Managing Business Risk
A Practical Guide to Protecting Your Business
5th edition

consultant editor: Jonathan Reuvid

OPPORTUNITY


the power of financial management in business

CIMA Professionals drive some of the world’s most successful organisations.
CIMA professionals work as an integral part of multi-skilled management teams and carry out a range of activities:

• the generation and creation of value through effective strategic decision making and deployment of resource
• formulating business strategy to create wealth and shareholder value
• plan long, medium and short run operations
• determine capital structure and fund that structure
• measure and report financial and non-financial performance

For further information about CIMA, the Chartered Institute of Management Accountants, visit www.cimaglobal.com


London and Philadelphia

Publisher’s note

Every possible effort has been made to ensure that the information contained in this book is accurate at the time of going to press, and the publishers and authors cannot accept responsibility for any errors or omissions, however caused. No responsibility for loss or damage occasioned to any person acting, or refraining from action, as a result of the material in this publication can be accepted by the editor, the publisher or any of the authors.

First published in Great Britain and the United States in 2003 by Kogan Page Limited
Second edition 2005
Third edition 2006
Fourth edition 2007
Fifth edition 2008

Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form or by any means, with the prior permission in writing of the publishers, or in the case of reprographic reproduction in accordance with the terms and licences issued by the CLA. Enquiries concerning reproduction outside these terms should be sent to the publishers at the undermentioned addresses:

120 Pentonville Road, London N1 9JN, United Kingdom
www.kogan-page.co.uk

525 South 4th Street, #241, Philadelphia PA 19147, USA

© Kogan Page and Contributors, 2003, 2005, 2006, 2007, 2008

The right of Kogan Page and Contributors to be identified as the authors of this work has been asserted by them in accordance with the Copyright, Designs and Patents Act 1988.

The views expressed in this book are those of the authors, and are not necessarily the same as those of the Institute of Risk Management.

ISBN 978 0 7494 5059 5

British Library Cataloguing-in-Publication Data
A CIP record for this book is available from the British Library.

Library of Congress Cataloging-in-Publication Data
Managing business risk : a practical guide to protecting your business / [edited by] Jonathan Reuvid. -- 5th ed.
p. cm.
ISBN 978-0-7494-5059-5
1. Risk management. I. Reuvid, Jonathan.
HD61.M26 2008
658.15'5--dc22
2007052112

Typeset by JS Typesetting Ltd, Porthcawl, Mid Glamorgan
Printed and bound in Great Britain by Cambrian Printers Ltd, Aberystwyth, Wales

The Institute of Risk Management

The Institute of Risk Management (IRM) is risk management’s leading professional education and training body. It is a not-for-profit organisation owned and governed by its members who are all practising risk professionals.

The IRM provides a broad range of courses to help you build your knowledge and skills. The two-day awareness course on the Management of Risk and Uncertainty is taught across the world and throughout the year. The International Certificate in Risk Management is an introductory qualification, with no entry requirement, which is studied through distance learning. The International Diploma in Risk Management is a postgraduate qualification for the risk management professional. It is designed to equip today’s practitioners to become the risk managers of tomorrow, through the development of a solid, progressive and practical set of skills which in turn enhance career portability, personal status and reward.

Whether you see risk management as your profession or as a key skill, IRM membership can support you throughout your career. Membership provides you with information, networking opportunities and recognition. Become an IRM member and you get all the following included in your subscription:

Information
• InfoRM, the Institute’s bi-monthly magazine containing news, articles and job vacancies
• A free subscription to Strategic Risk magazine
• Discounts on relevant activities such as conferences and events from third parties
• A free subscription to CIR (Continuity, Insurance and Risk) magazine
• Access to the members’ only section of the website which includes the members’ discussion forum

Networking opportunities
• Membership of any of the special interest groups you want to join
• Membership of your local regional group
• Free Annual Lecture focusing on the topical issues in risk management
• Discounted entry to the Risk Forum, the Institute’s annual conference and dinner

Recognition
• Designatory letters (depending on your membership grade)
• The opportunity to study for an internationally recognised risk qualification

There are six grades of membership starting with Affiliate which has no entry requirements and is open to everyone with an interest in risk management. To become a member all you need to do is simply complete and return the application form from our website (www.theirm.org) or phone us on 020 7709 9808.

