how to do probability, then we’ll teach them how to be risk managers. But [now] in my view it’s all behavioural,” he said. During the same question time debate on whether risk managers are an unaffordable luxury in recessionary times, Kelly Maynard, a risk manager at Polygon, called for risk professionals to looking for all four of the voices, including the fatalist, to be heard,”Linsley said. Summarising that individualists would be concerned by profit, hierachists with controls and systems, egalitarians with ethics, and fatalists with a concern of “blind side” risks, Linsley added that “a clash of world views” would often happen when these groups worked together. David Ovenden Good risk cultures “need varied voices”, says academic No “clumsy solutions” exist when seeking the perfect risk culture, a senior lecturer from the University of York said at the forum. Philip Linsley, delivering a seminar on culture, risk and risk management, said that not one of four widely accepted demonstrate their value by being “a little more extrovert”. She added: “We risk managers are in general very good negotiators. So why not use that capability that we have and show our value to the organisation.” Forum news in brief Target: close the business A presentation by the Mines Advisory Group (MAG) concluded that its key corporate objective was to go out of business – as this would demonstrate their success. Rob White, MAG’s director of operations and an IRM affiliate, spoke about the operational risks of clearing mines, how strategic risk is a new concept for their board and the difficulties of striking the right balance between charity and corporate work. Risk culture steps Marsh issued forum delegates with a list of ten steps to ensure their business has a good ERM culture. The steps included targeting new staff at 42 | induction, senior management buy-in and demonstrating the value of risk management. The findings came from a study which found that weak business have little “alignment” with risk culture. Where’s your phone, boss? Half of all executives lose their phone at some point, putting the data contained on it at risk of theft of misuse, Norman Marks FIRM, an evangelist for SAP, told forum delegates. With more and more people using phones and tablets to access the web, and 72 per cent of board members wanting to receive board papers on their iPads, managers must think about www.rmprofessional.com | June 2012 | Risk Management Professional | technology and data risks, Marks said. He added that speed was of the essence because risks do not wait. Outsourcing “baggage” Monika Narula, a risk professional based in India with a financial firm and an IRM diploma student, examined outsourcing risks such as assessing strategic partners and emerging risks with suppliers. Concluding that outsourcing “brings along a baggage of risks with benefits”, Narula stressed the importance of risk managers being more involved in outsourcing decisions. Forum presentations can be found at: http://irmforum.org/. David Ovenden IRM FOCUS Forum chairman’s summary Ghislain Giroux Dufort, president of Baldwin Risk Strategies and forum chairman, praised the “varied and rich concurrent seminar sessions”. He added: “We had delegates coming from over 20 countries and I met many fascinating people, both from the United Kingdom and from abroad.” His full summary of the event can be found at www.baldwinglobal.com or via info@baldwinglobal.com. Our sample survey of forum attendees discovered that: • ninety per cent of respondents would not hesitate in recommending the forum to a colleague • seventy per cent of respondents rated the forum overall as “excellent” or “very good” • our keynote speakers were one of the most highly rated forum elements. One respondent said “Magnus [Lindkvist] was brilliant. It was worth attending for him alone.” David Ovenden View from the forum floor What did some of the 300 international risk professionals have to say about the event? The Institute of Risk Management – Events GLOBAL RISK AWARDS | Risk Management Professional | June 2012 | www.rmprofessional.com | 43 To pre-register your interest in attending, or to discuss sponsorship opportunities, contact us at events@theirm.org or call +44 (0) 20 7709 9808 irm NEWS Zurich and IRM join forces Zurich has joined forces with IRM and entered into an agreement to enrol all 150 of its risk engineers as institute members, reflecting Zurich’s ongoing commitment to professional qualifications and employee personal development. As of April 2012, every Zurich risk engineer will automatically become an IRM member to at least