Professional - Enterprise Risk Magazine

Risk Management Professional
www.rmprofessional.com | June 2012
Corporate Japan “is a perverted golf club”
Former Olympus CEO-turned-whistleblower Michael Woodford talks about his experiences

• Olympic threats
• ERM - a perfect recipe?
• Police service risks
• Women on boards
• Information risk roundtable
• IRM forum review
• Zurich and IRM join forces
Risk Management Professional: the official magazine of the Institute of Risk Management
Published on behalf of IRM, Risk Management Professional is the leading quarterly title for risk managers and enterprise risk
For advertising opportunities please contact Steve Good:
Tel: +44 (0)20 7562 2435 or email: steve.good@rmprofessional.com
www.rmprofessional.com
contents

Cover story
Ahead of his keynote speech at November’s IRM Risk Leaders’ Conference, ex-Olympus CEO Michael Woodford tells us why he spoke out against wrongdoing at the firm, and the impact it had on him and his family. 12

INDUSTRY FOCUS
News 4
Editor’s letter 8
Letters 9
Olympic risks 14
ERM - age of enterprise 20
Thin blue line 22
Women on boards 24
Area focus: Australasia 28
ISO 31000: the debate 30
Roundtable: IT security 34

IRM FOCUS
Chairman’s column 11
Professional Development Forum review 40
SIG and RG news 44
News 45
New memberships 46
Thought leadership 47
Exam results 48

IRM CHAIRMAN: Richard Anderson FIRM
CHIEF EXECUTIVE OFFICER: Steve Fowler FIRM
Deputy chief executive: Sophie Williams MIRM
head of marketing: Fiona Duhig, fiona.duhig@theirm.org, Tel: +44 (0)207 709 9808
editor: Tom Bovingdon, tom.bovingdon@rmprofessional.com, Tel: +44 (0)207 562 2420
design & production: Keem Chung, keem.chung@perspectivepublishing.com, Tel: +44 (0)207 562 2405
advertising manager: Steve Good, steve.good@rmprofessional.com, Tel: +44 (0)207 562 2435
accounts: Marilou Tait, marilou.tait@rmprofessional.com, Tel: +44 (0)207 562 2432
circulation: Joel Whitefoot, perspective@alliance-media.co.uk, Tel: +44 (0)208 950 9117
managing director: John Woods
Publishing director: Mark Evans
feedback: Fiona Duhig, Tel: +44 (0)20 7709 9808

Risk Management Professional is the official publication of the Institute of Risk Management (IRM). ISSN 2042-4078

IRM is the world’s leading enterprise-wide risk education institute. We are independent, well-respected advocates of the risk profession, owned by practising risk professionals and operate internationally, with members and students in over 90 countries.

Institute of Risk Management
6 Lloyd’s Avenue, London EC3N 3AX
Tel: +44 (0)20 7709 9808, Fax +44 (0)20 7709 0716
www.theirm.org, enquiries@theirm.org

Copyright © 2012 Institute of Risk Management. All rights reserved. Reproduction without written permission is strictly forbidden. The views of outside contributors are not necessarily the views of IRM, its editor or its staff.
| Risk Management Professional | June 2012 | www.rmprofessional.com |
03
news

BSI to launch governance standard

A governance standard demonstrating best practice is being developed by the British Standards Institute (BSI). The standard, aiming to launch in early 2013, will be developed through work with professional bodies, government and business.

Carolyn Williams MIRM, head of thought leadership at IRM, said: “We already have the UK Corporate Governance Code covering this area and it will be interesting to see what value the proposed new standard would add.”
Security professionals “over-confident” on ERM

IT professionals have “significant gaps in their enterprise risk management (ERM) strategies despite thinking they are on track”, according to research by HP.

Research published in May showed that just 14 per cent of security professionals are very confident that their current IT solutions are giving them a complete picture of their ‘risk state’.

Jennifer Lake, security product marketing manager for HP DVLabs, said intelligent approaches are required to combat “a new breed of cyber threats”.

The research also showed that cyber attacks are becoming more frequent, staff are often inadvertently breaching security, and less than half of survey respondents (41 per cent) carry out asset analysis and prioritisation as part of their security programme.

For more information on IT security risks, turn to our expert roundtable on pages 34-39.
Olympus fraud “could happen anywhere”

Fraud comparable to events at Olympus “could happen anywhere”, the former president and CEO turned whistleblower Michael Woodford has exclusively told Risk Management Professional.

Woodford, who will be speaking at IRM’s Risk Leaders’ Conference on 20 November, said any organisation could suffer from the scenario that led to $1.7 billion losses being hidden.

“It can happen anywhere where you get power. We’ve all got bosses. We’ve got mortgages. You may have children. In any hierarchical structure – and it comes down to the tone at the top, how far people are prepared to look the other way or keep well away – that psychology of how fraud or wrongdoing takes place is interesting to examine”, he said.

As we went to press (28 May), Woodford was launching a five-day unfair dismissal case against Olympus at a London tribunal. He is attempting to sue the company for up to ten years of lost pay, citing UK laws on unfair dismissal for whistleblowing and discrimination. Olympus previously said Woodford left because he was “causing problems”.

Woodford is currently finishing the British version of his book and is in talks with film companies about taking his story to the silver screen. Asked who he would like to play him, he said: “Colin Firth, Kevin Spacey, some people have even said George Clooney, but he’d have to put a bit of weight on and shave his head.”
Olympics to raise flu risk in travel-hub UK

An influx of Olympic tourists will raise the risk of a flu pandemic across the UK, according to risk analysis firm Maplecroft. The UK’s highly urbanised and transient population, and its prominence as a travel hub, make it the second highest-ranked country where a flu pandemic is likely to spread fastest, behind Singapore, the Influenza pandemic risk index found.

With tourist numbers expected to surge by around 5.3 million during the Olympics, the researchers warned of the potential to “exacerbate the already significant risk of spread in the country, particularly since visitors from countries most at risk of a pandemic emergence will feature high in these influxes”.

However, the report also found that the UK’s strong governance, highly developed infrastructure, well educated population and advanced health system place it among the 10 countries with the highest capacity to contain a potentially lethal outbreak of a strain of flu.

After Singapore (1) and the UK (2), the highest ranked countries were South Korea (3), the Netherlands (4) and Germany (5).
london 2012

Olympics “safer than home”

Visiting the Olympic Park to watch the world’s biggest sporting event will be safer than staying in your house, the incident and business continuity manager for the Olympic Park has claimed.

Andy Tomkinson, pictured (right), said he will feel “very safe” during the London 2012 Olympic and Paralympic Games because the organisers will have “made their own luck through planning and risk mitigation”.

He said: “If you asked me where would be the safest place to be in London during the Olympics, I would say the Olympic Park. And I’d like my mum and dad to be there too. They would be safer at the Olympic Park than they are in their home.”

Tomkinson believes London 2012 will be the “best Games ever” and is satisfied that contingency measures are in place for any eventuality. He said: “Every single kick-off, every single weight-lift, every single backflip, there is a contingency plan. It’s been a massive job.”

But he stressed that there is no room for complacency. He added: “No one is resting on their laurels. Nobody is going to take their foot off the pedal.”
Heathrow “ready for Olympic traffic”

Heathrow Airport will be able to cope with the extra traffic caused by the Olympic Games, BAA has said. At a briefing in London, BAA bosses assured the public that the airport would be able to manage the influx of visitors and athletes after concerns were raised over queues and delays at Britain’s busiest airport.

Heathrow will open a temporary terminal, 31 check-in desks and five security lanes solely for the use of athletes to cope with the demand, bosses said. The airport will see its busiest ever day on 13 August when handling 138,000 departures and 200,000 bags.

Meanwhile, Marc Owen, director of the UK Border Agency, promised that hundreds of extra trained border guards will be drafted in.

Their assurances come after the House of Commons culture select committee warned that Heathrow may struggle to cope with long immigration queues during the Games. In a letter to culture, media and sport secretary Jeremy Hunt, the committee said: “While visiting tourists will understand that the Olympics is a busy time, if the wait [at immigration] is in excess of an hour it may deter tourists from returning.”
London 2012 to be “the BCI Olympics”

The Olympic and Paralympic Games in London this summer will be “the business continuity Olympics”, an incident and business continuity manager for the Olympic Park has exclusively told Risk Management Professional.

Andy Tomkinson, who works for the London Organising Committee of the Olympic Games and Paralympic Games (LOCOG), says London 2012 “has gone further than other Olympics have before in engaging with society and business” to minimise disruption.

Speaking outside the Olympic Park, Tomkinson said: “There will be disruption, but it will be managed and predictable and we’ve got plans and procedures in place to help mitigate that.”

He added: “This is the first time that business continuity for small business, freight management and the Olympic network have really drawn together – across society, commerce and the Games – into one package. An overwhelming majority of businesses are creating plans and procedures to be Games ready.”
One third of companies not reporting key risks

Over one third of companies scored zero points when rated for their reporting on child labour, climate or water risks. In an analysis of 1,078 companies carried out by Norges Bank Investment Management (NBIM), 41 per cent of firms failed to receive any points for their reporting of these risks, compared with 44 per cent the year before.

Anne Kvam, NBIM’s global head of ownership policy, said the report looked at areas of “particular concern that companies need to address – children’s rights, climate change and water scarcity”.

She added: “While our findings show a slight improvement in how businesses reported on risks in these areas in 2011 compared with 2010, the overall level of reporting is still far too low.”

Adidas, Air France-KLM and Nestlé were among the companies to receive top marks for their reporting on social or environmental risks.
ISO 31000 under discussion

Nearly 100 delegates from around the world gathered in Paris, France, on 21-22 May for the first international conference to discuss the ISO 31000 risk management standard, two years after its launch in 2009. IRM was represented by chief executive Steve Fowler FIRM and head of thought leadership Carolyn Williams MIRM, who spoke at a seminar session on how ISO 31000 should be addressed in educational development.

For information on IRM qualifications visit: www.theirm.org. For more information on the conference, visit: www.g31000conference2012.org/
Report calls for “off-the-record” risk reports

Auditors and audit committees should have informal meetings where potential and emerging risks to banks can be discussed, a report from the Chartered Institute of Internal Auditors (CIIA) has said.

The report, Enhancing the dialogue between bank auditors and audit committees: good practice for bank auditors, audit committees and executive management, said that informal meetings should take place where ideas can be “tested in an environment which does not demand written reporting or precise conclusions”.

“In these meetings, the necessary formality and protocol which surrounds audit committee meetings can be temporarily set aside, replaced by off-the-record conversations which seek to identify potential and emerging risks to the business”, the report added.

Such discussions would allow “much more of the flavour of debates to be presented”, the report said, and allow auditors to communicate “as if they were telling a story to a friend”.
X chromosome marks risk appetite spot

Having more women at board level could help firms strike the right risk appetite, a business psychologist has claimed.

Grace Walsh, of Psychological Consultancy (PCL), a firm working with IRM to examine the importance and impact of risk culture on organisations, told Risk Management Professional that having more women at board level “may not just be beneficial but also necessary in order to get the risk appetite balance right”. She added: “It is not just that more women should be in more senior executive positions, it is that it is needed.”

PCL recently compiled research finding “very significant” gender differences between attitudes to risk, revealing that females are generally more prudent and wary in their approach to risk while men tend to be adventurous, carefree and spontaneous. The report stated: “Differences in risk-taking may be a distinctive feature on gender”.

Sharon Constançon, chief executive of board evaluation consultancy Genius Methods, told Risk Management Professional that the presence of women on boards “improves the communications between directors and allows for a natural inclusion of softer issues at the forefront of board effectiveness like culture, ethics, style and behaviour”.

She said: “In my experience women are less political and more open. They are willing to ask questions, even the simple (or stupid) ones and persevere as they need to get a satisfactory answer.”

For further thoughts about women on boards, see All trousers, no skirt? (pages 24-25).
Risk management “crucial” for Arctic exploration

Organisations must put “robust” risk management in place if they are to succeed in exploring the $100bn Arctic frontier, according to a report by insurance market Lloyd’s.

The report, Arctic opening: opportunity and risk in the high North, said that “risk management is fundamental for companies to work safely, sustainably and successfully in the Arctic”, as expected investment in the region is predicted to reach £100bn over the next decade.

“Companies operating in the Arctic require robust risk management frameworks and processes that adopt best practice and contain worst case scenarios, crisis response plans and full-scale exercises. There are many practical steps businesses can take to manage risks effectively, including investing in Arctic-specific technologies and implementing best-in-class operational and safety standards, as well as transferring some of the risks to specialist insurers”, the report said.

Richard Ward, CEO of Lloyd’s, said Arctic opportunities will only be realised “if the businesses involved are able to manage the substantial and unique risks which exist in the region”. He added: “The Arctic is a frontier unlike any other, and the industries and companies it attracts will need to develop and implement robust risk management systems to meet these challenges.”
Bahrain businesses make risk “key priority”

Over half of Bahrain-based business leaders are making risk management their primary focus, according to a survey carried out by KPMG.

A European and Middle East survey released this week by the audit, tax and advisory services firm found “many similarities” between Bahrain organisations and their regional and European counterparts, but said that the emphasis on risk management is a difference. Addressing risk throughout their organisation was a priority for 51 per cent of Bahrain respondents, compared to the survey average of 21 per cent.

Narayanan Ramachandran, KPMG’s Bahrain advisory head, said: “Perhaps the biggest difference is the emphasis Bahrain-based business leaders are placing on risk management.”
Middle East war “bigger risk than debt crisis”

Conflict in the Middle East poses a greater danger to the economy than the Greek debt crisis, according to Henkel AG chief executive officer Kasper Rorsted.

Rorsted was quoted by Reuters news agency as saying that conflict in the region is the “least manageable scenario” and would increase volatility in raw material prices. He was quoted as saying: “The biggest risk in 2012 is not Greece, it is war in the Middle East.”

Recent clashes on 4 May between protestors and security forces in Cairo left one dead and hundreds injured, with anxiety increasing as the results of the 23-24 May elections were counted.

But Rorsted told Reuters that the Middle East continues to offer a “huge opportunity” for long-term investment in the region, adding: “The price you pay for presence in the region is volatility.”
Audit and risk “must speak same language”

Internal audit and risk management are more effective when they work together and share a common understanding, according to a joint report from the Risk and Insurance Management Society (RIMS) and The Institute of Internal Auditors (IIA).

The report, Risk management and internal audit: forging a collaborative alliance, found that collaboration between the two can lead to “stronger, more efficient decision-making and enhance an organisation’s overall risk management capability and value”.

Hal Garyn, vice-president of North American services for IIA, said: “Having these vital risk management and assessment functions collaborate, speak the same language, and leverage one another’s perspectives on the business is crucial. The sum is truly greater than their parts.”
Editor’s letter

Roll up! The circus is coming

London is unfurling the banners and flags and the media circus is gearing up ahead of an enormous July and August. But none of this is, as you might expect, to commemorate my first year on the magazine. Instead, the Olympics and Paralympic Games are coming to town, bringing with them some of the biggest risk management challenges to date.

We cover the Olympic bases on pages 14-17, but as usual have cast our net far and wide to bring you a wealth of risk research, news and debate on various other topics.

Following on from our last issue, where we asked if enough is being done to encourage and protect whistleblowers, we speak to Michael Woodford, the former president of Olympus who was shooed out the back door when he started posing questions about “murky transactions”. Turn to pages 12-13 to find out why it felt like he had brought “a curse upon our family”.

Two risk monoliths go head to head in our debate column as we ask if ISO 31000 is fit for purpose. Lots of virtual blood has been spilt on this subject, so see what happens when we bring the debate to RMP on pages 19-21.

We also check which sectors are excelling in embedding enterprise risk management, examine the role of risk managers within the police service, a focus on risk in Australasia, and a roundtable full of expert insight on IT security.

And we still had to find room for the main event of the quarter – IRM’s Professional Development Forum. Three hundred risk practitioners attended the event in Manchester, UK, in April, and we bring you our review of proceedings on pages 40-43. As usual, the event was a blend of networking and new insights, but with a twist. As well as speeches on green pigs and meerkats, there was dancing, comedy and the surreal moment when one risk professional serenaded me with some John Denver.

Something else worth celebrating is the recent agreement between Zurich and IRM, whereby all Zurich risk engineers now automatically become IRM members to at least affiliate level. For more information turn to page 44.

When recently watching The Apprentice, a BBC reality show where contestants compete to become business partners with famous British entrepreneur Lord Sugar, I came across risk analyst Bilyana Apostolova. Here was a chance for the British public to see the face of risk management.

But how quickly it went downhill! By the end of the first episode Apostolova had rubbed Lord Sugar up the wrong way. As he decided who to sack from the losing team, Apostolova continuously interrupted the bearded face of British business until his patience collapsed and he fired her.

With that in mind, we plan to examine soft skills in our next issue. In the meantime, expectation continues to build ahead of the Olympics. Fingers crossed the event lives up to expectations.

And finally, some of you may have noticed that we have launched a digital version of the magazine that can be read online or on your smartphone or tablet. We hope this improves your reading experience.

Tom Bovingdon, editor
letters

End of the road for “risk”?