Institute of Risk Management
6 Lloyd’s Avenue, London EC3N 3AX
+44 (0)20 7709 9808
enquiries@theirm.org
www.theirm.org

Achieving Competency in Risk Management

Individuals, businesses and economies all need better skills than ever before. The Leitch Review of Skills published in the UK in December 2006 concluded that world class skills would be the key to economic success and social justice in the new global economy but also warned that too many of us have little interest or appetite for improved skills and that employer and individual awareness must increase. Improved skills and competencies are needed at every level and in every business area, including risk management.

Organisations are becoming more aware of the complex risks that they face and are starting to put into place the processes to address them. Stakeholder expectations of effective risk management are also rising. Yet there is still a long way to go: Aon’s 2007 Global Risk Management Survey¹ found that over 25% of firms were not ready to handle the key risks identified – they had not undertaken any form of formal review and had not formulated a plan to deal with them. When it came to reputational and market risks up to 65% of firms were unprepared.

So we all know that there is much to be done – but, back to Leitch, do we have the skills to do it? A 2005 study² by Lloyd’s concluded that whereas global business leaders were taking risk much more seriously (in just three years the time spent by boards on risk management had risen four-fold), there was a need for better education and training – less than a third of boards were training their staff in risk management skills and only 18% of board members had obtained such training themselves.

So how can an organisation improve its competence in risk management? Here are some pointers:

• Get trained – it’s right to say that all good managers are instinctively managing risk but there is a limit to how much you can make it up as you go along. There are specialist risk management skills and techniques that can be learned that will make life easier and improve results. Short courses in risk management include the two day Management of Risk and Uncertainty course offered by the Institute of Risk Management (IRM) – this is available either as a public course or can be brought in house and tailored to your organisation.

• Get educated – look out for the internationally recognised qualifications CIRM, MIRM and FIRM (Certificant, Member and Fellow of the Institute of Risk Management respectively). Other professional bodies may also have a risk management module available as part of their qualifications. There are also an increasing number of specialist MSc courses in risk related subjects being offered by Universities.

• Get in the experts – if you decide to seek advice from consultants or other professional firms then check that they also have relevant professional qualifications.

• Get the right tools – there are a number of risk management standards in circulation that will help you develop a systematic and organised approach. These range from the IRM/ALARM/AIRMIC Risk Management Standard, which is a simple plain language guide for the average business manager through to the COSO standard from the USA which has a strong regulatory/audit focus.

• Get yourself a network – strengthen your risk management contacts and access to information resources. Link into other risk professionals via attendance at risk conferences or through membership of a professional body such as the IRM which provides local and specialist groups and an online community and resources. IRM offers affiliate membership to anyone with an interest in risk who wishes to plug into the international network.

• Get your act together – organisations that aren’t good at communicating, managing or relationships won’t be much good at managing risk either. Successfully embedding effective risk management across your organisation requires a healthy management competence overall.

Carolyn Williams
Development Manager
The Institute of Risk Management
December 2007

¹ AON Global Risk Management Survey April 2007, Aon Corporation, www.aon.com
² ‘Taking Risk on Board’, Lloyd’s in association with the Economist Intelligence Unit, 2005, www.lloyds.com