affiliate grade. Mark Matthews, head of Zurich Risk Engineering UK, said, “In order to deliver, Zurich’s risk engineers, consultants and analysts not only require industry experience, but the highest level of on-going technical instruction and training and professional qualifications, and this is what we will provide for them.” Steve Fowler FIRM, IRM’s chief executive, said: “IRM is delighted to bring its worldrenowned risk education programmes and leading-edge thought leadership to Zurich’s UK risk engineering team.” irm special interest groups (sig) Risk managers “cannot be C-sick”, SIG says Risk managers must master “the seven Cs” if they are to survive in 2020, research carried out by IRM’s Innovation, Value Creation and Opportunity SIG has found. Professionals working in risk need to master commercial skills, communication skills, confidence, creativity, culture and act as challengers and catalysts if they plan to be around in the next eight years, the group has discovered. Revealing its findings at IRM’s April Professional Development Forum in Manchester, UK, the SIG – headed by Clive Thompson FIRM, project director for FINEX Global, Willis Group – concluded that risk managers will need to think strategically and challenge their leaders to ensure their longevity. The group also predicted that the board will be formally risk-trained by 2020. The group hopes to publish the full findings in autumn and more detailed coverage is planned in later editions of RMP. Enterprise Risk Management SIG As the last issue of Risk Management Professional went to press, IRM’s Enterprise Risk Management (ERM) SIG was discussing how to integrate risk and performance with Wim Van der Stede, a professor from the London School of Economics. The group then turned to a case study on Lloyd’s of London’s approach to risk appetite. PDFs of the presentation papers can be found in the SIG section of IRM’s website. New SIG: Governance, Risk and Compliance Anyone interested in joining a group dedicated to discussions on governance, risk and compliance (GRC) is being invited to contact Robert Toogood, a senior partner at Chaordic Solutions. To express your interest please contact robert_toogood@chaordicsolutions.co.uk. Solvency II SIG After a well-attended March meeting, the Solvency II SIG met again on 17 April to discuss the ORSA process – challenges and opportunities. Speaking at the event in London, UK, were Keith Jackson, group chief risk officer at BUPA, Matt Taylor, group head of risk at BUPA, and Peter Taylor, director at Conducter Consulting. In May the group convened again to discuss the role of risk management training in sustaining a risk culture. Joachim Adenusi FIRM, director of Inspirational Risk, and Georgia Tsaikki, a group risk advisor for Amlin, were among the speakers. A joint meeting with the Bermuda RG is planned for June to discuss navigating multiple international regulatory requirements. Sessions for July and September are also planned. IRM REGIONAL GROUPS (RG) Botswana RG IRM’s Botswana RG is soon to launch, aiming to act as a networking hub in the southern Africa region. Brian Chiyangwa CIRM will be chairman of the group. Middle East RG Solvency II was the topic of the day when the IRM Middle East RG met on 12 March at the Ritz Carlton in Doha. An afternoon workshop was led by Adeel Mushtaq of KPMG. 44 | North-West England RG Lynn Stalker MIRM, a business risk manager at the Sellafield nuclear site, delivered a presentation on quantitative assessment to the North-West England RG on 17 May. Held at the Sellafield offices in Risley, Derbyshire, Stalker looked at the appropriateness and value of quantitative assessments. A session on risk appetite is scheduled for 11 July, along with an October seminar on the people side of risk management. For more information on RGs and SIGs visit www.theirm.org. www.rmprofessional.com | June 2012 | Risk Management Professional | news irm IRM FOCUS World class Global Risk Awards to launch IRM’s new Global Risk Awards will be held in London in the first quarter of 2013. Aiming to celebrate “world class” risk management products, services and people, the awards will recognise the best and give organisations and professionals the chance to showcase their excellence. “Learn meerkat lessons”, says IRM chief Top government scientist to address Annual Lecture The man responsible for scientific advice when the UK is hit by crises has been confirmed as the keynote speaker at IRM’s 2012 Annual Lecture. Sir John Beddington FIRM, chief scientific advisor to the British government with responsibility for the quality of science-based