Christopher Day MIRM wrote [in RMP March 2012] that “the whole principle of worrying about the precise meaning of words is complete anathema to me” – in response to my concerns about the definition of “risk”. But if we do not consider what others mean by a word, we are unable to communicate. “Use the normal terminology” says Day, but what is “normal?” I agree the predominant English connotation of “risk” is the chance of an unfavorable outcome, but many other English readers consider “risk” to be the adverse event itself, while a few see it as a measure of probable likelihood and consequence. If, as Norman Marks FIRM argues, our critical needed skill is that of a “communicator,” then we need to acknowledge the word “risk” creates confusion!

I accept that “risk is overwhelmingly negative”, but if the discipline of risk management focuses only on negative outcomes, it cannot affect strategy. Yes, a risk manager can keep an “opportunity register”, as Day does, but then shouldn’t we call what we do “opportunity and risk management?” Words and their meanings do matter. In the same issue, Marks said our problem is that there is “no common understanding, or even a common language, for risk management or risk”.

Later in the same issue Steven Shackleford appears to agree with Day: “Clients believe it is right that risk professionals should be naturally averse to taking risks” - but others quoted in your pages see a broader responsibility. Woolfson and Evans: “What makes some people ignore the upside of risk?” And Marks: “As long as risk management is associated with threats rather than making better decisions, you aren’t really adding value.” And Johannes Arreymbi: “I see risk as being about managing uncertainties.” And the Risk Decisions article: “…Recording the risks (threats and opportunities)”.

If “risk” is generally understood to mean something negative, and if we can agree that our role is to anticipate future uncertainties, building coherent response capabilities, then perhaps we must rename what we do. I see it as “a discipline for dealing with uncertainties”. The continuing confusion around the word “risk” itself suggests that this word has outlived its usefulness.

Felix Kloman FIRM, head of Seawrack Press
Book review

MEGACHANGE: The World in 2050 (Economist)

Those expecting this book’s views on the future to live up to the title “MEGACHANGE” may be in for some disappointment. “More of the same, but faster”, might be a more apt title.

That said, the experts bring great credibility, present well argued detail and are likely to be right in many of their predictions. There is much to recommend of real value to risk professionals and students of risk, such as the transformational power of increasing rates of change (if a competitor is taking your market share at 10% a year…you will soon be out of business).

Other useful topics include the increasing power and immediacy of social media and its role in consumer decision-making – this will probably make attention to reputation risks ever more relevant in the boardroom. Also, the focus on the vulnerabilities of supply chains will be grist to the mill of many risk managers.

But there is little radical thought here and rather too much extrapolation of current trends. So, no onset of a little Ice Age, no impact of pandemics, no birth of the first person to live to 500. In short, little mention of the unlikely scenarios that might trigger “MEGACHANGE”. Risk professionals may also be dismayed at some of the “certainties” such as ever increasing global population; something that is very likely, but is not certain.

The book argues cogently that the doomsayers are often proved wrong but spaceship earth should not be considered unsinkable, even by economists.

Charles Toomer FIRM
Letters, which may be edited, should be submitted to the editor, Risk Management Professional, Perspective Publishing, Sixth Floor, 3 London Wall Buildings, London EC2M 5PD or emailed to tom.bovingdon@rmprofessional.com
Risk Leaders Conference 2012
Practical strategies for risk at board level
Tuesday 20 November
Dexter House, Royal Mint Court, London EC3N 4QN

RISK LEADERS CONFERENCE - 20 NOVEMBER 2012 - LONDON

IRM’s Risk Leaders conference is designed specifically to meet the needs of chief risk officers, heads of audit, non-executive directors and others responsible for risk at board level. With speakers and seminars covering critical risk issues, as well as an outstanding networking opportunity, the fast paced programme will cover topical risk issues such as:

• Risk Culture
• Developments in corporate governance
• Emerging risks that boards need to be aware of
• Risk and Strategy

Speakers include Michael Woodford, former President and Worldwide CEO of Olympus, and Jim Sutcliffe, Chairman of the new Codes and Standards Committee at the Financial Reporting Council (FRC).

IRM’s Risk Leaders conference is the must-attend event for senior risk professionals and sells out quickly. To guarantee your place, pre-register your interest by emailing events@theirm.org.

Sponsorship and partnership opportunities are available. Contact murray.barber@theirm.org for further details.

To find out more about this year’s conference call +44 (0) 20 7709 9808, go to www.theirm.org or email events@theirm.org

The Institute of Risk Management, 6 Lloyd’s Avenue, London EC3N 3AX.
Chairman’s column
irm

Conquering the conker misconceptions

Richard Anderson FIRM examines the role of risk management in society

I recall an interview some years ago when I was applying for a job. The interviewer said: “You don’t look like a risk manager. I mean, you don’t look like a man who would only say ‘no!’” Of course, I never thought that my role as a risk management professional was simply to say “no” but this did lead me to think about just what it is that the risk management profession offers to society.

Are we a bunch of do-gooders and pleasure destroyers who stop children from playing conkers and remove hanging baskets from (formerly) pretty market towns? Or, as many people suspect, are we simply insurance folk dressing up as management consultants? Or is there possibly a greater benefit to society that we are able to provide?

There has been considerable political interest in risk management recently. During the passage of the healthcare bill through parliament, the opposition party has been calling for the government to release the strategic risk register prepared by the NHS in anticipation of the new legislation. The government declined on the basis that sharing a risk register would “chill” thought-provoking advice from civil servants. Risk registers have arrived on the political agenda.

Of course, the argument provided by the government is almost exactly why many American corporations prefer not to record their risks in a written format: they might be used against them.

So how can risk management be anything other than a hindrance if it is only about saying “no”, stops children from playing conkers in the school playground and can then be used against you if you take it seriously? I believe that risk management can be an enormous power for good. Historically we have focused on control over that where we can exercise control: in other words things that are happening now, or recording things which have just happened. If we could not exercise control, or we could not record the event, then we were likely to put it down to forces of nature or to religion.

But attitudes have changed. Citizens are expecting accountability from the state, and shareholders are expecting accountability from boards and managers. Risk management has a major role in facilitating that accountability.

Risk management provides a framework for a new paradigm of control: establishing how one might act in the event of uncertain futures. This is not the bland budgeting and forecasting of yesteryear, but rather a new way of thinking. Risk management is about bringing a perspective to the management (rather than avoidance) of complicated issues in complex organisations. It helps to prioritise your work and that of others in a fast-moving context with an approach that is better than simple intuition and which facilitates communication between people. It is a style of thought, and is definitely not a paper chase.

If this is truly the case, then risk management is much more about enabling new things to happen than simply stopping “bad stuff”; it is about reducing stress in society and in the workplace, because we will all feel much more “in control” of events if we have thought about how we are to manage them. If I am right, then we will see risk management providing a better balance between risk taking and risk avoidance, and a better balance between our performance culture and the ethics of both our society and our workplace. If we get those two balancing acts right then we will see a more sustainable (in all senses of the word) future.

My guess is that public perception has a long way to go to catch up with modern thinking in risk management. As a profession it is our responsibility to pick up this challenge and to provide an explanation of why our work matters.