advertisement feature

call +44 (0)20 8996 9001.95 UK (inclusive of VAT).New Confidence in your business continuity BS 25999-1:2006 Business continuity management. so that you know that you are assessing your organization‟s performance against this recognized standard. Code of practice BS 25999-1 is a code of practice that takes the form of guidance and recommendations. other electronic products and Conferences and Training Courses. which has now been withdrawn.com/BS25999online for details. FREE P&P to BSI Subscribing Members. providing a basis for understanding. CDs.95 Rest of the World (+VAT if applicable) – one-off charge added to your order of 10 items or fewer. Please contact +44 (0)20 8996 7555 or email ProductSupport@bsi-global. DVDs. and to be used by large.com/shop *P&P £5. Developed by practitioners throughtout the global community it establishes the process. size and nature of business. regardless of type. see www. © BSI 2007 . content and publishing dates may be subject to change. All prices. Price £90* Member Price £45 To order please contact BSI Customer Services quoting marketing reference code BCMB-SP Tel +44 (0)20 8996 9001 Fax +44 (0)20 8996 7001 Email orders@bsi-global. Price £100* Member Price £50 Multi-user licences are available. £9.bsi-global. VAT is applicable to all purchases of PDF downloads. BS 25999 Business Continuity Self-assessment Online Tool This new web-based tool contains 191 questions. commercial. giving you confidence in your BCM policies and procedures. JUST PUBLISHED BS 25999-2:2007 Business continuity management.com/BS25999online Sponsored by The BS 25999 series is applicable to all types of businesses.com www. Order Now! Price £225 + VAT This price entitles one user (one user ID and password) to unlimited use of BS 25999 Business Continuity Self-assessment Online for the period of their annual subscription.com for a quote to give access to more than ten users in your organization. 
developing and implementing business continuity within an organization and to provide confidence in business-to-business and business-to-customer dealings.bsi-global. principles and terminology of business continuity management (BCM).bsi-global.bsi-global. following BS 25999-1.com/Businesscontinuity raising standards worldwide ™ Standards and publications may also be ordered via the BSI shop at www. Specification BS 25999-2 specifies requirements for setting up and managing an effective Business Continuity Management System (BCMS) in the following areas: • • • • Planning Establishing Implementing Operating • • • • Monitoring Reviewing Exercising Maintaining and improving FREE DEMO A free demo of the BS 25999 Business Continuity Self-assessment Online tool is now available. For details of BSI Membership. visit www. Pre-payment is required by non-Members. public and voluntary sectors. BS 25999-1:2006 replaces PAS 56:2003. clause by clause. It is intended to serve as a single reference point for identifying the range of controls needed for most situations where BCM is practiced in industry and commerce. medium and small organizations in industrial.

At GJE we specialise in supporting start-up and early stage companies and we are recognised by the Legal 500 as an industry leader in this area. By working with our clients and understanding their business objectives we deliver professional and pragmatic advice on the development of cost-effective IP strategies and their role as an essential element of any successful business plan. Our commitment to a partnership approach with our clients has benefited many of them through several rounds of funding, leading to trade sale or IPO. If you want your IP advice in plain English from a firm with a true business perspective, then please visit our web site or contact Peter Finnie or Arnie Clarke on +44 (0)20 7377 1377.

Keep the focus upon your reputation management

Amsterdam • Brussels • Copenhagen • Stockholm • Oslo • Vilnius

Analysing your exact position in the market is easy with the right tools and experience. CISION, the world’s market leader in communications management, provides you with actionable insights and enables you to make more informed decisions. Contact your CISION representative in London. We are just a phone call or a click away.

Media Intelligence. Communication Insights.

Cision UK
Cision House, 16-22 Baltic Street West, London EC1Y 0UL
Phone 0870 736 0010 • Phone +44 (0) 20 7251 7220 • Fax +44 (0) 20 7689 1164
info.uk@cision.com • www.uk.cision.com

• London • Stuttgart • Lisbon • Chicago • Toronto • Hong Kong

AA. cost-effective and integrated insurance solutions. XL Insurance is the global brand used by member insurers of the XL Capital Ltd group of companies. advertisement feature . XL Capital Ltd.by Fitch.Professional . Best. through its wholly owned subsidiaries.M.Casualty . Aa3 by Moody ‟s. XL Insurance has the expertise to cover risk exposures ranging from world-wide property/casualty insurance to professional lines. in addition to the quality and variety of our solution-focused products created to precisely meet your insurance requirements: . XL Insurance – intelligent risk solutions “XL Insurance” is the global brand used by member insurers of the XL Capital Ltd group of companies. environmental. reinsurance and risk engineering solutions with around 4000 staff globally.XL INSURANCE companies are chosen by the world ‟s leading firms for the strength of our capital and the depth of our experience.xlinsurance. Dedicated client relationship mangers work with underwriters and risk engineers to offer flexible tailor made solutions.Specialty Experience our strength: www. XL Insurance companies offer a global network of owned operations and partner relationships that allow us to provide service to the world's insurance markets with local knowledge and expertise in 80 plus countries. marine. fine art & specie. 2007. The XL Insurance companies have one or more of the following ratings: A+ by A.com The strength to cover business risks worldwide. Ratings accurate as of 7th June.Property . A+ by Standard & Poor‟s. energy and product recall insurance. As a global leader in its field XL Insurance helps industrial and commercial businesses manage their risk by offering comprehensive. is one of the world‟s largest providers of insurance. «XL Insurance» is a registered trademark of XL Capital Ltd.