evidence in government decision making, will deliver his speech at the 5 December lecture. Sir John has advised several governments and international bodies on risk issues, including the Australian and US governments, the European Commission and the United Nations Environment Programme. Having offered advice on crises such as the 2009 swine flu outbreak and the 2010 volcanic ash incident, Sir John is also charged with ensuring that scientific method, risk and uncertainty are understood by the public, particularly around the misconceptions and misunderstanding regarding climate change. Invitations and booking instructions for the Annual Lecture and AGM will be sent to members closer to the occasion. IRM backs inaugural World Risk Day IRM has lent its backing to the launch of the first ever World Risk Day. Taking place on 26 June, World Risk Day will include a free global virtual summit of risk experts to address best practices. It is supported by organisations including Active Risk, the Risk and Insurance Management Society (RIMS), the Association for Federal Enterprise Risk Management (AFERM) and the Major Projects Association (MPA). Steve Fowler FIRM, IRM’s chief executive, applauded the launch of the initiative, adding: “By drawing attention to the value-add of well-structured risk management, World Risk Day benefits both business and the risk profession.” Loren Padelford, executive vice-president and general manager, Active Risk, added that the day would “elevate the conversation around risk management and setting benchmarks for the industry.” As well as the summit, www. worldriskday.com will also feature a resource centre, a blog and a benchmark survey. Membership Renewals Members are reminded that their annual subscriptions are due for renewal on 1 July 2012. Renewal invitation letters will be issued in early June and the online payment facility will be available by 15 June 2012. Details of the 2012/2013 subscriptions can be found on IRM’s website. Risk professionals should embrace the success of a fictional meerkat as an example of how social networking can link to modern business, IRM’s chief executive told the institute’s Professional Development Forum. Steve Fowler FIRM, speaking in Manchester, UK, on 23-25 April, said risk professionals should be aware of the link between trends such as one-inten pets being put on Facebook by their owners and the success of Aleksandr Orlov, a fictional meerkat who has spearheaded the growth of Britain’s fastest-growing insurance brokerage, comparethemarket.com. Fowler said: “There is a link between some of these things that people do for fun on social networking sites and business – we can’t ignore that link.” Boardrooms embracing risk Risk management is moving “from the engine room to the board room”, IRM’s chairman told delegates at the forum. Richard Anderson FIRM said that “risk management has never been more important” than it is now. He said: “It is moving from the engine room to the board room and it is our role to support that.” Anderson added that it was a “privilege and pleasure” to welcome 300 risk professionals from over 20 different countries. For further forum coverage, turn to pages 40-43. | Risk Management Professional | June 2012 | www.rmprofessional.com | 45 IRM Membership NEW IRM MEMBERSHIPS Fellow Richard Mackie Eversholt Rail Kevin Thomas Ecclesiastical Insurance Member John DavisUK Power Networks Lyndsey Gregory Deloitte & Touche Panagiotis Loizou Ernst & Young Gayle Marshall Insurance Corporation of Barbados Certificant Haizam Abu Hassan Telekom Malaysia Omar Abu-Rish Thames Valley Police Carlos Arias IFC - World Bank Group George Baird IMG World Paul Brown Gloucestershire County Council Neil Buck Aberdeen City Council Blesie Bustamante Manila Water Company Wendy Chen Swire Pacific Carla Compagno CADG Pedro Cupertino de Miranda Sonae Investimentos Jonathan Davies Co-operative Banking Group Lindsey Downes ADAS Andrew Dyson North East Lincolnshire Council Robert Elliott GSH Ryan Forsythe Investec Rebecca Fox Shacklocks Solicitors Richard Fraser Shaw Simone Freire-McKinnell ADMS Europe (Aegon Direct Marketing Services) Michelle Gardiner De Beers Consolidated Mines Alexander Guzman Ecopetrol S.A. Ross Harding Ernst & Young Martin Hughes GPT Special Project Management Mohsin Jagani Abu Dhabi Retirement Pensions & Benefits Fund Ellie King RBS Andreea Licu ING Pension Fund (Romania) Hesham Mabrouk Abu Dhabi Ports Company David Marsh Chris McQuaid Nationwide UK (Ireland) Claire MilnerUK Asset Resolution Stephen Mortimer EDF Energy James Nelson Rolls-Royce Norlaili Nordin Inland Revenue Board