Richard Anderson FIRM
IRM chairman
INDUSTRY FOCUS
analysis
Risk Leaders’ keynote
The wronged man
Michael Woodford, former president and CEO at Olympus,
was ousted from the company after publicly blowing the
whistle on almost $2 billion of hidden losses. He talks to
Tom Bovingdon ahead of his speech at IRM’s Risk Leaders’
Conference in November
In July 2011, Woodford was relaxing
at a hot springs resort when a friend
translated an article from the Japanese
FACTA magazine alleging wrongdoing
and a cover-up of mysterious losses
at Olympus.
Woodford picks up the story: “When
I saw that [article] I thought this was
serious. I still didn’t believe this but when I
challenged the chairman and vice-president
on 2 August I could tell by their reaction –
their discomfiture, unease and lack of any
credible explanation. Then I knew there
was something terribly, terribly wrong.”
Woodford immediately confronted
Olympus executives. They dismissed his
concerns, Woodford claims, as they didn’t
want to bother him with a domestic issue.
“I’m the president of the company. I’m
clearly very busy and they didn’t want me
distracted by this. And I’m the person who
signs off the accounts and the letter of
representation with the auditors.
“I asked whether it [the article] was
true and they said: ‘Some of it is’. Which,
again, I found an extraordinary response.
They weren’t going to tell me anything,”
he claims.
While other Japanese media ignored
the emerging storm clouds, Woodford
felt compelled to act after another FACTA
article appeared. This time, Woodford
decided to write a letter to the
entire board.
“FACTA published again on 20
September and this time it alleged links
with anti-social forces. And that was
enough. I said: ‘I’m going to formalise
this.’ That was when the series of letters
was written. ‘Anti-social forces’ is a
euphemism for organised crime, which is
the Yakuza in Japan. I knew I was passing
a line as soon as I wrote those letters.
There was no going back.”
Olympus assured Woodford that
the matter had been independently
investigated in 2009, but Woodford
was unsatisfied. “I saw the independent
investigation and it was an utterly useless
document… I said I wouldn’t go back to
Japan unless I got some answers and
that I would resign unless I got those
answers. There were safety and legal
reasons [for not returning to Japan].
“If I was the president I wasn’t going
to manage the company blind unless I
received a satisfactory answer. I wasn’t
going to go back because my presence
would make me complicit.”
The backlash was immediate.
“At the next board meeting I was
criticised for writing those letters. The
share price was down at 80 per cent
and the institutional shareholders, still
to this day, have not made one word of
criticism - not one - of the incumbent
board, after the Tobashi [financial fraud
scheme] was exposed, and not one
word that Mr Woodford did the right
thing. Nothing.
“You have the dichotomy of overseas
shareholders up in arms saying it’s
outrageous, then not one word from
[Japan-based] others. They wouldn’t even
see me.”
Once ousted, Woodford started a
proxy battle to unseat the management
but later backed off because of the
lack of domestic support. He tells Risk
Management Professional: “I think we
had a chance of winning the proxy but
I wasn’t going to bring down the whole
edifice. That’s for Japan to deal with.”
Soon Woodford was concerned for the
safety of his family, with the FBI and the
Metropolitan Police Service advising him
on how to stay safe. As he retreated to his
London “bunker”, he received an email
from Jake Adelstein, author of Tokyo Vice
and a world authority on the Yakuza,
warning him of the Yakuza’s ways and
explaining how they had had someone
assassinated in Thailand. Woodford’s wife
saw it.
“It was very frightening. My wife
suffered terribly. My wife got that [email]
and went to pieces. She was screaming,
in a trance every night; waking around
one o’clock and she would then fall back
asleep once I’d calmed her. But I’m a light
sleeper so I was loaded with adrenalin.”
Woodford on Woodford:
“I was a businessman. I was used to chairing meetings, maybe the marketing of a new
product, or the quality, cost and delivery of our manufacturing, or spending time with
our research and development groups. It was a conventional life as a businessman.
And suddenly I found myself in a John Grisham novel.”
“I wasn’t angry. I was just driven and persistent to get to the truth. I just wanted to be
forensic in my follow-up and be factual.”
“My hands still go cold when I tell the story.”
He adds: “It’s like a black comedy [now]
but not when my wife was having a
nervous breakdown and my daughter
was in tears – my wife, particularly, is still
getting over it emotionally. I don’t think
she’ll get over it in its entirety. She’s a
mother. What curse had I brought upon
my family? We had our differences. I
was zealot-like, particularly afterwards. I
wouldn’t give up.”
But surely he considered keeping quiet
and having a quiet life?
“The thing that’s surprised me most is
that the overwhelming majority of people
say: ‘Gosh, why did you do that?’ If
enough people say it you think, ‘gosh,
maybe I am mad’. I would have thought
most people would have reacted in
the same way but I’ve now come to a
different opinion.”
So what lessons can he impart to his
audience of global risk professionals at
IRM’s Risk Leaders’ Conference on 20
November in London, UK?
“I will take the audience through what
happened, look at the lessons learned and
the generalised themes”, he says. “If you
need any tale to reinforce the importance
of risk management, this is the one. This is
the perfect one.”
He adds: “Risk management says what
happens if there’s an earthquake, or with
regards to currency exposure, health and
safety. I don’t know how you risk manage
the perverted golf club [culture]. You
can’t. The people running the company
were massively inadequate, in the case of
Olympus, and incompetent.
“The fundamental lessons to be learned
are: why did the auditors miss it? How
did they miss it? What role did the banks
have? How could they not know the
company was so indebted? All you are left
with is that there’s something very strange
and odd about the way Japan works.”
Woodford on corporate Japan:
“It is an Alice in Wonderland place, Japan. The absolute priority is to keep the clothes
on the emperor, even if there are no clothes. Deference, total obedience. Not everyone, but a majority. I look at corporate Japan as a great big golf club that has become
perverted and distorted.”
“The whole priority is don’t rock the boat, don’t create any noise. I think Japan lost
the last decade with no growth at all. There is huge concern over how many more
organisations like Olympus are out there. Because if you have that cultural approach,
if a company is in distress or not achieving what’s expected of it, you are likely to get
positions where people compromise themselves. I am certain there are [others].”
“I thought the lunatics had taken over the asylum.”
sponsored feature
olympics
Olympian risks
The world will be watching when the London 2012 Olympic and Paralympic Games commence
next month. But, asks Tom Bovingdon, what potential risks do the Games bring with them?
Olympic memories have a habit of
etching themselves in the public’s
imagination. Muhammad Ali
lighting the flame; Jesse Owens’s trophy
haul in 1936.
On 27 July 2012 it will be all eyes on
London and the regional UK host cities.
And beyond the predictable opening
ceremony fanfare – no doubt consisting
of Routemaster buses, pillar-box phone
boxes and iconic black cabs – lie the
Olympic-sized risks that come with hosting
the biggest and oldest sporting event in
the world.
A wealth of risks exists around the event
but we have chosen to examine five ahead
of the main event - one to symbolise each
Olympic ring.
Brand
Will Jennings, author of Olympic Risks, a research associate
at the Centre for Analysis of Risk and Regulation at the London
School of Economics and Political Science, UK, and a senior
lecturer in politics and international relations at Southampton
University, says the Olympics are a “fascinating example of
brand protection”. He adds: “It is the best known brand in the
world. Market research has shown that the Olympic rings are
up there with the symbols that everyone recognises.”
The International Olympic Committee’s (IOC’s) concern
stretches to the way the brand is ethically perceived, Jennings
says, adding: “They had a wake-up call with the Salt Lake City
corruption scandal that hit the IOC [where allegations of
corruption were rife, but no evidence of illegality was found]
and because of that they have been heavily influential in
pushing protectionism of the brand and safeguarding their
commercial sponsors.”
Anthony Mundy, facilities director at the Ricoh Arena, where
Olympic football matches will be held, knows how big an issue
branding is as his workplace is being renamed to the City of
Coventry Stadium for the duration of the Games.
He says: “We have a huge amount of commercial branding
from various organisations. We had to get agreement from
these firms that their branding would be covered up during
Games time. We have to cover every sign from the hand dryers in the toilets to the writing on the TVs. There is an Olympic
‘look and feel’ and then the commercial branding of the
sponsors of the Games goes on top.”
Legacy
Contemporary expectations around Olympic legacies are
“softer” than in the 1980s and 90s when there was an
emphasis on economic impact, stimulating the economy
and regeneration, Jennings says. He adds: “It is incredibly
difficult for an organisation that is geared around a short time
period to integrate legacy into its plans because as soon as the
Olympics is over, a lot of the main staff move on.”
One key issue is whether the Olympics will leave a trail of
white elephant stadiums, Jennings warns. He says: “Even in a
sports-mad country like Australia they struggled to fill some of
the stadiums after the Olympics.”
But Mundy says there are plenty of positive legacy issues,
such as the Ricoh Arena benefitting from new staircases,
modifications for extra footfall and extra CCTV. He adds: “And
then there is the softer side. We have reviewed our health and
safety policies and procedures, and held table-top exercises
with local authorities, emergency services and security services.
We were robust before but it’s made us look again and that’s a
positive thing.”
Andy Tomkinson, responsible for incident management and
business continuity at the Olympic Park for London Organising Committee of the Olympic Games and Paralympic Games
(LOCOG), says he believes his children and grandchildren will
be using the venues for sport.
And the legacy stretches to housing, crime and employment, he says, adding: “I don’t know anywhere else where the
village has been converted into a mix of social housing, council
housing and very highest level private housing. And all of that
has been sold so the legacy has kicked off before the athletes
have moved in. There will be a life-changing regeneration that
the Olympics bring and over 300 qualified apprentices who
now have jobs.”
Transport
An issue that Jennings says “has always been a concern”. He tells Risk Management
Professional: “There were concerns ahead of Sydney over whether their airport would
have the capacity. In Athens they were concerned about the trains. And Atlanta is a
classic example of where transport really derailed things.
“One can never tell quite how apocryphal the stories are but apparently there were
bus drivers getting lost on the way to venues and athletes turning up late for events.
It became known as ‘the glitch games’.”
Keith Tilley, an expert in business continuity and disaster recovery services from SunGard Availability Services, says forward looking businesses should ensure that staff can
work remotely during any disruptions. He says: “Businesses need to understand the
importance of investing in business resilience and a comprehensive continuity plan.”
Tomkinson says that “the transport services in London are ready” for the
challenge of coping with a huge influx of visitors, adding: “The travel advice for
business has had hundreds of thousands of downloads”.
Mundy says the Ricoh Arena has had “unique” challenges in its position away from
the city centre. He says: “Typically around 80 to 85 per cent of people travel here
by car to our 2,000 on-site and 5,000 off-site parking spaces. The change for the
Olympics is that we’re not allowed to use the former as the stadium has to be ‘clean’.
We lose those spaces. So the Olympic Delivery Authority (ODA) is laying on free bus
services during Games time for ticket holders and staff in a big push to get people to
change their attitudes.”
Security
Tomkinson says it is “absolutely fundamental to provide a safe and secure Games”.
He adds: “We have a security posture and an execution plan that meets the requirements to mitigate those risks that we have been informed of by intelligence.”
Jennings agrees that security is “one of the most prominent issues”. He says: “The
standard budget for securing the Olympics is now in excess of one billion pounds. This
is an incredible cost. The risks of terrorism at the Olympics are not that different to
the underlying risks that London faces on a day-to-day basis but the Olympics offer a
symbolic platform for various groups who want to make a statement.”
Political
Jennings says the IOC attempts to
defuse domestic disagreements by
getting the main political parties in
host countries to sign an agreement
to support the event. But he concedes
that international politics bring even
greater risks.
He says: “At the Moscow Olympics
you had a US boycott because of the
Soviet invasion of Afghanistan. If there
is an outbreak of military intervention in the world by any major world
powers, it will always create tension
before the Olympics.”
At a more local level, Mundy says
that the Games has helped develop
“excellent lines of communication and
great networks” with people in the
local council.
He says: “We have been reporting twice every month to the council
and they have been really supportive,
helping us to tackle different issues that
crop up. And it’s been fantastic to build
a relationship for future working.”
sponsored feature
olympics
Resilience - the real lasting legacy of The Games?
In the wake of the Diamond Jubilee, the Olympic Games will focus the world’s attention on the
UK, giving firms numerous challenges to overcome if they are to continue business as usual.
Keith Tilley argues that businesses that use the Olympics as a catalyst to improve their resilience, not only for the duration of the Games but into the long-term, will come out winning.
Research¹ commissioned by SunGard
Availability Services shows that
British businesses are taking this
message on board to varying degrees.
More than half of those that have taken
steps to mitigate Olympics-related disruption believe that adopting these practices
longer-term will make their businesses
more efficient. Almost half say it will make
them more resilient, over a third more
competitive and one fifth a better place
to work, while almost a fifth believe it will
give them greater operating capacity.
Almost two-thirds have made plans to
reduce the disruptive effects – although
only around a quarter have tested plans in
place and feel ready for the Games.
Three in four firms have learnt from
bitter experience of previous business interruptions and intend to assess their business
continuity plans before the Games, while
just over half will evaluate the effectiveness
of their plans afterwards.
This appraisal process should naturally
result in more effective organisational resilience and availability strategies.
Increased threats
With an extra one million visitors a day
expected to use the tube network on the
busiest days and widespread road closures
throughout central London and around
other Olympic venues, organisers are
urging businesses in the affected areas to
plan for the inevitable transport chaos.
The ripple effect is likely to be felt across
the UK with businesses outside London
potentially affected by transport disruption, infrastructure strains, skeleton staffing, interrupted supply chains, protests
and denial of access (or exit).
The Games, which will be televised
worldwide, present a golden opportunity for any terrorist group or lone
wolf determined to stage a high profile
terror spectacular. As anyone old enough
to remember the horrors of the 1972
Munich Olympics will attest, this is not
sensationalist scaremongering but a very
real threat taken seriously by the Games’
organisers who have doubled the original
security budget.
For all these reasons, it is perhaps unsurprising that firms may view this year’s
events as a major headache rather than
cause for celebration.
Differing priorities
As might be expected, the SunGard-sponsored research revealed that organisational
priorities differ according to each director’s
area of functional responsibility.
For instance, almost half of HR directors
have focused on developing special flexible working policies to operate throughout the period and plan to introduce
flexible working, shorter hours and remote
working. These concessions are most
likely to apply to those who are not in a
customer-facing or location-specific role.
IT directors, on the other hand, are
relying on technology to see them
through. More than half are increasing
investment in technologies to help them
counteract the worst effects of disruption. This includes infrastructure upgrades
to allow employees to access documents
from home and introducing tablet and
smartphone devices.
Over half of operations directors have
already adapted their delivery schedule
as a result of other major disruptions in
the past two years. Forty per cent have
introduced new systems or technology
to enable them to manage supply chains
in a more flexible way and almost a third
have collaborated with other retailers
and logistics providers to share loads and
delivery slots.
They are relatively well prepared for
the likely disruption with 70 per cent
having made contingency arrangements
with suppliers and partners. These
include adapting delivery schedules, stockpiling as much as possible beforehand
and asking logistics staff not to take
leave during the period.
Practical plan of action
The research showed employers expect
only half of their workforce to be active
immediately following a major disruption
but today’s technological developments
mean this need not be the case. So how
can firms ensure that it is ‘business as
usual’ when the Games return to the UK
for the first time in 64 years?
SunGard Availability Services has
published a ten-step guide to Becoming Games Ready that recommends the
following action plan:
• Step 1: conduct a risk analysis –
identify issues and critical processes at
risk, understand staff commuting habits.
Use own staff or consultancy to make
up lost time
• Step 2: evaluate options, solutions
and establish workarounds, staff operational procedures and policies with the
business; refresh incident management
arrangements
• Step 3: contract a third party provider
if external expertise is needed or you
lack the resources to prepare properly
yourself
• Step 4: source any additional resources, such as extra ports and VDIs, and
review business interruption insurance
• Step 5: implement and test solutions
or workarounds; identify any failings
and correct them
• Step 6: establish alternative suppliers
for sundry items such as water, food,
office consumables; order surplus to last
two months. Test solutions and workarounds to ensure they work in practice
• Step 7: communicate policies to staff
and benefits to stakeholders
• Step 8: implement proactive measures
and be in a high state of incident management readiness to react to events
• Step 9: stand down from a state of
high alert
• Step 10: review performance and
exploit your new capability to deal with
future disruptions
The importance of communicating
contingency plans effectively (Step 7)
should not be underestimated as this is an
area either frequently overlooked or done
badly. In fact, the SunGard survey flagged
a yawning gap between what employers
and employees believe. While over half of
bosses claimed to have communicated the
business’s contingency plans, almost nine
out of ten employees said they felt in the
dark about Olympic working policies!
Another point worth noting for firms
drawing up policies relating to staff is that
while the Games present great teambuilding opportunities, they also create
potential for conflict. It would be wise to
include an instruction to tone down overt
nationalism in the workplace to minimise
the risk of confrontation between colleagues supporting opposing nations.
A stick and a carrot
The clock is ticking loudly for businesses
that have not yet put plans in place
to avoid the huge upheaval caused by
the Olympics. The fallout from disruption caused or exacerbated by poor or
no preparation stands to affect not just
operations, but customers, profits and
reputation too, which means this is very
much a director level concern. What CEO
wants an Olympics-related disaster – that
with planning could have been avoided –
on their hands?
This isn’t about creating unnecessary
unease – developing, refining and testing
business continuity plans can be a lengthy
and time consuming process. But it’s a
hugely important one; businesses need to
see this as a golden opportunity to implement measures that will not just benefit
them for two months in 2012 but will
serve them for years to come. One thing is
certain: having had four years to prepare,
if they fail to do so and let customers
down, goodwill is likely to be very thin on
the ground indeed.
Olympics aside, there are other, more
compelling arguments for seizing this opportunity to build a resilient business. Business continuity today has evolved from being a reactive response primarily concerned
with recovering from a disaster to become
an integral part of an enterprise-wide quality management process that ensures the
business is always available.
In today’s global marketplace firms simply cannot be ‘offline’ for any reason. If
a newspaper misses its print slot, its space
on the newsstand will be taken by a competitor publication. Should a supplier fail to
deliver supplies to a supermarket’s distribution centre, its shelf space will be filled by
rivals’ goods. If a call centre’s phone lines
or website are down, consumers will simply
buy their insurance, flights or utilities from
someone else.
In other words, rather than being a
begrudging tick-box exercise to remain
compliant or as insurance against a disaster
scenario that may never occur, the strongest organisations make it a fundamental
plank of their strategy to ensure they
remain open for business, no matter what.
After all, businesses that can demonstrate their ability to withstand potentially show-stopping events such as severe
weather, industrial disputes, terror attacks
and power or technical outages could
find this a considerable advantage when it
comes to attracting new business.
So while the government hopes the
huge cost of staging the Games will be
justified by its sporting legacy, the 2012
Olympics may yet leave something even
more valuable. By fostering increased
understanding among British businesses
of the importance of ensuring resilience
in the face of disruption, the benefits of
the Olympics will last well beyond the
closing ceremony.
¹Independently conducted by Vanson Bourne and YouGov in
February 2012
Keith Tilley, managing director UK &
Ireland, executive vice president Europe,
SunGard Availability Services.
Fed up with the fight?
AVAILABILITY SERVICES
MAKE A RECOVERY, NOT WAR
If getting the resources you need is a constant battle, we can help.
Having completed more than 100,000 recovery tests, we found that some businesses just have a plan, while others
continuously test and sync it with the rest of the business. But time and again, resource is the main issue. It’s impossible to
test, or recover, without technical support from colleagues outside your department, but they will already be battling with
their own priorities.
At SunGard Availability Services, we can manage your entire testing and recovery environment, including the process, tasks
and the recovery itself. Our experts work side-by-side with you to review and develop your plans and define procedures.
Together, we make sure the plan is in line with your production environment from design to testing to change control.
And we are ready to perform the test and carry out the recovery for your business 24/7/365.
SunGard’s Managed Recovery Programme can help you focus your energy on building your business, rather than fighting
over how to get up and running following a disaster.
Discover a less stressful route to recovery and request a free consultation by calling 0800 143413
or find out more at www.sungard.co.uk/MRP
SunGard and the SunGard logo are trademarks or registered trademarks of SunGard Data Systems Inc. or its subsidiaries in the U.S. and other countries.
All other trade names are trademarks or registered trademarks of their respective holders.
LEGAL VIEW
INDUSTRY FOCUS
Risk managers and
vicarious liability
Risk managers are not ‘vicariously liable’ for the misconduct of
others, says law firm RPC, after a recent ruling relating to the
UK Financial Services Authority (FSA).
The long-awaited Upper Tribunal
decision in John Pottage v. the FSA
is a reminder from the regulated
financial services sector of the test that
applies when assessing whether an
individual has committed misconduct. We
consider what it means for risk managers.
Pottage was appointed CEO of UBS’s
wealth management business in September 2006, having been with the firm’s
wealth management business since 1999.
The FSA case
The FSA alleged that on becoming CEO,
Pottage failed to discharge his responsibility to carry out an adequate ‘initial assessment’ of the governance and risk management framework of the firm, including: the
firm’s governance and risk management
framework; operational risks; the quality
of management information; the practical
implications of the global matrix management structure adopted by the business;
and the strengths and weaknesses of the
individuals who reported to him.
The FSA alleged that had Pottage carried out the initial assessment properly “it
would have been apparent that there were
serious flaws in the design and operational
effectiveness of those [governance and
risk management] frameworks”. Pottage
should, the FSA said, then have instigated
a ‘systematic overhaul’ - the kind of steps
the FSA thought reasonably required to
ensure compliance. The FSA’s complaint
was that he should have done such a
systematic overhaul earlier.
The FSA did accept though that, upon
his appointment, Pottage received assurances from certain individuals, including
his predecessor, that there were no issues
about which he needed to be particularly
concerned. But the FSA concluded that
Pottage had been “too accepting of the
assurances he received...” and believed he:
“should have questioned more vigorously
the assumption that the frameworks were
fit for purpose and that they had been
implemented locally.”
The tribunal’s decision
The tribunal found serious flaws in the
firm’s systems and controls but the critical
question for the enforcement action for
misconduct was whether Pottage personally failed to take reasonable steps (i.e.
whether his failure to initiate a systematic
overhaul sooner was unreasonable).
The tribunal decided that, on the facts
of the case, Pottage had not behaved
unreasonably. It took the view that two
to three months from the start of a role
would normally be appropriate for an
initial assessment.
No matter what the immediate
exigencies of the business, those new
to risk management of a firm should
conduct an initial assessment of (to use the
words of the FSA’s expert in the case) “his
objectives; his authority; the character and
quality of the senior executives on whom
he depends; and the nature and condition
of the organisation over which he now
presides, including the adequacy of its
controls”. Importantly, the tribunal noted
“that no one [in the firm itself] or indeed
the FSA, had suggested, prior to the initiation of the [systematic overhaul], that it
was necessary or appropriate to carry out
a wider review of systems and controls
than had in fact been put in place”.
Given the number of those in functions
such as audit, risk, legal and compliance in such large organisations, and the
informality with which ideas and recommendations can be instigated, directors
with risk management responsibility need
to address recommendations and state
clearly why they are minded to follow
them (or not, as the case may be).
Is regulatory reform possible?
The tribunal’s analysis is unremarkable but
important; making clear that the test for
personal culpability for misconduct under
the FSA’s regime is essentially the same
as that for negligence - reasonableness.
The case produces no new law but serves
as useful confirmation that a director
cannot be ‘vicariously liable’ for breaches
by a firm unless a causal link establishes
personal culpability.
Vicarious director liability – at least in
the context of failing banks – has been
discussed (for example) by Adair Turner,
the FSA’s current chairman. If the test
was one of vicarious liability for failures
committed in parts of the organisation for
which one has functional responsibility
then Pottage would have been liable.
True vicarious liability is appropriate for
assessing an entity’s liability to pay compensation but does it really have any role
to play when disciplining a human being?
What is the point of disciplinary liability in
the absence of genuine fault?
We hope neither the law nor regulation will be reformed to invoke vicarious
liability in misconduct cases.
Steven Francis, partner; Robbie
Constance, senior associate, RPC
INDUSTRY FOCUS
Enterprise risk management
Age of enterprise
Enterprise risk management (ERM) first gained prominence in the wake of the WorldCom and
Enron scandals, reaching new heights after the collapse of Lehman Brothers in 2008 and the
ensuing fallout. Lynn Strongin Dodds examines its current progress and the ingredients to a
successful ERM strategy.
Despite ERM’s burgeoning profile
and well-documented attributes
– it can significantly reduce an
organisation’s net risk exposure and act
as an effective tool in the decision making
process – the strategy is still a hard sell in
many corporate circles.
One of the main reasons is cultural.
“The biggest challenge is getting buy-in
from people,” says Alex Hindson FIRM,
previous IRM chairman and head of group
risk at insurer, Amlin.
“This is why implementing an ERM
strategy is not just about the processes
but also about changing behaviour and
attitudes. Understanding the culture
is very important because you need to
develop an appropriate ERM [strategy]
that fits the organisation.”
Embedding ERM
To gain a better understanding into the
dynamics of an organisation’s risk culture,
IRM is currently conducting research to
determine how companies can effectively
embed an ERM strategy.
The institute is examining various
international organisations as well as their
employees and their interaction to identify
the best practices. The aim, according to
Carolyn Williams MIRM, head of thought
leadership at IRM, is to “create awareness
within a company about its risk culture
and how that can be adapted when developing a risk management framework”.
Changing attitudes, though, does not
happen overnight, although regulation
such as Basel III and Solvency II is focusing the collective minds of the financial
services industry. Both sets of rules place
greater emphasis on the quality of a company’s risk management and governance,
as well as on the quantitative assessment
of risk and capital. As a result, insurance
companies and banks are gearing up, but
for many other industries there seems to
be more talk than action.
This is supported by a recent study
by Zurich Financial Services Group in
collaboration with Harvard Business
Review Analytic Services. It found:
• that even though global companies
have intensified their efforts on ERM over
the past four years, many are struggling to
build an effective, risk-aware culture
• two-thirds of the 1,419 canvassed
said that ERM had moved up the agenda
• but only one in ten felt that their
executive management was “highly
effective” in creating a strong risk
management environment
• just 14 per cent believed that their companies linked risk information to strategic decision-making “extremely well”, despite this being identified as “extremely important”
www.rmprofessional.com | June 2012 | Risk Management Professional |
Risk reluctance
The main barriers included an over
emphasis on compliance rather than
fundamental processes, lack of strong
management support and a reluctance to
take a holistic approach.
These findings were echoed by a paper
published earlier in the year by PricewaterhouseCoopers (PwC) called Black swans
turn grey: the transformation of risk. It
showed that many companies did not
have a comprehensive risk management
programme in place and as a result were
being outpaced by an era of catastrophic
‘black swan’ – low probability but high
impact – events.
Like the Zurich and Harvard studies, the
PwC report advocated a new, more flexible and holistic approach to risk management where the focus was much more on