of Malaysia Iain Ogilvie Scottish Water Oyejumoke Okubadejo NHS North West London Jamie Oliff FM Global Javier Perez-Blanco Navarro Eduan PieterseVBKom Projects Mark Pring Co-operative Banking Group Chandra Raman Mark Surveyor Ruth Riddell Wulvern Housing Benjamin Romero PPL Global Chloe Rutkowski DLA Piper (UK) Lee Schneider Co-operative Banking Group Soo Wy Seng QBE Insurance (Malalysia) Berhad Nikki Sevens Driving Standards Agency Syed Shah British Council Matthew Shanahan Canada Life International Kanaga Devi Shanmugam Inland Revenue Board of Malaysia Chas Staines Integrated Risk Consultants Andrew Voules ICM Business Continuity Dena Walker Virgin Media Rachel Washington ASA Fiona Whitelaw Chivas Brothers Jey Williams Capita Business Services Mark Willis Halifax Diana Wright Anthony Yuile Syed Zain Allianz Malaysia Berhad Hassan Zaitoun Dar Al Arkan Real Estate Development SPECIALIST Pavel Aksenov Thomson Reuters Stephen BlottUK General Insurance Group Lisa Boswell MAPFRE ASSISTANCE Mark Brown Supreme Global Solutions Martin Churm Lynzi Harrison Skandia UK Julie Howell Off House Alex Jeppe CAN John Joyce Allianz Maalila Malambo Blue Insurance Paul McLarnon Cunningham Lindsey Helen Molyneux Cambridge Risk Solutions Ashok Narayanan t’Azur Company B.S.C Thomas Puschnik Zurich Suk Rathore DNV James Royds Sempartus Consulting Affiliate Paul Ablin easyJet Edgar Ager Secure Trust Bank Solene AnglaretVeolia Water UK Ali Anvari Paul Attrell ISOQAR Lee Barnes TFPL Keith Bernhard Alterra Capital Kat Blyth Ecclesiastical Chris Boulden BAE Systems Detica Michelle Bucknor Ecclesiastical Gladys Cheung Catlin Jonathan Clarke Reachable Alistair Craig Morgan Sindall Steve Daniels BAE Systems Detica Thomas Delaney Worcester City Council Ann Doan CharitiesAid Foundation Adriano Dondi Civil Service Healthcare Cynthia Emmanuels Parallex Microfinance Bank Paul Emms Skandia John EnochVoxsmart Peter Evans Carillion Jennifer EvansVelrada Vincent Geake BAE Systems Detica Maria Hadjipavlou W. R. Berkley Insurance (Europe) Henry Harrison BAE Systems Detica Luisa Jefford TFPL Andy Langley Ecclesiastical Ayan Man Mitsui Sumitomo Insurance (London) Michelle Mifka Coutts Louise Parry The Co-operative Kevin Pearce Aldermore Bank Marcello Pizzichetta Infrassure Claire Quick Ecclesiastical Ben Rendle BAE Systems Detica Robert Scott Wolverhampton City Council Claire Sewter BAE Systems Detica Andrew Shefford KPMG Ben Stellman BAE Systems Detica Oliver Tardiff BAE Systems Detica Marcella Taylor Dave Whitley BAE Systems Detica Helen Whittle easyJet Nick Wilding BAE Systems Detica Stephen Yates Travelers Management Zurich enrols all 150 risk engineers All of Zurich’s 150 risk engineers (see IRM News, page 44) have become institute members. Congratulations to all of the below on joining us: Kevin Abbott David Allison Jack Ashworth Ian Avis Graham Brazier Steph Buckle Bert Campbell Martin Clemmit John Currie Ralph De Mesquita Ian Dunbar Tony Fagan Robert Foggitt Brian Friar Andrew Grantham Chris Haseley Sally Jenner Gary Jones Chris Knowles Killian Liston Fabio Lupo Shelley Marshall Bernel Mayers 46 | Ade Adeyemo Catherine Aislabie Huw Andrews Alex Arteaga Mike Aspinall Tim Astley Mark Barry Stuart Blackie Stan Brejza Sarah Brown Joan Burstow Luca Bussani Gavin Chalmers Bradley Clarke Philip Coley Peter Coulsey Rupert Damms Ian Dann Paul Dean Martin Dippnall Andy Dyehouse Steve Elgar Paul Farmer Robert Farrell Neil Ford David Forster Lisa FrostYojana Ganda Brian GreenVivien Gumble Angela Hodder Gary Howe Michael Johnson Simon Johnson Sharon Kearns Mick Kelly Marc Leblanc Stephen Leveritt Stuart Lloyd Michael Long Kevin Lyons Mandy Maris Bev Martin Raida Mashal Geraldine McFaul Philip McManus Aeid Albelwi Stephen Arundale Helen Aston Carole Booker Curt Bryant Jo Caley Ian Clarke Carl Coulter Malcolm Davies Derek Downham Alan Ely Paul Feltham Jerry Fox Richard Geary Ady Hall John Howe David Jones Louisa Knight Lynne Liddiard Davina Lonsdale John Marriott Gordon Matchett Ross McMillan Ronan Meghen Tracey Moore Oluwaseun Oladiran Richard Parslow Nicola Phipps John Platt Alan Ross Jim Smith Nick Strong Cliff Vaughan Tilden Watson David Williams Mark Middleton Kevin Morris Peter Oxenham Rhodri Pashley Howard Pilling Andy Price Paul Rowbotham Nicol Smith Nigel Tribe Andrew Ward Gordon Weir Alison Wood Mark Midgley Stephen Mills Emmy Muandingi Steven Mulry Kevin Parker Claire Parker-Harrison Sarah Pearson Rod Penman Clive Pinch James Pinner Owen Rees Paul Richards Liz Sheehy Dale Sibanda George Solarski Ian Stanton Justine Trimmer Claire Tutt Ann Watson Les Watson Robert Whyte Alex Wicks Ian