a company’s risk appetite. It also
recommended that there needed to be
a clearer ownership of risks at leadership
levels, with risk awareness and accountability shared across the organisation
through a common risk culture. This can
provide a company with a competitive
edge and there is also growing evidence
that businesses seen to truly embed a risk-aware culture are valued more highly by
the markets.
Although organisations have different
approaches, there are common frameworks that can be applied across the
spectrum. The starting point, according
to Mike Wilkinson, an insurance management consultant at Towers Watson and
IRM affiliate, is to understand the objectives, quantify the risk appetite, break
down the silos, communicate and engage
people throughout the organisation.
“The cultural aspect comes from the
top managers. They need to make sure
people understand the value proposition
with regard to ERM and why it is important to them. There is also a carrot and
stick element in terms of performance
measurement and remuneration. Increasingly, especially in banks, rewards are
being aligned to risks and how they are
managed. I expect to see this approach
adopted more in other industries.”
Tone from the top
The most important factor is that the chief
executive and board take responsibility
and become the key drivers of the
ERM strategy. Companies may be hiring
more chief risk officers but their role is to
work in tandem with the CEO and not be
the sole driver of ERM in an organisation.
They should be advising and assisting,
providing regular communication and
tools to help manage and integrate risk
awareness into the company’s strategic
planning. But the ultimate responsibility
for moving the strategy forward lies with a
company’s top echelon.
James Portelli FIRM, group commercial
director at Lifecare International, notes:
“The CEO can either be the greatest
champion or the greatest challenge. In the
Middle East, for example, the constant
challenge is the lack of regulation and
enforcement. There is a certain opacity and lack of dissemination of industry
information.
“However, in general ERM fails because
companies are not seeing a direct link
between risk management and achievement of corporate objectives. In a carrot
and stick scenario, ERM is still viewed in
relation to the stick or its avoidance rather
than the carrot of profit maximisation.”
Hindson agrees, adding, “ERM is not a
hygiene factor but a business process that
ultimately belongs to the chief executive
who sets the tone as to how risk will be
managed and the level of discipline to
be applied. Senior managers need to
be involved to support and help deliver
this vision.”
For example, at Amlin employees report
their risk events and near misses on a
regular basis to their line managers in
order for them as well as the company to
learn from their mistakes. Hindson adds:
“We have also put in place a top down
culture of accountability and have made it
clear who owns which areas of risk.
“The theory is that if you are responsible [enough] to run a business then you
can be in charge of risk management. It
is a constant and consistent process that
looks at the risks that can hurt the business and whether we have done enough
to mitigate them.”
Richard Archer MIRM, risk development
lead of BT and former ERM manager at
the Wellcome Trust, also believes that a
successful ERM strategy comes from the
senior managers.
If these managers are using risk information in their management and decision
making, staff will be motivated to engage
with risk management. If they are seen
not to value risk management, people will
not be motivated in the same way.
At the trust, risk management is overseen by the board and also the executive
board, with additional senior management
focus through the risk committee.
The corporate risk register has clear
top-level support and this is explicitly
stated by the most senior staff at large
staff meetings.
Demonstrating value
Care is also taken to ensure that the
value of all data generated outweighs
the effort of producing it. For example,
after a debate in 2010 the trust switched
from ranking inherent/residual to residual/
target, so that more emphasis could be
placed on ensuring sufficient actions were
being carried out.
“Risk managers should challenge
themselves as to why they collect all the
information they do,” says Archer. “The
question is not just: ‘Is the information
used?’ but ‘Is collecting the information
worth the effort and might this effort be
focused better elsewhere?’”
IRM’s Williams adds, “On paper you
can have all the processes, reporting lines
and documentation in place, but if people
are not going to do what you hope they
will then implementing ERM will be a
big issue.
“Every organisation has their own culture and that reflects the people in it.”
Lynn Strongin Dodds, freelance writer
INDUSTRY FOCUS
police service
Thin blue line
Against a backdrop of low morale, swingeing cuts and the aftermath of the riots, risk professionals
in the police service have to make split-second decisions on a range of threats as an ever-thinner
blue line attempts to keep confidence and public order. Hollie Clemence investigates.
Managing risk in the police service
can be a matter of life or death.
Police officers face significant
dangers as part of their job, which could
be anything from averting a terror threat
to protecting a child from harm.
While this might seem very different to
managing risk at a corporate level,
the guiding principles still apply. One
challenge for police service risk
managers in recent years has been to
embed risk-based decision-making at
every level across UK forces – whether it
is a senior manager faced with dwindling
finances or a bobby on the beat faced
with a knife-wielding offender.
With more than 40 police forces across
England and Wales, each with their own
systems and practices, the Association of
Chief Police Officers (ACPO) recognised
the need for a national decision-making
model to harmonise systems and practices, which was introduced last year.
Tim Burton, who was the risk manager for Devon & Cornwall Police from 2006 to 2011 and is now the force’s benefits realisation manager, worked with then chief constable Brian Moore to introduce the new model across the service.
He says it has helped to “demystify risk management to the degree that it was openly and knowledgeably discussed at all levels of meetings”.
The model encourages officers to: gather information, assess risk, develop strategy, consider powers and policy, identify options, take action and review what happened.
“Its main intention was to provide a tool for frontline officers to make risk-based decisions without having to refer to copious notes and doctrines when time was of a premium,” says Burton.
Demystifying risk
This decision-making model was designed to help officers make risk-based decisions while reducing bureaucracy and risk aversion – seen as a tool to help build “confidence of communities and use of discretion and professional judgement” – something the Home Office has said it is keen to see return to a frontline once viewed as unwilling to depart from strict policy and procedure for fear of getting into trouble.
Split-second decisions
And according to Inspector Pete
Chisholm, a response and risk manager at
Northamptonshire Police, it seems to be
doing the job.
“It is the dynamic nature of policing
that makes our risk management unique,”
says Insp Chisholm. “Sometimes because
of the nature of the job you have to make
a split-second decision but that decision
has to be the right one and have a desired
outcome. This, however, is greatly assisted
by the national decision-making model,
which is an excellent tool for decision-making and risk management.”
Insp Chisholm says the list of scenarios
he has to prepare for as a risk manager
is “endless”. “These could be major
incidents, such as a large scale road
traffic collision on the M1, raves, firearms
incidents, hostage situations, public order
incidents, high risk domestic abuse and
high risk missing persons,” he explains.
For Insp Chisholm part of the challenge
is making sure his team’s decisions satisfy
all parties involved, which includes the
public, his officers, the organisation and
himself, although he adds: “On occasions
one of those parties will not be happy
with a decision that you have made.”
Slow-time scrutiny
This means ensuring his risk management
processes, which might be used to make
an instant decision, stand up to any future
slow-time scrutiny from more senior officers and external critics such as the media.
The media spotlight is nearly always
shining on the police service. With every
news story there are risk-based decisions
to be made and one of the biggest issues
to affect policing in recent years is
budget cuts.
Since the coalition government came to
power and announced that it would have
to cut police funding by up to 20 per cent
over four years, police forces have had
to scale back on services and spending
without being seen to assess and manage
risk less effectively.
Outsourcing risk
With budgets tightening, some forces
are looking to outsource more of their
functions. Last month, it was revealed that
West Midlands and Surrey Police invited
private firms to bid for a £1.5 billion
contract to investigate crimes, patrol
neighbourhoods and detain suspects.
As more services are contracted out,
forces will be expected to handle
relationships with external companies and
the associated reputational risks that go
with them.
Justin Partridge, a former senior
manager at Lincolnshire Police who has
led on planning and risk for the force,
says the “interconnectedness of service
delivery in the modern public sector”
poses a risk in itself. For example, an issue
that affects a contracted private security
firm could easily become a risk for the
police service that outsources a contract
to them. And it is not just partners in the
private sector.
“Where charities and voluntary groups
undertake work in conjunction with
the police, the risk is increased, and the
control over that risk is often reduced, or
forgotten about entirely,” says Partridge.
He points out that many police community
support officer (PCSO) posts are funded
by councils, adding: “The risk is that a
decision taken outside the police force
might have huge impact on the delivery of
services by that force.”
Morale – or the lack of it – is another issue that could pose a risk to the service’s reputation and to public confidence. Police officers and civilian staff face drastic changes to their pay and conditions, which the Police Federation of England and Wales and staff unions have labelled unfair.
“This is a very real HR risk,” says Burton, “especially if disgruntled employees seek to undermine the organisation’s reputation in some way as a ‘parting shot’.”
Last year’s August riots will also have impacted on reputation. Each force involved will have planned for any future riots but, as Burton points out, the scale of events took people by surprise at the time. The reputational risk would have been taken into consideration alongside injury and public safety risks.
Similarly, the Leveson Inquiry – an examination of media regulation and the relationship between the police and the British press – will have implications. “The greatest area of risk to forces will be as a result of dirty washing being aired in public therefore damaging public confidence in policing,” says Burton.
Operational threat
Partridge says another effect on risk management in policing is technology: “Social media is removing the barriers to wide communication between the public and the police, which is a good thing, but there are some downsides.”
While advances in technology can help police catch criminals, they also risk leading criminals back to undercover police. Partridge says it won’t be long before a criminal could check a photograph of an associate against the memory of the internet. This would make it much harder for an officer to go undercover if information on the web reveals their identity.
Double-edged sword
So what of the future for risk managers in the police service? Different forces
treat the role in different ways, with some
having one dedicated risk manager, some
larger forces having dedicated teams and
others integrating the job into wider roles.
Burton highlights the double-edged
sword of a risk manager’s success. The
more effectively risk becomes embedded
in decision-making at every level, the less
need there appears to be for a defined
‘risk manager’ role.
“Over the years, chief officers have
become far more appreciative of their
responsibilities for managing risks,” says
Burton. In these situations, risk managers have worked hard as consultants and
advisors, he says. Where risk managers
have been primarily involved in another
key discipline such as insurance or health
and safety they have been able to retain
their positions and influence.
But Burton notes that in forces where
they were employed as enterprise risk
managers, their position has become more
difficult as senior officers grow in the
knowledge of risk management.
Significant unknowns
Despite this, Burton says police risk
management is in a “healthy state” but
believes the biggest risk to policing could
arrive in the shape of incoming police and
crime commissioners.
On 15 November this year the public
across England and Wales will elect a
commissioner who will be accountable for
how crime is tackled in their force area.
“Until the elections are concluded
we do not know who these powerful
individuals will be,” says Burton. “Without
that knowledge, control measures, such as
the relevant protocol and strategic policing
priorities, may be of only limited value.
The unknowns, and therefore the impacts,
could be significant for some forces, and
that could be why we continue to see
high profile chief officers stating their
intention to retire before the elections
in November.”
With the public and organisations
reliant on the police service to ensure we
can operate as individuals and businesses,
getting the balance right on all the above
risks has never been more important.
Hollie Clemence, freelance writer
INDUSTRY FOCUS
Women on boards
All trousers, no skirts?
Is the lack of female representation on your board making your organisation take a dangerous
approach to risk? Tom Bovingdon explores whether women really make firms less risky and
more profitable
When Fred Goodwin, former
head of the Royal Bank of
Scotland, had his knighthood
shredded many believed it was – in addition to the public vilification of bankers as
the economic system collapsed – punishment for what was typically viewed as a
macho, aggressive attitude towards risk
and governance.
Many commentators were quick to
claim that the financial crisis could have
been averted if more boardrooms –
especially those of the banks – had more
female representation.
But is there any truth to these claims?
What do women bring to boards that men
cannot? Should there be quotas imposed
and if not, how else will women finally get
a fair chance?
Feminine persuasion
In a Deloitte report published at the end
of 2011, Women in the boardroom: a
global perspective, the authors referenced
“extensive” research that suggested a
“correlation between the financial bottom
line and the proportion of women on
boards or in senior management”.
And according to a series of reports by
Lord Davies of Abersoch, a former banker
and civil servant asked by the UK coalition
government to review the state of women
on boards, “female directors exercise
strong oversight [and] can have a ‘positive,
value-relevant impact’ on the company”,
while also finding that a gender-balanced
board is “more likely to pay attention to
managing and controlling risk”.
His most recent report, published
in March, stated: “There is a negative
association between female directors and
insolvency risk – gender balance reduces
risk. This negative correlation appears to
hold good, irrespective of size, sector and
ownership, for established companies as
well as newly incorporated companies.”
Claire Braund, director of Australian empowerment network Women on
Boards, says a 2006 report, Critical mass
on corporate boards: why three or more
women enhance governance, showed that
“a critical mass of three or more women
can cause a fundamental change in the
boardroom and enhance corporate governance across the organisation”.
Quota question
If you accept the basic assumption that
women have a positive effect on boardrooms – disregarding the philosophical
dilemma of whether a different gender
approach to risk would necessarily influence a board – the challenge is to ensure
women are given a place at the table. So,
could quotas be the answer?
In 2006, Norway implemented a quota
that 40 per cent of public limited firms’
boards must be made up of the under-represented gender. Germany is said to be
considering quotas. A new law in France
has put an onus on listed firms to reserve
40 per cent of seats on the board for
women by 2017, while Spain has a similar
scheme in place.
Viviane Reding, vice-president of the
European Commission, announced in
March that she wants European boards to
be 30 per cent female by 2015 and 40 per
cent by 2020. Numerous other countries
have set targets. For example, Malaysia is
aiming to have women on the boards of
30 per cent of listed companies within the
next five years.
Braund says Australia was slow to act
in putting women on boards “despite
this overwhelming body of evidence that
having women on boards, in leadership
teams and just in the workforce in general
is good for business”.
She adds: “It took the inclusion of
diversity measures in the ASX Corporate
Governance Council Principles and Guidelines in 2009 to see any real movement
from listed companies in terms of women
in the boardroom”. In the year following
the new guidelines, 69 ASX200 positions
were filled by women, compared with 10
the previous year.
Elaine Heyworth, director at Heyworth
Risk Consulting, non-executive board
director at AIRMIC, non-executive director
at Raft Enterprises and a board member at
European Professional Women’s Network,
says that quotas are “absolutely” the
answer to get diversity on boards. She
adds: “It will force the pace and that’s a
good thing.”
However, Heyworth concedes that
Norway might have gone too quickly
with its 40 per cent target. She says: “I
would move from 15, to 20, to 25 [per
cent] over a three year period. Without
quotas companies will be reluctant to do
anything. There is a deep-seated disbelief
that women can make a difference.”
But Sharon Constançon, chief executive
of board evaluation consultancy Genius
Methods, warns that quotas are “artificial”. She says: “The situation should be
addressed at the nominations committee
and head hunter levels to force the
net to be cast wider, naturally including
more women.”
Lord Davies’s initial report decided
not to recommend quotas on the basis
that he “did not want to see tokenism
prevail”, despite finding that it will take
over 70 years to achieve gender-balanced
boardrooms in the UK at the current rate
of change.
But he added: “Government must
reserve the right to introduce more prescriptive alternatives if the recommended
business-led approach does not achieve
significant change.”
Golden skirts
The Norwegian experiment led to board-level women being dubbed ‘golden skirts’
– some say because of their success, others
because the lack of quality candidates has
enabled a minority to cash in.
Heyworth is quick to rubbish the idea
that quotas would promote ineffectual
women. She says: “I absolutely dispute
the contention that a quota would bring
in less experienced women onto a
board. There are masses of experienced
women and just because the board has to
get a woman doesn’t mean they will be
less qualified.”
And Deloitte’s report backs up
Heyworth’s belief, stating: “The fear that
quotas will encourage the appointment
of under-qualified or token appointments
does not appear to be borne out in
those jurisdictions where quotas
currently apply”.
It added: “Gender balance is likely to
benefit the companies that do adopt it.
It is increasingly being recognised as a
badge of good governance and therefore
desirable. Investors should demand it.”
When asked if there is a connection
between women on boards and profitability, Constançon says the connection makes
sense. She adds: “A more diverse board
is probably a board of a better governed
company where the board brings value to
the organisation.”
Risky proposition?
But in addition to the swathes of research
in support of what women bring to the
boardroom, a case can be found against
the proposition that females will enhance
a board’s risk oversight, governance
and profitability.
A report due out in the next several
weeks, Lehman sisters, by Renée Adams
and Vanitha Ragunathan, concludes that
banks with more female board members
were not less risky than other banks
during the financial crisis.
Adams, a professor of finance at The
University of New South Wales, tells Risk
Management Professional: “We do not
find that banks with more women were
less risky. If anything they have higher
idiosyncratic volatility.
“However, there is little downside to
this risk, as banks with more women also
performed better during the crisis.”
And according to a 2011 research paper
by David Matsa and Amalia Miller from
Northwestern University and the University
of Virginia, respectively, A female style
in corporate leadership? Evidence from
quotas, women are “more risk averse
than men” among the general population
but “women in the boardroom are not
and may even be more risk loving. In fact,
women assign less value than men
to security.”
Precarious position
Whether you accept or reject the
contention that women bring a different
perspective to risk and the subsequent
impact on performance, Braund believes
the key issue is to keep the gender
diversity discussion from stalling.
She says: “There is a sense of some
people, including those at the top of
companies, starting to disengage from
the topic, possibly believing it is being
addressed.”
For Heyworth, the key is to ensure
men and women start working together,
particularly to ensure that people don’t
adopt a herd mentality.
She says: “Groupthink happens
because it’s the same cultural fit around
the table. When you bring women into
a male board, you get diversity and you
break that groupthink element. But if you
brought men into an all-female board the
same thing would happen.
“This stupid idea that ‘Lehman Sisters’
would have been safer than Lehman
Brothers is nonsense because what
happened was a reflection of the competitive world they were living in. If it was a
bunch of women around that table they
would have had exactly the same goal in
mind. It was cultural, it was competitive. It
was the times we were living in.”
AREA FOCUS
AUSTRALASIA
Risk renaissance
Beset by natural disasters, economic uncertainty and with growing compliance pressures, risk has moved up the agenda across all industry sectors in Australasia. Helen Yates reports
Each one of the top 20 risk concerns faced by Australasian businesses increased its aggregated risk rating over the past 12 months, according to an annual regional risk survey by insurance broker Aon Benfield. External and operational risks showed the biggest rises, reflecting the view that the operating environment was considerably riskier in 2011 than in 2010.
These results are hardly surprising given the volatile chain of events affecting organisations. The high frequency and severity of natural catastrophes in Australia and New Zealand in 2011 – not to mention the wider Asia-Pacific region – tested business resilience.
Meanwhile, tightening regulation and continuing economic and financial concerns, both at home and abroad, have demonstrated how quickly the business environment can change.
One of the overarching trends is a stronger board level focus on how organisational risks are measured and monitored. “We’re seeing a greater desire by directors to be more involved and to be much more challenging of the organisation’s risk management structures,” says Richard Gossage, partner – risk and capital for PwC in Melbourne. “All in all if you’re in the risk management profession it’s probably a good time to be in Australia.”
These external pressures have continued to push companies from all sectors to further embrace risk management and corporate governance. Companies are shifting their risk management focus in several fundamental ways: from internal to external, from operational to strategic, and from bottom-up to top-down, according to Risk in review, a report from PwC which surveyed over 1,000 executives and risk management leaders.
Top-down commitment
More stringent regulation is also driving a new era of risk in Australasia. This includes stronger liability, environmental and occupational health and safety (OHS) rules. The introduction of new OHS regulation in January 2012 has seen a renewed focus on workforce-related risks.
“All this legislation suddenly has the
independent directors saying to top management, ‘I want reassurance we understand our major risks and we’re properly
managing them because it’s my house, my
reputation and possibly my liberty that’s at
stake’,” says Kevin Knight FIRM, chairman
of the ISO working group that developed
the ISO 31000 risk management standard.
“I’ve sat down with one of the boards
of one of our big resources companies,”
he continues. “It has installations where
if things go wrong people don’t tend to
get a scratch, they tend to get killed, and
that was the attitude of a number of the
independent directors. They are seeking
very clear reassurance that risk policies are
working all the way down and the reports
coming back up to them about how risk
is being managed have accuracy and rigour
to it.”
While risk management processes and
procedures were already a big part of how
business was conducted, with greater buy-in from senior management there is now
the opportunity to institutionalise it.
The convergence of various risk
disciplines, including corporate
governance, compliance, financial risk
management and health and safety, and
managing them in a more holistic way,
can be seen within the broader global
move towards ERM.
ISO 31000’s introduction provides
Australian organisations with guidelines
on the design, implementation and
maintenance of risk management processes. It is a “logical successor” to the
original Australasian risk management
standard AS/NZS 4360, according to
Knight, and “informs the mandate and
commitment of top management on how
risk will be managed”.
“What we have seen in the last ten
years in Australia and New Zealand is
when they started to put risk management processes in place they put them in
as corporate policies, which means that if
you want to get rid of them you actually
have to cancel the policies,” he explains.
“That means there are processes
and procedures built into management
systems that the auditors report on.
Which doesn’t mean it’s at a high level,
but at least some of it is there and then if
you start to get support from top management it flourishes.”
Year of the cat
Property damage, business interruption
and supply chain disruption affected many
businesses as a result of events including
widespread flooding in Queensland in January 2011, Cyclone Yasi in early February
and the second Christchurch earthquake
on 21 February 2011. Further afield, the
Japanese earthquake and tsunami of 11
March 2011 and the Thai floods at the
end of the year further tested business
resilience and supply chains.
“[Business continuity] has become
fashionable again,” says Knight, “but I
can remember when it was really fashionable in Brisbane in 1974 when we had
the last big flood and every newsagent
and five-and-dime store was selling flood
maps, and everyone was very conscious
of flooding and where to build. And then
time passed by and we all forgot.”
However, some lessons had been learnt.
Australia’s heavy industries – including oil,
gas and coal – proved their resilience in
the most recent floods. While there was
a sharp drop in exports from the Bowen
Basin, Australia’s largest coal reserve, with
50 of the state’s 57 mines affected, most
were able to get back up and running in a
matter of days.
“If you look at the oil and gas industry
or the mining industry where the focus is
very much around business resilience and
continuity of production those businesses
were generally pretty advanced anyway,”
says PwC’s Gossage. “What we see now is
a greater cooperation between public and
private sectors and a more comprehensive
programme driven at state, community
and business level.”
The earlier Queensland floods of 2007
and 2008 held important risk management lessons for the mining sector.
As a result, infrastructure had been
strengthened and mine operators
introduced better water management
procedures. Working with Australian
freight company QR National, dams were
constructed, dykes and culverts dug, and
storm drains considerably widened.
Similarly, following the 2009 bushfires
in Victoria, the Bushfires Royal Commission was established to investigate the
causes of, preparation for, and responses
to the bushfires. “There was a detailed
review and the state government has
worked closely with industry to put in
a more comprehensive approach not only in
terms of early warning systems and planning, but also in terms of the responses
to be deployed for when another event
occurs,” says Gossage.
Counting the cost
For businesses in New Zealand there are
the more immediate concerns surrounding
safety of buildings and access to affordable insurance. Christchurch has been
rocked by thousands of aftershocks since
the original 3 September 2010 Darfield
earthquake – including the deadly 6.3
tremor in February 2011 and a magnitude
6.0 aftershock in June 2011 – with the perception of risk changing dramatically.
As a business, Marsh sadly had three
employees die in Christchurch. “We’ve
therefore gone around the country and
become extra vigilant when looking at
all of the buildings our staff are in,” says
Allan Beverwijk, executive director, Marsh.
“It’s made people think a lot more about
business continuity and there’s a big focus
on health and safety – so there’s a lot
more focus from management on ‘are our
buildings safe for people’.”
Properties are being assessed to establish how earthquake resilient they are,
with the ability to withstand future quakes
expressed as a percentage of the New
Building Standard (NBS). The higher the
percentage, the more resilient the building
is to ground shaking and the easier it is to
secure affordable insurance.
Beverwijk adds: “If you’re a major property owner with multiple properties in any
city and there is a major nat cat event your
deductibles could add up to tens of millions
of dollars.”
Another factor businesses are grappling
with is the business interruption aspect,
which is making them look more closely
at their office locations. The total closure
of many parts of Christchurch’s central
business district for such a long time had
not been anticipated in business continuity plans. Neither had the depopulation of
the city, leading to a drop in customers.
Some smaller businesses have struggled to
recover or gone out of business as a result.
“[Following the February earthquake]
the civil authority threw up a cordon
around the city and you couldn’t go in, so
you actually didn’t know if your building
had suffered damage or not,” says Beverwijk. “For some it was six months before
people could go back to their property,
so there was a huge prevention of access
issue, and if the building wasn’t damaged
there might only be a limited amount of business interruption cover available to them.”
The confluence of these major events,
ongoing uncertainty on the global
economic stage and growing compliance
pressures has permanently changed attitudes to risk. This is driving the commitment of top management to more holistically identify and control the risks affecting
their organisation, with a mandate to
keep one eye on the horizon.
“Traditionally risk management focused
very much on the here and now,” says
Gossage. “There is now a much stronger
need to look at risk management over the
longer term.”
Helen Yates is a freelance journalist
| Risk Management Professional | June 2012 | www.rmprofessional.com |
29
analysis
ISO 31000
The quarterly question:
is ISO 31000 fit for purpose?
Many risk professionals are citing the International Standard Organisation’s (ISO) 31000:2009
as the risk management standard, but some believe it never was fit for purpose. Why has the
standard got so many supporters and detractors, how was it put together, and what does the
future hold?
In order to explore this in more detail,
we’ve invited two heavyweights in
the world of risk. In one corner we
have John Adams FIRM, emeritus
professor at University College London,
UK, who blogs regularly about risk. His
contribution below is a condensed version
of his website (john-adams.co.uk) essay
entitled “ISO 31000: Dr Rorschach meets
Humpty Dumpty”.
In the other corner we have Grant
Purdy, an associate director at Australia-based Broadleaf Capital International, and
a 35-year risk management veteran. Grant
represented Australia on the group that
wrote the international standard and has
chaired the committee in Australia that
wrote the AS/NZS 4360 standards and
associated guidelines. Let’s hear what they
have to say:
Complex, confusing and clannish, says John Adams

I’m sure others, as I do, frequently reach the end of risk management guidance without a clue as to what it expects the risk manager to actually do.

That is my problem with ISO 31000 – Risk management – principles and guidelines. Published in 2009 it aspires to global leadership, if not domination, of the risk management industry. Kevin Knight, leader of the group that produced the document, claims the guide is comprehensive and global, and is “applicable to all organisations, regardless of type, size, activities and location, and should apply to all types of risk”.

But having read it several times I still don’t know what it expects of me. And here’s why: it repeatedly tells me to do what is “appropriate”, with 34 references to do the “appropriate” thing – such as “allocate appropriate resources for risk management” – in 26 pages.

What is appropriate? Those deploying the word appear to assume that all readers will share its meaning. But anyone plugged into discussions about risk’s disparate cultural perceptions will appreciate that this is a facile assumption.

These “appropriates” are Rorschach inkblots – the ambiguous stimuli typically shown to patients by therapists. While psychologists may battle to reach a consensus on the interpretation of the variety of meanings assigned to inkblots, it is clear that different people project very different meanings onto ambiguous stimuli.

And “appropriate” is just one of many ISO 31000 inkblots, sitting alongside numerous “effectives”, “culture/culturals”, “relevants”, “comprehensives”, “acceptables” and “tolerables”. If I take the total number of these words and divide them by the page count, ISO 31000 gets an inkblot average of 4.03 per page. It’s a fun way of quantifying the sense of vague dissatisfaction generated by so much current risk management literature.

One word that is definitely not an inkblot is “risk”, defined by ISO as “the effect of uncertainty on objectives – positive and/or negative”. Section two contains 29 terms and definitions elaborating the meaning of “risk”, supplemented by 44 explanatory notes and further definitions.

But this is deemed insufficient. To be absolutely confident that one is on the ISO 31000 wavelength one must also master Risk management – vocabulary (ISO Guide 73:2009), a 15-page dictionary further elaborating the ISO 31000 terms and conditions. Like Humpty Dumpty, when ISO uses a word it is determined that it should mean just what it chooses it to mean — neither more nor less.

This ISO definition of risk is described as “pivotal” by Knight. Certainly it is the pivot around which its authors believe all discussion of risk management should rotate. But they have a couple of problems.

First, their definition is shared by no standard dictionary. The rest of the world understands “risk” as something negative – a threat, hazard, loss or injury. Dictionaries have the merit of defining words as most people use them. With its idiosyncratic definition ISO appears to aspire to establish itself as a priestly caste with a private vocabulary inaccessible to the vulgar horde.

It is claimed on networking sites such as LinkedIn that ISO’s approach has been adopted by several thousand “experts”. Possibly. But they are vastly outnumbered by hundreds of millions of other lay and expert risk managers who share the dictionary meaning – who understand risk to be something negative.

Second, a major part of a risk manager’s job involves communication with non-experts. Not only is the ISO “risk” definition unlikely to appear in the dictionaries that most of the non-experts are likely to consult, but it can only be found in ISO 31000 and the supplementary vocabulary guide, together currently costing over £200 – a rather expensive textbook for would-be students.

In attempting to assert its mastery over the word “risk” - a word requiring an expensive dictionary before those deploying it can be confident that they know what they mean by it - the ISO experts can expect to be frustrated by the blank incomprehension of those whose access to their private language is blocked by this daunting paywall.

Purdy has described ISO 31000 as “a new globally accepted standard for risk management”. Accepted by whom? Most people interested in risk management have never been asked about it, never read it, and probably never heard of it. The academic world is comprehensively ignorant of it because it can be found in no libraries. I have only been able to join this discussion because a friend sent me bootleg copies.

In a world where the vast majority use standards that are free, and communicate in the language of the standard dictionaries, the unique approach and language of the ISO “new standard” appear unlikely to catch on.
Never perfect, but inclusionary, practical and widely accepted, says Grant Purdy
Organisations and their stakeholders are
increasingly using published standards
to draw conclusions on whether they
are being properly run. They provide the
basis for benchmarking, give specific
and prescriptive technical specifications
and methods, and provide general and
generic guidance. ISO 31000 falls into the
last of those categories, but is sometimes
confused with standards in the first two.
Standards are created because society
wishes to treat risk, but standards bring
their own risks. Notwithstanding the
standardisation of standards and the
fact they are periodically reviewed and
revised, standards may not always reflect
the ‘best available’ practices and leading
thinking; sometimes because nominated
representatives are restricted in what they
can say, not expert at all, or because their
views no longer reflect current needs.
Standards can be biased, have
compromises, or have their clarity and
precision clouded by ensuring words are
translatable into other languages. The
language of a standard and the terms it
uses can be ambiguous because it has
to accommodate many points of view,
interpretations and beliefs.
It would be naïve to think that ISO
31000 is immune from the above.
But having worked on other national
standards, like that from Australia
and New Zealand (AS/NZS 4360:2004),
developed and improved over 15 years
and two revisions, ISO 31000 is based
on the ways that many thousands of
international organisations have managed
risk over a long time period. Thousands
of people had their say during the public
consultation, and it was voted for by 23
of 26 nations, with Germany and Uruguay
abstaining and Italy voting against.
ISO 31000 cannot be ‘perfect’.
Compromises to accommodate different
points of view and interests inevitably led
to some ‘fudging’ and the introduction
of some unnecessary complexity. While
the standard is a remarkably good
and succinct set of guidelines, further
simplification would enable it to be even
more realistic and pertinent for those who
need to make decisions and manage risk.
But to paraphrase Winston Churchill,
the current approach to standards-making
is the worst way of doing it except all the
others that have been tried.
Next year a formal review of ISO 31000
will give us an opportunity to improve
the basic standard, but I know from
recent experience that vested interests
and commercially motivated stances have
increased significantly over the last three
years and that therefore any revision is
going to be subjected to many pressures.
Generally there seems to be a strong
motivation to add rather than reduce
complexity in risk management. Often this
seems to be by adopting and endorsing
various three-letter acronyms (GRC, ERM,
BCM, SRM etc) or by creating a new
‘risk-something’ term to describe some
property, action or outcome that was
previously not considered important.
While it would be nice if all standards
were free, I think the idea is unrealistic.
After all, in the UK you even have to pay
for copies of statutes! I’m less concerned
about academics than I am about
managers and decision makers - the
primary audience. Given the benefits that
come from effective risk management, I
would have thought that the sum involved
was a pretty good investment and hardly
a barrier.
Changes in definitions inevitably offend
some practitioners with different views
and long histories of propounding other
theories or approaches. The definition of
“risk”, in particular, has polarised views of
the standard.
But I’m not sure why a dictionary
definition of a concept as complex
as “risk” is to be preferred over that
produced by many people who have been
thinking about this and working on it for
years, and which has been tested out on
many more of those who actually have
to manage it daily. The ways that words
are defined in dictionaries probably does
not involve as many stakeholders as are
involved in standards making and while
dictionaries tend to look backwards, it
is the purpose of standards to set future
norms and to change the ways that
people think and act.
Whether they accept the definition of
risk in ISO 31000 or not, most people
agree that to make good decisions they
need to have reliable answers to four
questions:
• what are we trying to achieve?
• who should be involved?
• what creates uncertainty and how
significant is it?
• what can we do to ensure success?
These are, of course, the elements of ISO 31000 that concern the process for risk management and the framework that ensures that the process becomes integrated with an organisation’s system of management.

While not all practitioners agree with the definition of risk given in the standard, this is being understood and appreciated by managers who have to employ the risk management process to help them make better decisions. The core process for managing risk and the need for a framework that achieves its integration into a system of management are widely accepted.

ISO favoured in standards survey

Three times as many risk professionals prefer the ISO 31000 risk management standard to the COSO ERM Framework, according to an online survey carried out by a Fellow of IRM.

The survey (not associated with IRM) of 180 risk practitioners, carried out on networking site LinkedIn by Norman Marks FIRM, found that 52 per cent of respondents prefer ISO to COSO, with 14 per cent opting for COSO, 25 per cent saying they have no preference as both can be used effectively, and the remainder (eight per cent) saying both are ineffective.

Seventy-five per cent of those surveyed said they had read both documents, with 12 per cent saying they have only read COSO, seven per cent saying they have only read ISO, and the remainder (six per cent) unfamiliar with either.

Respondents who favoured COSO praised its comprehensiveness, longevity, better discussion of risk appetite, “strong” focus on corporate governance and linkage to strategies and objectives. ISO advocates complimented its user-friendliness, flexibility, top-down approach to risk management and that it represented “the collective wisdom of global risk leaders”.