Wrightson Become an IRM member IRM membership can support you throughout your career, whether you see risk management as your profession or as a key skill. Membership provides you with recognition, networking opportunities, knowledge and career support. To find out more about becoming a member visit: www.theirm.org/joining/JOjoining.html www.rmprofessional.com | June 2012 | Risk Management Professional | thought leadership IRM IRM FOCUS Future thinking Carolyn Williams MIRM provides her regular round-up of the latest issues, ideas and initiatives from IRM’s thought leadership activities Woodford, ex-CEO of Olympus and Jim Sutcliffe, chairman of the UK Financial Reporting Council’s codes and standards committee, which has responsibility for the Turnbull Guidance on internal control. Further details about the conference will be included in Risk Management Professional in September and will also be sent to all IRM members, but if you would like to pre-register your interest please e-mail events@theirm.org. Risk culture – IRM’s risk culture working group has been undertaking surveybased research to support the group’s discussions. So far the group has been looking at individual risk perspectives, organisational risk culture and whether different cultural models make it more or less difficult to implement various aspects of risk management. Preparation of a first draft guidance document is now underway. This will be released for wider consultation in the summer. Any IRM members who feel that they have a contribution to make to the work should e-mail Carolyn Williams at carolyn.williams@theirm.org. Vodafone perspective report on exploring attitudes towards risk – IRM has recently contributed to work undertaken by UK mobile telecommunications company Vodafone aimed at raising awareness of risk management and business continuity among their corporate customers. The work incorporates some of the guidance of risk appetite produced by IRM last year and can be found at: http://www.vodafone.co.uk/consumer/ groups/public/documents/webcontent/ vftst162178.pdf CfA risk governance national occupational standards – IRM will be contributing to a CfA – formerly known as the Council for Administration – working group that will be developing national occupational standards in risk governance for the UK. National occupational standards set out the required competencies and knowledge required to undertake particular functions within organisations. The new standards will be issued towards the end of the year. The IRM game – following a pilot scheme involving IRM members around the world plus some training sessions at IRM’s recent Professional Development Forum in Manchester, UK, the files for the IRM Game have been placed in the members’ area of the IRM website for any member to access. The game aims to help communicate basic risk management concepts within an organisation by means of a role-playing game. IRM Risk Leaders’ Conference – our third Risk Leaders’ Conference will take place on 20 November 2012 in London, focusing on risk at board level. Speakers confirmed to date include Michael Online Resource Centre (ORC) IRM’s online resource centre for members provides easy, searchable access to hundreds of documents and links on various aspects of risk management. Recent additions include: • UK climate change risk assessment – a major report from the UK’s Department for Environment, Food and Rural Affairs (Defra) • Future risk - social and economic challenges for tomorrow – a collection of expert essays commissioned by the Chartered Insurance Institute • Emerging risks 2012 – a report based on a recent London risk seminar • Turning risk into results - how leading companies use risk management to fuel better performance – a report from Ernst & Young Any IRM members who would like to submit papers for inclusion in the ORC should contact Carolyn Williams at carolyn.williams@theirm.org. Carolyn Williams MIRM is head of thought leadership at IRM | Risk Management Professional | June 2012 | www.rmprofessional.com | 47 irm Education IRM FOCUS Examination successes International certificate T risk management and Application of risk management. This was slightly lower than the June 2011 session where 91 per cent of candidates passed both papers. Most of the November papers were hree hundred and fifty five candidates sat the November 2011 examinations of whom 86 per cent achieved a pass, merit or distinction grade in each of the papers – Theory of completed to a high standard, as shown by the number of candidates achieving merit and distinction grades: Distinction % Merit % Pass % Overall % pass rate Theory of risk management 43 23% 70 38% 36 19% 81% Application of risk management 58 34% 63 37% 35 9% 91% Totals 131 29% 133 38% 71 14% 86% Comparison of pass rates June 2010 – November 2011 Nov-11 Pass rate % Jun-11 Pass rate % Nov-10 Pass rate % Jun-10 Pass rate % Theory of risk management 81% 87% 88% 86% Application of risk management 91% 96% 89% 92% Totals 86% 91% 89% 89% International Diploma International Diploma in Risk Management The institute would like to congratulate and have now completed the Internathe following candidates who were tional Diploma: successful in their Level 3 assignment • Gayle Marshall • Panagiotis Loizou • John Davis Financial services Risk Management in Financial Services 46 candidates sat the November 2011 examination and the overall pass rate was 63 per cent. This compares with 29 students who sat in June 2012 with an overall pass rate of 76 per cent. Financial services 48 | Distinction % Merit % Pass % Overall % pass rate 1 2% 7 15% 21 46% 63% www.rmprofessional.com | June 2012 | Risk Management Professional | directory of risk management professionals To advertise in this directory please contact Steve Goood on +44 (0)20 7562 2435 or steve.good@rmprofessional.com ENTERPRISE RISK MANAGEMENT Harnser Group Ltd 69-75 Thorpe Road Norwich NR1 1UA Tel: +44 (0)1603 230534 Email: info@harnsergoup.com or info@prismworld.org Web: www.harnsergroup.com or www.prismworld.org PRISM® (Performance and Risk-based Integrated Security Methodology) is a complete risk management framework that can be applied to any organisation that faces security risks. It reflects best practice in security risk thinking and ensures cost effective security solutions that support the delivery of strategic objectives anywhere in the world. The methodology forms the basis of the Reference Security Management Plan (RSMP) written at the behest of the European Commission for owners and operators of energy infrastructure assets across the European Union. In Q2 2011 PRISM® software will be available to support the application of a consistent security risk management approach across multiple sites. Harnser Group is an international specialist in security risk management for government and commercial organisations in areas of technical design, governance and audit. Our aim is to deliver high quality advice and to challenge traditional thinking about security risk to raise awareness amongst other stakeholders of the impact on strategy, finance and operational decisions made by organisations to protect and enhance shareholder value. Active Risk Active Risk Manager from Active Risk 1 Grenfell Road Maidenhead Berks SL6 1HN Active Risk provides software and services for the management of project, portfolio, operational and true enterprise risk management. Active Risk Manager™ (ARM) is the world’s leading web-based Enterprise Risk Management (ERM) system. Tel: 01628 582500 Fax: 01628 582600 www.activerisk.com Active Risk was founded in the UK in 1987 and opened offices in the US in 2004. Active Risk Manager is used by major organisations around the globe including BAE Systems, British Nuclear Group, Rio Tinto, Lockheed Martin, Nestle, United States Air Force, NASA, London Underground and SABIC. For further information and a detailed view of Active Risk’s products and services visit www.activerisk.com or call +44(0)1628 582500 (EMEA) or +1 703 673 9580 (Americas) VALUATION Charterfields Limited International Asset Consultants 36-38 Cornhill, London EC3V 3PQ Tel: 0870 0434170 Fax: 0870 0434172 E: neil.warburton@charterfields.com www.charterfields.com Charterfields' insurance valuation services provide clarity and certainty in relation to the insurance of material assets. This advice:• • • • protects a business against the consequences of under or over insurance; facilitates more accurate MPL calculations; determines fair premium allocation; provides market confidence when placing cover; and gives impartial and credible valuation data. We act on behalf of major corporations, brokers and risk managers, covering all business sectors around the world. We offer a range of survey options, including cost modelling reviews that provide risk managers with quick and cost effective initial advice on the accuracy of declared values. RISK CONSULTANCY Risk Doctor & Partners Risk Doctor Surgery, Lower Heyshott, Petersfield, Hampshire GU31 4PZ, UK Telephone: +44(0)7717 665222 Email: info@risk-doctor.com Web: www.risk-doctor.com Specialist risk management support from Dr David Hillson and selected partners, combining leading-edge thinking with expert practical