Marks admits that the results are “meaningful but not authoritative”, while adding that those ambivalent about both documents said that there is little evidence that either actually works. Others suggested that the two should be combined. He concluded that all risk practitioners should read both sets of guidance.
roundtable
information risk
Sponsored by
Information risk management: a roundtable discussion
Tuesday 1 May 2012
CHAIRMAN: Steven Furnell, professor of information systems security, Plymouth University

PANEL:
Dave Canham MIRM, UK IT risk manager, Aviva
Harvey Seale CIRM, group information risk manager, Nuffield Health
Peter Allan, information technology security professional
Simon Clarke, risk analyst for a major London market insurer
Ramzi Musallam, information risk management consultant, BUPA
Ben Beeson, partner - global technology and privacy practice, Lockton
Tim James SIRM, head of risk management, Health Protection Agency
Becky Pinkard, security manager for a global company
Cyber risk investigator for a financial institution (anonymity requested)

*All comments are those of the delegates and not their organisations

Cyber-crime is not a fictional concept; it is a very real problem. Last year the cost of global cybercrime was estimated to be USD388bn, with an individual falling victim to a form of online crime every 19 seconds. In today’s multi-channel, mobile and inter-connected world, every element of society is increasingly at risk as more and more sensitive data is stored on a computer system somewhere in the world. The risks are constantly evolving as technology develops and they are likely to become more acute as new generations of smartphones effectively become mobile wallets, placing increasing volumes of personal and financial data at risk. Data privacy is, and will continue to be, the biggest emerging risk for businesses in the 21st century. Insurance can provide essential financial assistance and access to highly experienced legal, IT forensic and crisis PR advice – which can help companies preserve reputation and get back to trading as rapidly as possible.
The big questions:
• what are the key threats?
• how can organisations become
more resilient?
• should IT risk management be a
component of governance?
• are data breaches inevitable?
• what can insurance offer?
• what dangers do personal devices pose?
• how should you respond to a breach?
Steven Furnell, professor of
information systems security at
Plymouth University, kicked off the
debate at Tower 42, London, UK, by
asking: “What are the main threats
facing today’s organisations?”
Cyber risk investigator: It’s important to consider aspects outside of
cyber crime such as social engineering,
particularly within financial services.
Criminals and fraudsters always try to
stay one step ahead, it’s easy to admire
their ingenuity. One of the biggest
threats is not being fully aware of the
threat itself. I am surprised by the high
number of people and consumers who
still give away confidential information
to people without understanding the
risk. Criminals spend months building
up profiles. It’s not an overnight phenomenon. And yet we give personal information such as dates of birth away.
Furnell: Do we believe that the balance is right at the moment? Are organisations putting the security and countermeasures in the areas where they are most under threat? Or is there a lack of focus on education compared to technical controls?

Beeson: In the US there’s no doubt that this is seen as an important risk driven by legislation and regulation, not least the requirement to notify following a data breach. The potential financial damage has got people very interested in this. And then you get the US Securities and Exchange Commission saying that if you are a public company and you file, you have to list your cyber risks now. So investors are going to start asking questions. What Viviane Reding [vice-president of the European Commission] is proposing will get Europe to the same place eventually. I wonder if we in Europe view this as a risk beyond the IT department, in the same way it is viewed in the US.

Musallam: That is one of my main concerns. When it comes to IT risk the risk management department isn’t always involved. But for an organisation to have effective risk management it must embrace risk in all its forms, otherwise it’s not identified and addressed.

Canham: I chair IRM’s risk in information systems and e-business special interest group (SIG) and when we’ve looked down the supply chains of organisations, it’s about understanding where the data is, especially when there is outsourcing. It’s something we need to get a handle on. Then there’s how people culturally treat data and what they post on Twitter and Facebook. There’s a lot of talk about cyber crime but these are the nuts and bolts.

Musallam: The other big challenge is the regulatory environment and new legislation such as the draft EU data protection directive that came out in January 2012 with a number of potential challenges. The other issue is user education. People are so used to sharing information on social networks that when they come to work there is a blurring of work and personal information. There is a lack of clarity from regulators about what they expect and a lack of clarity in companies’ policies. It’s a real challenge for organisations to get the balance right between providing access to data and educating people to follow the right policies and procedures.
Canham: We need to get away from
the idea that this is an IT problem, or
a fraud department problem. This is a
business issue. We’ve got some way to
go on that.
Pinkard: I’ve been doing this for 15
years and global companies are struggling with perception versus reality.
Companies are still retro-fitting security
across the organisation. They might
achieve great coverage across a piece
of the organisation but the depth of
security is something we’re still struggling with. We don’t need fancy tools
and toys. The security problems that
we’re still fighting today are things like
patching systems, the principle of least
privilege, just controlling simple things
across global, complex organisations.
Allan: I agree. There are basic observations from the 1970s that people
haven’t learned from. As for how
good people’s security systems are,
my perception has always been that
people are over-confident. I’ve spoken
to countless people who will say:
“Oh, my systems are pretty good. You
won’t find anything here.” Unless you
have some regular scrutiny over entire
estate, you can bet that there is loads
of stuff that has gone wrong.
James: There is a question about
the dis-benefits. You can put lots of
controls in place, encrypt data, but
the more tools and security you put
on, the more layers you have to pass,
the end users – who as they get more
senior have more access to sensitive
material – become more frustrated and
therefore adapt their behaviour. The
industry needs to think about how to
make security more invisible and user
friendly for the end user.
Furnell: We’ve touched on the importance of having a policy, which is one
of the foundations and the fact that in
some cases organisations have a patchy
approach. The recently published ‘Information security breaches survey 2012’
showed that something like a mere
quarter of organisations thought that
they had a good understanding of their
firm’s security policy. The policy is usually there, but not always backed up,
promoted and understood. So what
are the other basics?
Cyber risk investigator: It’s all very
well introducing new policies, but if
the user doesn’t know why they are
in place, they may not adhere to it. If
they’re told why, or shown results, then
they will adhere to the policy. It’s got to
make sense.
Clarke: It’s a cultural thing. In our
company the culture is to have clear
wordings displaying the fundamental
reasons behind policies, to ensure
there is that understanding from staff.
I’ve worked at another company and
they were the complete opposite; very
wordy, with a lot of legalese, and no
one cared or understood.
Beeson: We’ve explained to people in
our organisation why we have a clear
desk policy. Now they understand that
the Financial Services Authority could
walk in tomorrow and fine us, as they
did with HSBC, for £3 million. In the
insurance industry we’re starting to see
some basic standards that you’re going
to have to meet if you’re going to be
insured. A very simple example is encryption on portable devices. You cannot get insured for a data breach with
a portable device now, pretty much.
Canham: There’s something to be said
for making it real and personable. I
was recently auditing an organisation
and they had left credit card slips out.
I said: “Would you want yours there?”
From my point of view this is where IT
sometimes falls down. We need to give
it the human element.
Seale: Policy dissemination
is a key thing. When a
breach happens, you need to
evidence you’re monitoring
compliance and that you picked up
shortcomings, created action plans
and documented the progress of those
action plans through your approved
governance committees. We recently
started running breach simulations
on essentially, what would happen if
someone, somewhere lost a laptop.
Who would they call? What
would they do and what mechanism
kicks off in the organisation to protect
the data?
Pinkard: It’s about making user awareness personal. Whether it’s understanding policies or walking them through a
scenario, but taking it down to a level
so that it’s understandable to them.
Furnell: To what extent should organisations be regarding a breach as an inevitability?

Seale: It’s a case of when. You can have the most robust policies and procedures, the best policy dissemination, but it will happen. It’s how you treat that. If you look at the Information Commissioner’s Office fine record, it’s not that they are okay with the first breach, rather they understand that you need to learn lessons. It’s the organisations that don’t learn lessons and don’t change systems that get fined. And you can create a reward system as well so that you incentivise people to come forward when they spot things. And culture, good culture, needs to come from the top.

James: Some policies run to 90-odd pages. You can tell the person who wrote it enjoyed themselves but no one is going to read it. What are the key messages and the principles that people need to live by in their professional lives? They can be very simple and that’s what organisations need to get across.

Furnell: Talking about personalising the message, these are things that could help the professional community in their private lives as well. If they realise this could help them privately to their own benefit, their own conduct will improve.

Pinkard: On the technological side there’s a lot of complexity in businesses today because they have carried forward the way that they have always done things. For example, I’ve worked with companies where no one knows how something works and if you were to take it apart, no one would know how to put it back together. A lot of companies need to invest some serious time and effort to go into these situations and understand how they can become more resilient.

Allan: I’m aware of a situation where a financial gateway was hacked. It should have been rebuilt and replaced so we could pick over the bones of the old one but we received the same answer you got: “No, you can’t touch that. It’s an important box.” It gets swept under the carpet.

Pinkard: I’ve heard of boxes that have been infected for a year, two years plus, but they can’t take them offline. And it’s deemed that the virus is okay to be there and that it can be dealt with.
Canham: There is an inevitability to an
attack these days, particularly to a large
organisation on the front line, so you
need to make sure you do all you can
to prevent an attack, but also you can
respond in the right way.
Pinkard: I think it’s almost become
passé for these big companies to be
attacked, so that it almost washes over
people now. When TJ Maxx happened
years ago, they lost millions of credit
card numbers but then reported higher-than-ever revenues because after the
reporting process people felt safer than
ever doing business with them.
Beeson: That was a game changer.
That was insured, as I understand, and
it cost them over $200 million for that
breach, and it really woke people up to
the data breach risk. Maybe they didn’t
lose a lot of customers but they were
financially hit, big time. The insurance
didn’t go very far, as I understand it.
Furnell: So what are the key lessons
for firms? What do they need to do or
be aware of?
Musallam: I think it’s key to demonstrate that you take this seriously. You
need to communicate that to authorities, the press, clients and staff. So communication is a key part of the issue.
Beeson: There is a huge reputational issue. One company took a year to inform people of a data loss. Frankly that’s unforgivable. We shouldn’t be thinking in terms of financial consequences, we should be thinking in terms of reputational damage. Increasingly, unless you have a plan to respond to a data breach it’s going to be frowned upon.

Seale: What people really care about is whether you are taking the protection of their private data seriously. ICO guidance consistently refers to the ‘spirit’ of the data protection act, in essence “If you treat client data like it’s your own personal data, you can’t go far wrong.”

Gordon: If you find a breach in some part of your business, the next thing you need to do is ask whether any others have happened, whether everybody is doing this, and what you are doing about the whole area rather than just the one incident.

Pinkard: I’d love to have a crystal ball and look 50 years into the future to see if we have the same perception of privacy as we do now. Will we give the same amount of care and due diligence to things such as credit card numbers and our dates of birth? Because so many people are simply putting it out there. I know there are controls but a lot of young people just don’t care. I wonder if we’ll get to a point where we have a different mindset. At the moment I don’t think it’s possible, with the amount of information out there that makes up your digital footprint, to be forgotten. When it comes to the right to be forgotten, forget about it.

Furnell: We’d mentioned before the issue of insurance and the increasing uptake of insurance around these breaches, so how can insurers and organisations work together to ensure that firms are better prepared for a data breach incident?
Beeson: A specialist market has
cropped up to write this risk. There is
always going to be a residual risk – we
can’t stop a data breach from happening. But are organisations happy with
that to be on their balance sheet or do
they want to get it off their balance
sheet? That’s where insurance comes
in. But insurers are saying that you
really need to have minimum baseline
standards for security and in terms of
how you contract to third parties. If
you do all that then we’ll insure it
and take that big hit off the balance
sheet. Insurers are helping to drive
minimum standards.
Furnell: People increasingly have their
own smartphones, tablets, laptops
etc that they’re using in the work
environment. How do we view the
risks of the bring-your-own device
initiatives? Are organisations managing
the risk effectively?
Canham: This is my bugbear. People
have previously told me that your
personal device is no different to
having a book. Hang on a second, I
wouldn’t want to nick the book, but I
would want to steal a personal
device. And what happens if you lose
it? Is there a defined process? Is there
a requirement to report it to your
organisation? I get the productivity
benefits, but there are a lot of risks that
we are yet to get on top of.
Musallam: One big thing is data
leakage. You try to build a wall around
a network but if staff email documents
to their private account, or can
copy data to a USB device, then it’s
almost useless.
Cyber risk investigator: It comes
back to regular reviews needing to be
done to ensure that your actions are
proactive rather than reactive. If you
do bring your own device into the
work place, it will be subject to some
controls and limitations. Again, this
goes back to communication. Users
must be made aware of a policy at
regular intervals.
Pinkard: I’d really like to see some
statistics around whether or not it’s
truly a lower cost by the time we put
in the controls, coordinate carrier
plans, train folks and choose a mobile
device management platform. Is it
truly a lower cost? Am I reaping in the
thousands and millions? And this needs
to be looked at by the executive level.
With so much personal and business
data together and the integration of
devices and aggregation of data, I
see in 30 to 40 years that everyone
will have their data space in the sky.
A person or a family will have a data
address, and I’ll have a throwaway
device. So instead of this phone that
I’m carrying around I’ll have some
device that I could pick up for £10-15.
It becomes an access portal to that
data. It’s about the data.
Allan: Once you allow people to bring
their own devices, you have got a
larger range of devices, software and
carriers. Supposing a company is trying
to provide support, this will give them
a headache. Once you have multiple
products you have multiple sets of
bugs. A different set of bugs from
each platform makes more bugs in
total than any one of those platforms.
Are you going to back-up all of these
devices, including personal data?
Clarke: I’m involved in business
continuity as well. If something goes
wrong and people can work fluidly
from home on their own devices then
that’s a real bonus. But as you say there
are so many negative associations that
need to be weighed up.
Furnell: We’ve touched on responding
to a breach, but have we got any
final thoughts on the crucial steps a
company should take after an incident
to safeguard their reputation?
Beeson: There’s still a big difference
between US and UK data. In the US
you will get a financial hit but in the EU
the legislation is still quite embryonic.
They’re talking about a fine of two
per cent of your gross income, which
apparently won’t be insurable. But
we’re not at that stage yet.
Canham: We’ve got to be careful that
the regulators don’t find out about any
breach before we tell them.
Clarke: And when the press hears of
a breach, the worst thing is for a firm
to be unavailable for comment. There
has got to be a statement as soon
as possible.
Chairman’s conclusion
A lot of what we discuss now comes
down to the human aspect; the attitudes, the perceptions, the behaviours
of people in the organisation. Then
there’s the increased media interest and
the more open attitude to personal data.
So there’s an expectation of protection coupled with a populace who don’t
seem to do as much as they could to
support that security culture. Having a
policy isn’t enough – there needs to be
a promoted security culture.
There will always be an element of
residual risk so we need to be prepared
for what might happen. That might be
insurance, media relations, or maintaining relations with clients and customers to
protect your reputation.
IRM’s Risk in Information Systems and
e-Business (RISE) Special Interest Group
(SIG) is looking for members to discuss
the wider picture around technology
risks, business challenges and share
thought leadership on emerging risks.
For more information about the RISE
SIG, visit: http://www.theirm.org/events/
RISE.htm. To contact the SIG’s chairman,
email david.canham@aviva.co.uk.
irm
Professional development forum
IRM forum review
Three hundred risk professionals gathered to enjoy IRM’s Professional Development Forum
on 23-25 April in Manchester, UK. With international speakers, workshops, seminars and
networking events at the neo-Gothic Manchester Town Hall and Manchester City FC’s Etihad
Stadium, Tom Bovingdon looks back at the highlights of a memorable gathering
David Ovenden
Economist calls for banking airbags
Airbags are needed in the financial system
to prevent a repeat of the economic crisis,
a leading economist told the forum.
Financial Times journalist, blogger and
broadcaster Tim Harford called for “big,
big airbags for the financial system”
instead of clever contracts or adding
more complexity.
He said: “The real airbag for the
financial system is just to force banks to
hold much more capital than they do.
Extra capital for banks doesn’t cost as
much as they [banks] claim it will. It makes
that money far more flexible and much
more forgiving [when things go wrong].”
Harford said the financial crisis was
exacerbated by the fact that banking
was both complex and “tightly-coupled”
- where one thing inevitably leads to
another. He said the financial system could
avoid this scenario by ensuring safety
gates - similar to those used to break
domino-toppling records - are in place.
But he warned that safety systems can
sometimes have unintended consequences. Speaking about credit-default swaps,
which were originally viewed and
promoted as safety measures, Harford
said: “They didn’t make the system
safer, they made it more complicated.
So although in principle they were safety
systems, in fact they were magnifying
fundamental risks in the system.”
NotW had “extraordinary risk culture”
Disgraced British tabloid newspaper The News of The World
(NotW) had an “incredible culture of actively encouraged
controlled risk”, the tabloid’s
former marketing director told
forum delegates.
Ellis Watson, now managing
director of newspapers at DC
Thomson, said that Rupert
Murdoch, owner of News
International, succeeded in
business “from pretty much nothing to something enormous by
encouraging controlled risk in pretty much everything you did”.
Watson said: “He empowered people and there was something
in the DNA of the organisation that encouraged people to be
better, braver, and to try and get there faster and better than the
other guy. It was an extraordinary culture to grow up in.”
“He [Rupert] was wealthy enough and canny enough to
actively encourage ordinary people to try and achieve extraordinary things.
“There was a culture where, as long as you weren’t repeating
mistakes, it would give the same focus to a failed risk as it would
a succeeded risk. There was nothing quite like it on earth.”
Recycle failures, says
futurologist
Organisations need to view
failures “as plastic bottles
that need to be recycled
and re-used”, a futurologist
and trendspotter told
forum delegates.
Magnus Lindkvist said that
organisations need not be
ashamed of failures as it can
lead to greater successes.
Citing Nintendo as an example, he recalled how their
first “failed” arcade game later became Donkey Kong, which
gave birth to the character ‘Jump Man’ – later to be called Mario.
Lindkvist said: “By recycling one failure they gained two worldwide successes. That’s the problem with many companies today.
They have a success culture. They reward success. They celebrate
success. Failures become something to be ashamed of or hide in
the bookkeeping, or both.”
He called for organisations to become “DJs of ideas” by
recycling the best parts of multiple failures.
IRM FOCUS
Risk register seeks expert editors
Risk editors with specialist expertise are being sought by a not-for-profit organisation as
they seek to compile an open-source database of international risks.
The Global Risk Register (GRR), a not-for-profit enterprise hoping to launch later this
year, is looking for volunteers who can assess information for accuracy and impartiality.
Anu Devi, founder and program director of the register, told forum delegates that GRR
aims to share information on global risks “for the benefit of humanity” by tapping into
the online knowledge base.
She called for people to contribute by either joining the community, creating a risk
committee, becoming a risk editor or simply by spreading the word about GRR.
Devi said: “We are creating small risk committees and will then have smaller groups of
individuals who will enter the info into a wiki [an open-source dictionary]. We want to
establish risk editors who are specialists in their field.”
The first three risk focus areas will be cyber security, water security and a yet-to-be-chosen health topic. For more information on GRR visit: https://www.globalriskregister.org.
Risk professionals told: prepare for
green pig world
Organisations need to be prepared for the
“unexpected, unpredictable surprises”
illustrated by the success of the Angry
Birds business empire, a futurologist told
delegates at IRM’s forum.
The success of the app and subsequent
spin-offs show that organisations need to
be ready for “a green pig world”, trendspotter Magnus Lindkvist told the crowd
of around 300 risk professionals.
“Who would have thought
that one of the world’s
best business ideas in
2012 would be a green
pig?”, he said, adding: “This
game has been downloaded and paid
for nearly 800 million times.
“You could say that eight per cent of
the world’s population are right now busy
flicking angry birds at green pigs. We
couldn’t predict that. Imagine if I’d said
to you ten years ago that the future, my
friend, is about green pigs.
“This is what I mean by a green pig
world. We live in a world of these positive, unexpected, unpredictable surprises.
They can be good or they can be bad. It is
a green pig world. They can take companies by surprise.”
EU Parliament to establish Brussels-based risk committee
An informal committee on risk will be established in the European Parliament on 5
September, a leading risk academic revealed at the forum.
Ragnar Löfstedt FIRM, director of King’s College London’s centre for risk management,
revealed that he is working to establish an informal committee to ensure that advice
coming from Brussels is “evidence-based and science-based”.
Expected to be headed by Julie Girling MEP, along with around ten other cross-party
MEPs, the committee will also have input from academics and practitioners. A manifesto
for the committee is expected to be published in June.
Löfstedt also called for British risk professionals to canvass their local MPs and
members of the UK House of Lords to ensure risk debate is elevated to a higher level.
He said “we need to consider how to engage society in discussion about risk”,
adding: “We need to have it discussed in schools and universities. We are not doing
that enough.”
Good risk cultures “need varied
voices”, says academic
No “clumsy solutions” exist when
seeking the perfect risk culture, a senior
lecturer from the University of York said
at the forum.
Philip Linsley, delivering a seminar on
culture, risk and risk management, said
that not one of four widely accepted
cultural categories - fatalists, hierarchists,
individualists and egalitarians – represents
a “perfect culture” and that organisations
should try and let a blend of cultures all
have a voice.
“There isn’t one best culture out of the
four, they’re all seeing different risks. What
you need is for all of them to be voicing
their ideas about risk. You should be
looking for all four of the voices, including
the fatalist, to be heard,” Linsley said.
Summarising that individualists would
be concerned by profit, hierarchists with
controls and systems, egalitarians with
ethics, and fatalists with a concern of
“blind side” risks, Linsley added that “a
clash of world views” would often happen
when these groups worked together.
Call for behavioural focus
More needs to be done around the
behavioural side of risk management,
the head of risk, benefits and value at
Transport for London (TfL) told the forum.
David Hancock said that risk management “is all behavioural” and that
more psychologists, sociologists and social
anthropologists needed to be invited to
participate in the risk debate.
“The first time round I made the
mistake of thinking it was about process,
and I thought if you could teach people
techniques and quantitative mathematics,
teach them how to do probability, then
we’ll teach them how to be risk managers.
But [now] in my view it’s all behavioural,”
he said.
During the same question time debate
on whether risk managers are an
unaffordable luxury in recessionary times,
Kelly Maynard, a risk manager at Polygon,
called for risk professionals to
demonstrate their value by being “a little
more extrovert”.
She added: “We risk managers are in
general very good negotiators. So why not
use that capability that we have and show
our value to the organisation.”
Forum news in brief
Target: close the business
A presentation by the Mines Advisory
Group (MAG) concluded that its key
corporate objective was to go out of
business – as this would demonstrate
their success. Rob White, MAG’s director of operations and an IRM affiliate,
spoke about the operational risks of
clearing mines, how strategic risk is a
new concept for their board and the
difficulties of striking the right balance
between charity and corporate work.
Risk culture steps
Marsh issued forum delegates with
a list of ten steps to ensure their
business has a good ERM culture. The
steps included targeting new staff at
induction, senior management buy-in
and demonstrating the value of risk
management. The findings came
from a study which found that weak
businesses have little “alignment” with
risk culture.
Where’s your phone, boss?
Half of all executives lose their phone at
some point, putting the data contained
on it at risk of theft or misuse, Norman
Marks FIRM, an evangelist for SAP, told
forum delegates.
With more and more people using
phones and tablets to access the web,
and 72 per cent of board members
wanting to receive board papers on
their iPads, managers must think about
technology and data risks, Marks
said. He added that speed was of the
essence because risks do not wait.
Outsourcing “baggage”
Monika Narula, a risk professional
based in India with a financial firm and
an IRM diploma student, examined
outsourcing risks such as assessing strategic partners and emerging risks with
suppliers. Concluding that outsourcing
“brings along a baggage of risks with
benefits”, Narula stressed the importance of risk managers being more
involved in outsourcing decisions.
Forum presentations can be found at:
http://irmforum.org/.
Forum chairman’s summary
Ghislain Giroux Dufort, president of
Baldwin Risk Strategies and forum
chairman, praised the “varied and
rich concurrent seminar sessions”. He
added: “We had delegates coming
from over 20 countries and I met many
fascinating people, both from the
United Kingdom and from abroad.”
His full summary of the event can be
found at www.baldwinglobal.com or
via info@baldwinglobal.com.
Our sample survey of forum attendees
discovered that:
• ninety per cent of respondents would
not hesitate in recommending the
forum to a colleague
• seventy per cent of respondents rated
the forum overall as “excellent” or
“very good”
• our keynote speakers were one of the
most highly rated forum elements. One
respondent said “Magnus [Lindkvist]
was brilliant. It was worth attending
for him alone.”
View from the forum floor
What did some of the 300
international risk professionals have to
say about the event?
The Institute of Risk Management – Events
GLOBAL RISK AWARDS
To pre-register your interest in attending, or to discuss sponsorship opportunities, contact us at
events@theirm.org or call +44 (0) 20 7709 9808
irm
NEWS
Zurich and IRM join forces
Zurich has joined forces with IRM and
entered into an agreement to enrol all 150
of its risk engineers as institute members,
reflecting Zurich’s ongoing commitment to
professional qualifications and employee
personal development.
As of April 2012, every Zurich risk
engineer will automatically become an IRM
member to at least affiliate grade.
Mark Matthews, head of Zurich Risk
Engineering UK, said, “In order to deliver,
Zurich’s risk engineers, consultants and
analysts not only require industry experience, but the highest level of on-going
technical instruction and training and
professional qualifications, and this is what
we will provide for them.”
Steve Fowler FIRM, IRM’s chief executive,
said: “IRM is delighted to bring its world-renowned risk education programmes and
leading-edge thought leadership to Zurich’s
UK risk engineering team.”
irm special interest groups (sig)
Risk managers “cannot be
C-sick”, SIG says
Risk managers must master “the seven
Cs” if they are to survive in 2020, research
carried out by IRM’s Innovation, Value
Creation and Opportunity SIG has found.
Professionals working in risk need to
master commercial skills, communication
skills, confidence, creativity, culture and
act as challengers and catalysts if they plan
to be around in the next eight years, the
group has discovered.
Revealing its findings at IRM’s April
Professional Development Forum in
Manchester, UK, the SIG – headed by Clive
Thompson FIRM, project director for FINEX
Global, Willis Group – concluded that risk
managers will need to think strategically
and challenge their leaders to ensure their
longevity. The group also predicted that the
board will be formally risk-trained by 2020.
The group hopes to publish the full findings in autumn and more detailed coverage
is planned in later editions of RMP.
Enterprise Risk Management SIG
As the last issue of Risk Management Professional went to press, IRM’s Enterprise Risk
Management (ERM) SIG was discussing how to integrate risk and performance with
Wim Van der Stede, a professor from the London School of Economics.
The group then turned to a case study on Lloyd’s of London’s approach to risk appetite. PDFs of the presentation papers can be found in the SIG section of IRM’s website.
New SIG: Governance, Risk and Compliance
Anyone interested in joining a group dedicated to discussions on governance,
risk and compliance (GRC) is being invited to contact Robert Toogood, a senior
partner at Chaordic Solutions. To express your interest please contact
robert_toogood@chaordicsolutions.co.uk.
Solvency II SIG
After a well-attended March meeting, the
Solvency II SIG met again on 17 April to
discuss the ORSA process – challenges
and opportunities.
Speaking at the event in London, UK,
were Keith Jackson, group chief risk officer at BUPA, Matt Taylor, group head of
risk at BUPA, and Peter Taylor, director at
Conducter Consulting.
In May the group convened again to
discuss the role of risk management training in sustaining a risk culture. Joachim
Adenusi FIRM, director of Inspirational
Risk, and Georgia Tsaikki, a group risk advisor for Amlin, were among the speakers.
A joint meeting with the Bermuda RG
is planned for June to discuss navigating
multiple international regulatory requirements. Sessions for July and September are
also planned.
IRM REGIONAL GROUPS (RG)
Botswana RG
IRM’s Botswana RG is soon to launch, aiming to act as a networking hub in the southern Africa region. Brian Chiyangwa
CIRM will be chairman of the group.
Middle East RG
Solvency II was the topic of the day when the IRM Middle
East RG met on 12 March at the Ritz Carlton in Doha. An
afternoon workshop was led by Adeel Mushtaq of KPMG.
North-West England RG
Lynn Stalker MIRM, a business risk manager at the Sellafield
nuclear site, delivered a presentation on quantitative assessment
to the North-West England RG on 17 May. Held at the Sellafield
offices in Risley, Derbyshire, Stalker looked at the appropriateness and value of quantitative assessments. A session on risk
appetite is scheduled for 11 July, along with an October seminar
on the people side of risk management.
For more information on RGs and SIGs visit www.theirm.org.
World class Global Risk Awards to launch
IRM’s new Global Risk Awards
will be held in
London in the
first quarter of
2013.
Aiming to celebrate “world class”
risk management products, services
and people, the awards will recognise
the best and give organisations and
professionals the chance to showcase
their excellence.
Top government scientist to address Annual Lecture
The man responsible for scientific advice when the UK is hit by crises has been
confirmed as the keynote speaker at IRM’s 2012 Annual Lecture.
Sir John Beddington FIRM, chief scientific advisor to the
British government with responsibility for the quality of
science-based evidence in government decision making,
will deliver his speech at the 5 December lecture.
Sir John has advised several governments and
international bodies on risk issues, including the Australian
and US governments, the European Commission and the
United Nations Environment Programme.
Having offered advice on crises such as the 2009 swine flu outbreak and the 2010
volcanic ash incident, Sir John is also charged with ensuring that scientific method, risk
and uncertainty are understood by the public, particularly around the misconceptions
and misunderstanding regarding climate change.
Invitations and booking instructions for the Annual Lecture and AGM will be sent to
members closer to the occasion.
IRM backs inaugural World Risk Day
IRM has lent its backing to the launch of
the first ever World Risk Day.
Taking place on 26 June, World Risk
Day will include a free global virtual
summit of risk experts to address best
practices. It is supported by organisations including Active Risk, the Risk and
Insurance Management Society (RIMS),
the Association for Federal Enterprise Risk
Management (AFERM) and the Major
Projects Association (MPA).
Steve Fowler FIRM, IRM’s chief
executive, applauded the launch of the
initiative, adding: “By drawing attention
to the value-add of well-structured risk
management, World Risk Day benefits
both business and the risk profession.”
Loren Padelford, executive vice-president and general manager, Active Risk,
added that the day would “elevate the
conversation around risk management
and setting benchmarks for the industry.”
As well as the summit, www.
worldriskday.com will also feature a
resource centre, a blog and a
benchmark survey.
Membership Renewals
Members are reminded that their annual subscriptions are due for renewal on 1 July
2012. Renewal invitation letters will be issued in early June and the online payment
facility will be available by 15 June 2012. Details of the 2012/2013 subscriptions can
be found on IRM’s website.
“Learn meerkat lessons”,
says IRM chief
Risk professionals should embrace the
success of a fictional meerkat as an
example of how social networking can
link to modern business, IRM’s chief
executive told the institute’s Professional
Development Forum.
Steve Fowler FIRM, speaking in
Manchester, UK, on 23-25 April, said
risk professionals should be aware of
the link between trends such as one-in-ten pets being put on Facebook by their
owners and the success of Aleksandr
Orlov, a fictional meerkat who has
spearheaded the growth of Britain’s
fastest-growing insurance brokerage,
comparethemarket.com.
Fowler said: “There is a link between
some of these things that people do
for fun on social networking sites and
business – we can’t ignore that link.”
Boardrooms embracing risk
Risk management is moving “from the
engine room to the board room”, IRM’s
chairman told delegates at the forum.
Richard Anderson FIRM said that
“risk management has never been more
important” than it is now.
He said: “It is moving from the engine
room to the board room and it is our
role to support that.”
Anderson added that it was a “privilege and pleasure” to welcome 300
risk professionals from over 20 different
countries. For further forum coverage,
turn to pages 40-43.
IRM
Membership
NEW IRM MEMBERSHIPS
Fellow
Richard Mackie
Eversholt Rail
Kevin Thomas
Ecclesiastical Insurance
Member
John Davis
UK Power Networks
Lyndsey Gregory
Deloitte & Touche
Panagiotis Loizou
Ernst & Young
Gayle Marshall
Insurance Corporation of Barbados
Certificant
Haizam Abu Hassan
Telekom Malaysia
Omar Abu-Rish
Thames Valley Police
Carlos Arias
IFC - World Bank Group
George Baird
IMG World
Paul Brown
Gloucestershire County Council
Neil Buck
Aberdeen City Council
Blesie Bustamante
Manila Water Company
Wendy Chen
Swire Pacific
Carla Compagno
CADG
Pedro Cupertino de Miranda
Sonae Investimentos
Jonathan Davies
Co-operative Banking Group
Lindsey Downes
ADAS
Andrew Dyson
North East Lincolnshire Council
Robert Elliott
GSH
Ryan Forsythe
Investec
Rebecca Fox
Shacklocks Solicitors
Richard Fraser
Shaw
Simone Freire-McKinnell
ADMS Europe (Aegon Direct Marketing Services)
Michelle Gardiner
De Beers Consolidated Mines
Alexander Guzman
Ecopetrol S.A.
Ross Harding
Ernst & Young
Martin Hughes
GPT Special Project Management
Mohsin Jagani
Abu Dhabi Retirement Pensions &
Benefits Fund
Ellie King
RBS
Andreea Licu
ING Pension Fund (Romania)
Hesham Mabrouk
Abu Dhabi Ports Company
David Marsh
Chris McQuaid
Nationwide UK (Ireland)
Claire Milner
UK Asset Resolution
Stephen Mortimer
EDF Energy
James Nelson
Rolls-Royce
Norlaili Nordin
Inland Revenue Board of Malaysia
Iain Ogilvie
Scottish Water
Oyejumoke Okubadejo
NHS North West London
Jamie Oliff
FM Global
Javier Perez-Blanco
Navarro
Eduan Pieterse
VBKom Projects
Mark Pring
Co-operative Banking Group
Chandra Raman
Mark Surveyor
Ruth Riddell
Wulvern Housing
Benjamin Romero
PPL Global
Chloe Rutkowski
DLA Piper (UK)
Lee Schneider
Co-operative Banking Group
Soo Wy Seng
QBE Insurance (Malaysia) Berhad
Nikki Sevens
Driving Standards Agency
Syed Shah
British Council
Matthew Shanahan
Canada Life International
Kanaga Devi Shanmugam
Inland Revenue Board of Malaysia
Chas Staines
Integrated Risk Consultants
Andrew Voules
ICM Business Continuity
Dena Walker
Virgin Media
Rachel Washington
ASA
Fiona Whitelaw
Chivas Brothers
Jey Williams
Capita Business Services
Mark Willis
Halifax
Diana Wright
Anthony Yuile
Syed Zain
Allianz Malaysia Berhad
Hassan Zaitoun
Dar Al Arkan Real
Estate Development
SPECIALIST
Pavel Aksenov
Thomson Reuters
Stephen Blott
UK General Insurance Group
Lisa Boswell
MAPFRE ASSISTANCE
Mark Brown
Supreme Global Solutions
Martin Churm
Lynzi Harrison
Skandia UK
Julie Howell
Off House
Alex Jeppe
CAN
John Joyce
Allianz
Maalila Malambo
Blue Insurance
Paul McLarnon
Cunningham Lindsey
Helen Molyneux
Cambridge Risk Solutions
Ashok Narayanan
t’Azur Company B.S.C
Thomas Puschnik
Zurich
Suk Rathore
DNV
James Royds
Sempartus Consulting
Affiliate
Paul Ablin
easyJet
Edgar Ager
Secure Trust Bank
Solene Anglaret
Veolia Water UK
Ali Anvari
Paul Attrell
ISOQAR
Lee Barnes
TFPL
Keith Bernhard
Alterra Capital
Kat Blyth
Ecclesiastical
Chris Boulden
BAE Systems Detica
Michelle Bucknor
Ecclesiastical
Gladys Cheung
Catlin
Jonathan Clarke
Reachable
Alistair Craig
Morgan Sindall
Steve Daniels
BAE Systems Detica
Thomas Delaney
Worcester City Council
Ann Doan
Charities Aid Foundation
Adriano Dondi
Civil Service Healthcare
Cynthia Emmanuels
Parallex Microfinance Bank
Paul Emms
Skandia
John Enoch
Voxsmart
Peter Evans
Carillion
Jennifer Evans
Velrada
Vincent Geake
BAE Systems Detica
Maria Hadjipavlou
W. R. Berkley Insurance (Europe)
Henry Harrison
BAE Systems Detica
Luisa Jefford
TFPL
Andy Langley
Ecclesiastical
Ayan Man
Mitsui Sumitomo Insurance (London)
Michelle Mifka
Coutts
Louise Parry
The Co-operative
Kevin Pearce
Aldermore Bank
Marcello Pizzichetta
Infrassure
Claire Quick
Ecclesiastical
Ben Rendle
BAE Systems Detica
Robert Scott
Wolverhampton City Council
Claire Sewter
BAE Systems Detica
Andrew Shefford
KPMG
Ben Stellman
BAE Systems Detica
Oliver Tardiff
BAE Systems Detica
Marcella Taylor
Dave Whitley
BAE Systems Detica
Helen Whittle
easyJet
Nick Wilding
BAE Systems Detica
Stephen Yates
Travelers Management
Zurich enrols all 150 risk engineers
All of Zurich’s 150 risk engineers (see IRM News, page 44) have become institute members. Congratulations to all of the
below on joining us:
Kevin Abbott
David Allison
Jack Ashworth
Ian Avis
Graham Brazier
Steph Buckle
Bert Campbell
Martin Clemmit
John Currie
Ralph De Mesquita
Ian Dunbar
Tony Fagan
Robert Foggitt
Brian Friar
Andrew Grantham
Chris Haseley
Sally Jenner
Gary Jones
Chris Knowles
Killian Liston
Fabio Lupo
Shelley Marshall
Bernel Mayers
Ade Adeyemo
Catherine Aislabie
Huw Andrews
Alex Arteaga
Mike Aspinall
Tim Astley
Mark Barry
Stuart Blackie
Stan Brejza
Sarah Brown
Joan Burstow
Luca Bussani
Gavin Chalmers
Bradley Clarke
Philip Coley
Peter Coulsey
Rupert Damms
Ian Dann
Paul Dean
Martin Dippnall
Andy Dyehouse
Steve Elgar
Paul Farmer
Robert Farrell
Neil Ford
David Forster
Lisa Frost
Yojana Ganda
Brian Green
Vivien Gumble
Angela Hodder
Gary Howe
Michael Johnson
Simon Johnson
Sharon Kearns
Mick Kelly
Marc Leblanc
Stephen Leveritt
Stuart Lloyd
Michael Long
Kevin Lyons
Mandy Maris
Bev Martin
Raida Mashal
Geraldine McFaul
Philip McManus
Aeid Albelwi
Stephen Arundale
Helen Aston
Carole Booker
Curt Bryant
Jo Caley
Ian Clarke
Carl Coulter
Malcolm Davies
Derek Downham
Alan Ely
Paul Feltham
Jerry Fox
Richard Geary
Ady Hall
John Howe
David Jones
Louisa Knight
Lynne Liddiard
Davina Lonsdale
John Marriott
Gordon Matchett
Ross McMillan
Ronan Meghen
Tracey Moore
Oluwaseun Oladiran
Richard Parslow
Nicola Phipps
John Platt
Alan Ross
Jim Smith
Nick Strong
Cliff Vaughan
Tilden Watson
David Williams
Mark Middleton
Kevin Morris
Peter Oxenham
Rhodri Pashley
Howard Pilling
Andy Price
Paul Rowbotham
Nicol Smith
Nigel Tribe
Andrew Ward
Gordon Weir
Alison Wood
Mark Midgley
Stephen Mills
Emmy Muandingi
Steven Mulry
Kevin Parker
Claire Parker-Harrison
Sarah Pearson
Rod Penman
Clive Pinch
James Pinner
Owen Rees
Paul Richards
Liz Sheehy
Dale Sibanda
George Solarski
Ian Stanton
Justine Trimmer
Claire Tutt
Ann Watson
Les Watson
Robert Whyte
Alex Wicks
Ian Wrightson
Become an IRM member
IRM membership can support you throughout your career, whether you
see risk management as your profession or as a key skill. Membership
provides you with recognition, networking opportunities, knowledge and
career support. To find out more about becoming a member visit:
www.theirm.org/joining/JOjoining.html
thought leadership
Future thinking
Carolyn Williams MIRM provides her regular round-up of the latest issues, ideas and initiatives
from IRM’s thought leadership activities
Risk culture – IRM’s risk culture working
group has been undertaking survey-based research to support the group’s
discussions.
So far the group has been looking at
individual risk perspectives, organisational
risk culture and whether different cultural
models make it more or less difficult to
implement various aspects of risk management. Preparation of a first draft guidance
document is now underway. This will be
released for wider consultation in the
summer. Any IRM members who feel that
they have a contribution to make to the
work should e-mail Carolyn Williams at
carolyn.williams@theirm.org.
Vodafone perspective report on
exploring attitudes towards risk – IRM
has recently contributed to work undertaken by UK mobile telecommunications
company Vodafone aimed at raising
awareness of risk management and
business continuity among their corporate
customers. The work incorporates some
of the guidance on risk appetite produced
by IRM last year and can be found at:
http://www.vodafone.co.uk/consumer/
groups/public/documents/webcontent/
vftst162178.pdf
CfA risk governance national
occupational standards – IRM will be
contributing to a CfA – formerly known as
the Council for Administration – working
group that will be developing national
occupational standards in risk governance
for the UK. National occupational
standards set out the competencies
and knowledge required
to undertake particular functions within
organisations. The new standards will be
issued towards the end of the year.
The IRM game – following a pilot
scheme involving IRM members around
the world plus some training sessions at
IRM’s recent Professional Development
Forum in Manchester, UK, the files for
the IRM Game have been placed in the
members’ area of the IRM website for
any member to access. The game aims to
help communicate basic risk management
concepts within an organisation by means
of a role-playing game.
IRM Risk Leaders’ Conference – our
third Risk Leaders’ Conference will take
place on 20 November 2012 in London,
focusing on risk at board level. Speakers
confirmed to date include Michael
Woodford, ex-CEO of Olympus and Jim
Sutcliffe, chairman of the UK Financial
Reporting Council’s codes and standards
committee, which has responsibility for
the Turnbull Guidance on internal control.
Further details about the conference
will be included in Risk Management
Professional in September and will also be
sent to all IRM members, but if you would
like to pre-register your interest please
e-mail events@theirm.org.
Online Resource Centre (ORC)
IRM’s online resource centre for members
provides easy, searchable access to
hundreds of documents and links on
various aspects of risk management.
Recent additions include:
• UK climate change risk assessment – a
major report from the UK’s Department
for Environment, Food and Rural
Affairs (Defra)
• Future risk - social and economic
challenges for tomorrow – a collection
of expert essays commissioned by the
Chartered Insurance Institute
• Emerging risks 2012 – a report based on
a recent London risk seminar
• Turning risk into results - how leading
companies use risk management to
fuel better performance – a report from
Ernst & Young
Any IRM members who would like to
submit papers for inclusion in the ORC
should contact Carolyn Williams at
carolyn.williams@theirm.org.
Carolyn Williams MIRM
is head of thought leadership
at IRM
IRM FOCUS: Education
Examination successes
International certificate
Three hundred and fifty five candidates
sat the November 2011 examinations, of
whom 86 per cent achieved a pass, merit
or distinction grade in each of the papers
– Theory of risk management and
Application of risk management. This was
slightly lower than the June 2011 session,
where 91 per cent of candidates passed
both papers.
Most of the November papers were
completed to a high standard, as shown
by the number of candidates achieving
merit and distinction grades:
                                 Distinction    Merit         Pass          Overall pass rate
Theory of risk management        43 (23%)       70 (38%)      36 (19%)      81%
Application of risk management   58 (34%)       63 (37%)      35 (9%)       91%
Totals                           131 (29%)      133 (38%)     71 (14%)      86%
Comparison of pass rates June 2010 – November 2011