application, offering access to the latest developments in risk management best practice. With an enviable track record in diagnosis and treatment, and a strong emphasis on managing opportunities through the risk process, we provide a unique approach to understanding and managing the uncertainties facing your business. Services are available worldwide, including coaching & mentoring, capability benchmarking, process development, risk assessments, and skills training directory of risk management professionals To advertise in this directory please contact Steve Goood on +44 (0)20 7562 2435 or steve.good@rmprofessional.com INSURANCE CLAIMS HANDLING & RISK MANAGEMENT SOFTWARE JC Applications Development Manor Barn Hawkley Rd Hawkley Liss Hampshire GU33 6JS Tel: +44 (0)1730 712020 Fax: +44 (0)1730 712030 Email: jcad@jcad.co.uk Web: www.jcad.co.uk At JC Applications Development Ltd we believe that our commitment to providing simple to use yet feature rich applications for claims and risk management, is what has enabled us to grow a successful and satisfied client base of over 160 organisations. Although our clients can occupy very different sectors of business, for instance; UK Central & Local Government, US Government, Commercial, sentiments converge when looking for a proven technology solution provider. If you are looking to improve upon the way you handle claims or manage risk then JCAD have the right mix of products and services to guarantee a cost effective and timely implementation. RISK MANAGEMENT CONSULTANCY Risk Management Consultancy Ove Arup and Partners The Arup Campus Blythe Valley Park Solihull B90 8AE Tel: +44 (0) 121 213 3000 Email: Rob.Davies@arup.com Web: www.arup.com Arup provides tailored Programme and Project Risk Management (PPRM) support to its clients across numerous industry sectors (e.g. Energy; Transport Infrastructure, Commercial Property), capitalising on the Firm's core engineering and project management skills. We provide these services at all project lifecycle stages, helping to manage both threats and opportunities to cost and benefit streams. In particular, our risk quantification expertise ensures we can reliably contribute to business case development, procurement and delivery structuring, tender evaluation, project controls during implementation and cost-effective transition to full operation. Importantly, we've also developed a Monte Carlo-based decision support tool for optimising asset management strategies. As part of our PPRM service offering we specialise in five key areas; • Project Risk Management (PRM); • Quantitative Risk Analysis (QRA); • Asset Risk Management (ARM); • Enterprise Risk Management (ERM); and • Business Continuity Management (BCM). Risk Decisions Group Whichford House, Parkway Court Oxford Business Park South Oxford, OX4 2JY Catherine James, Office Manager Catherine.james@riskdecisions.com +44 (0)1865 718 666 Fiona Racher, Business Development Director Fiona.racher@riskdecisions.com +44 (0)1865 718 666 www.riskdecisions.com Risk Decisions have the expert people and the market leading training and software that organisations need to develop their internal capability in risk management. Risk Decisions specialise in supporting government bodies and companies undertaking large capital projects or seeking to manage risks in order to meet corporate governance obligations, covering enterprise, business programme and project risk management. By providing an appropriate mix of consultancy, training, coaching and software, Risk Decisions equips teams with the knowledge and the skills needed to embed effective risk management practice into mainstream business activities. RISK MANAGEMENT INFORMATION SYSTEMS Covalent Software 3 Hammet Street Taunton Somerset TA1 1RZ www.covalentsoftware.com +44 (0)1823 323239 Covalent ERM, used by 160+ organisations, brings risk management to life as a dynamic process, rather than the static, disconnected approach offered by spreadsheets. It streamlines the whole risk identification, assessment, treatment and monitoring process, providing real-time profiling and alerts, regular re-assessments and continuous controls monitoring. It facilitates proactive management of risk, minimising likelihood and impact, and provides easy tracking of mitigation plan progress and key risk indicators. It also aligns risks with strategic objectives, giving full visibility of how risks directly threaten those objectives and what's being done about it. Covalent ERM delivers increased risk responsiveness, improved governance performance and a streamlined, lower cost, dynamic risk management process.