                                 Nov-11    Jun-11    Nov-10    Jun-10
Theory of risk management        81%       87%       88%       86%
Application of risk management   91%       96%       89%       92%
Totals                           86%       91%       89%       89%
International Diploma
International Diploma in Risk Management
The institute would like to congratulate
the following candidates who were
successful in their Level 3 assignment
and have now completed the International
Diploma:
• Gayle Marshall
• Panagiotis Loizou
• John Davis
Financial services
Risk Management in Financial Services
46 candidates sat the November 2011 examination and the overall pass rate was 63 per cent. This compares with 29 candidates who sat
in June 2011 with an overall pass rate of 76 per cent.
                                          Distinction    Merit         Pass          Overall pass rate
Risk Management in Financial Services     1 (2%)         7 (15%)       21 (46%)      63%
directory of risk management professionals
To advertise in this directory please contact Steve Good on +44 (0)20 7562 2435 or steve.good@rmprofessional.com
ENTERPRISE RISK MANAGEMENT
Harnser Group Ltd
69-75 Thorpe Road
Norwich NR1 1UA
Tel: +44 (0)1603 230534
Email: info@harnsergroup.com or
info@prismworld.org
Web: www.harnsergroup.com or
www.prismworld.org
PRISM® (Performance and Risk-based Integrated Security Methodology) is a
complete risk management framework that can be applied to any organisation
that faces security risks. It reflects best practice in security risk thinking and
ensures cost effective security solutions that support the delivery of strategic
objectives anywhere in the world. The methodology forms the basis of the
Reference Security Management Plan (RSMP) written at the behest of the
European Commission for owners and operators of energy infrastructure assets
across the European Union. In Q2 2011 PRISM® software will be available to
support the application of a consistent security risk management approach
across multiple sites.
Harnser Group is an international specialist in security risk management for
government and commercial organisations in areas of technical design,
governance and audit. Our aim is to deliver high quality advice and to
challenge traditional thinking about security risk to raise awareness amongst
other stakeholders of the impact on strategy, finance and operational decisions
made by organisations to protect and enhance shareholder value.
Active Risk
Active Risk Manager from Active Risk
1 Grenfell Road
Maidenhead
Berks
SL6 1HN
Tel: 01628 582500
Fax: 01628 582600
www.activerisk.com
Active Risk provides software and services for the management of project,
portfolio, operational and true enterprise risk management. Active Risk
Manager™ (ARM) is the world’s leading web-based Enterprise Risk
Management (ERM) system.
Active Risk was founded in the UK in 1987 and opened offices in the US in
2004. Active Risk Manager is used by major organisations around the globe
including BAE Systems, British Nuclear Group, Rio Tinto, Lockheed Martin,
Nestle, United States Air Force, NASA, London Underground and SABIC.
For further information and a detailed view of Active Risk’s products and
services visit www.activerisk.com or call +44(0)1628 582500 (EMEA) or
+1 703 673 9580 (Americas)
VALUATION
Charterfields Limited
International Asset Consultants
36-38 Cornhill, London
EC3V 3PQ
Tel: 0870 0434170
Fax: 0870 0434172
E: neil.warburton@charterfields.com
www.charterfields.com
Charterfields' insurance valuation services provide clarity and certainty in relation
to the insurance of material assets. This advice:
• protects a business against the consequences of under or over insurance;
• facilitates more accurate MPL calculations;
• determines fair premium allocation;
• provides market confidence when placing cover; and
• gives impartial and credible valuation data.
We act on behalf of major corporations, brokers and risk managers, covering all
business sectors around the world.
We offer a range of survey options, including cost modelling reviews that
provide risk managers with quick and cost effective initial advice on the
accuracy of declared values.
RISK CONSULTANCY
Risk Doctor & Partners
Risk Doctor Surgery,
Lower Heyshott, Petersfield,
Hampshire GU31 4PZ, UK
Telephone: +44(0)7717 665222
Email: info@risk-doctor.com
Web: www.risk-doctor.com
Specialist risk management support from Dr David Hillson and selected partners,
combining leading-edge thinking with expert practical application, offering
access to the latest developments in risk management best practice.
With an enviable track record in diagnosis and treatment, and a strong
emphasis on managing opportunities through the risk process, we provide a
unique approach to understanding and managing the uncertainties facing your
business.
Services are available worldwide, including coaching & mentoring, capability
benchmarking, process development, risk assessments, and skills training.
INSURANCE CLAIMS HANDLING & RISK MANAGEMENT SOFTWARE
JC Applications Development
Manor Barn
Hawkley Rd
Hawkley
Liss
Hampshire GU33 6JS
Tel: +44 (0)1730 712020
Fax: +44 (0)1730 712030
Email: jcad@jcad.co.uk
Web: www.jcad.co.uk
At JC Applications Development Ltd we believe that our commitment to
providing simple to use yet feature rich applications for claims and risk
management, is what has enabled us to grow a successful and satisfied client
base of over 160 organisations. Although our clients occupy very
different sectors of business (for instance UK Central & Local Government,
US Government and Commercial), their requirements converge when looking for a
proven technology solution provider.
If you are looking to improve upon the way you handle claims or manage risk
then JCAD have the right mix of products and services to guarantee a cost
effective and timely implementation.
RISK MANAGEMENT CONSULTANCY
Risk Management Consultancy
Ove Arup and Partners
The Arup Campus
Blythe Valley Park
Solihull
B90 8AE
Tel: +44 (0) 121 213 3000
Email: Rob.Davies@arup.com
Web: www.arup.com
Arup provides tailored Programme and Project Risk Management (PPRM)
support to its clients across numerous industry sectors (e.g. Energy; Transport
Infrastructure, Commercial Property), capitalising on the Firm's core
engineering and project management skills.
We provide these services at all project lifecycle stages, helping to manage
both threats and opportunities to cost and benefit streams. In particular, our
risk quantification expertise ensures we can reliably contribute to business
case development, procurement and delivery structuring, tender evaluation,
project controls during implementation and cost-effective transition to full
operation. Importantly, we've also developed a Monte Carlo-based decision
support tool for optimising asset management strategies.
As part of our PPRM service offering we specialise in five key areas:
• Project Risk Management (PRM);
• Quantitative Risk Analysis (QRA);
• Asset Risk Management (ARM);
• Enterprise Risk Management (ERM); and
• Business Continuity Management (BCM).
Risk Decisions Group
Whichford House, Parkway Court
Oxford Business Park South
Oxford, OX4 2JY
Catherine James, Office Manager
Catherine.james@riskdecisions.com
+44 (0)1865 718 666
Fiona Racher, Business
Development Director
Fiona.racher@riskdecisions.com
+44 (0)1865 718 666
www.riskdecisions.com
Risk Decisions have the expert people and the market leading training and
software that organisations need to develop their internal capability in risk
management.
Risk Decisions specialise in supporting government bodies and companies
undertaking large capital projects or seeking to manage risks in order to
meet corporate governance obligations, covering enterprise, business
programme and project risk management.
By providing an appropriate mix of consultancy, training, coaching and
software, Risk Decisions equips teams with the knowledge and the skills
needed to embed effective risk management practice into mainstream
business activities.
RISK MANAGEMENT INFORMATION SYSTEMS
Covalent Software
3 Hammet Street
Taunton
Somerset TA1 1RZ
www.covalentsoftware.com
+44 (0)1823 323239
Covalent ERM, used by 160+ organisations, brings risk management to life as
a dynamic process, rather than the static, disconnected approach offered by
spreadsheets. It streamlines the whole risk identification, assessment, treatment
and monitoring process, providing real-time profiling and alerts, regular
re-assessments and continuous controls monitoring. It facilitates proactive
management of risk, minimising likelihood and impact, and provides easy
tracking of mitigation plan progress and key risk indicators.
It also aligns risks with strategic objectives, giving full visibility of how risks
directly threaten those objectives and what's being done about it.
Covalent ERM delivers increased risk responsiveness, improved
governance performance and a streamlined, lower cost, dynamic risk
management process.