Conclusions 35 Using management systems for risk management and corporate governance Nicki Dennis. Implementing management systems 42. Certification 44. Conclusion 15 Strategic business risk 2008: the top 10 risks for business Fiona Sheridan. ISO 31000: an international risk management standard 42. SAS UK & Ireland What is enterprise risk management? 30.2 17 1. Risk systems 35.4 39 . Best practice 43. Risk as the „new‟ quality 41. HSBC Operational Risk Consultancy Enterprise risk management 9.3 27 1. Regulation and process 31. Ernst & Young LLP The top 10 risks for business 18. by Steve Fowler. BSI British Standards Management systems 40. The Institute of Risk Management (IRM) Contributors‟ notes Introduction Part 1: Risk Management Strategy 1. Competitive advantage 44. Conclusions 25 Enterprise risk management and the role of technology: the answer to and cause of all our business problems Bart Patrick.Contents Foreword: managing the future. Systems 32.1 Enterprise risk management: breaking down the risk silos James Dickson Leach and David Breden. Chief Executive. The next five 24. The future 45 xxxiii xli 1 3 5 1.

uk lb learn more about u can prevent your company being next. you may want to visit our www. DEPARTMENT FOR BUSINESS ENTERPRISE & REGULATORY REFORM . our online filing service.gov. You need to register for a security code (issued by email) and an authentication code (issued by post to your registered company office) and then you can give us much of the information about your company electronically. is a far safer and more secure way to send us statutory information than using paper forms sent by post. It's also 50% cheaper to file your annual return online.. We will then only accept forms relating to changes of address and directors' details from you electronically.safe and simple Using WebFiling. We will not accept any of these documents on paper unless the company and directors authorise it.porate and ntity frauds are reasing significantly st common cases of corporate fraud involve forms ent to us showing changes to a company's details. ROOF PROtected Online Filing Once you have received your authentication code to file electronically.get the bigger picture The Companies House Monitor service enables you to keep an eye on your competitors. You know that certain company information lies within the public domain.f onitor Monitor . I9$. Fraudsters then use len identity of the company to order goods and s based on that company's creditworthiness. business collaborators and your own company and 'monitor' which documents have been filed into Companies House. you can then sign up to our new protected online filing service known as PROOF which is designed to reduce fraud still further. Here ee ways to prevent your company being next WINNER bFiling Webfiling . so what could be more efficient than information that could help or protect your business being available to you the moment it is filed? ype of'fraudis on the increase.companieshouse. subsequently prove to be false.

Two views of uncertainty 52. In summary 60 46 1. Communication. Risk management initiatives are fragmented 68. The long tail of digital content 74. We the gatekeepers 77. Reporting of reputation risk 86. Management of reputation risk 86. Future trends 86 Contract risk Robert Chapman and Dominic Healey. Identification of reputation risk 85.5 Embedding risk management – practically Lee Tricker. Procuring a service or product 95. Cision Inside the attention economy 73. Identifying champions 48. Identifying the board‟s appetite for risk management 90. Reputation 82. Chartered Institute of Management Accountants (CIMA) Introduction 81.CONTENTS xv • 1. Contracts 91. Mapping the landscape 76. communication. Thomas Miller Risk Management Introduction 46.3 81 2. Board accountability 90. Business planners fixate on certain types of risk 67. Carrots and sticks 48.4 89 . UMU. Appleyards Practical tools for thinking and planning with uncertainty designed-in 51. The future of news 79 Corporate reputation Gillian Lees. Political risk management is misaligned with business planning process 69. Siemens Insight Consulting Introduction 89. Risk assessment workshops 47. Risk managers fixate on certain mitigation tools 68. Understanding the organization‟s structure 47. Risk Dynamics 57. Social upheaval 77.1 Political risk James Smither.6 51 Part 2: Corporate Risk Concerns 2. Towards best practice political risk management 70. Building on existing foundations 47. communication 49. Search engine optimization and measuring search 76. Risk management applications 91. Control Risks Political risk is not recognized as unique 66. Conclusion 50 New perspectives in strategic risk Scott Hartop and Allan Robinson. Conclusions 71 Reputation and emerging communications technology Paul Miller. Causes of reputation risk 84.2 72 2. Conclusion 97 63 65 2. Delivering a service or product 93. Measurement of reputation risk 85. Identifying responsibility 90.

Meerkats post a lookout to watch for imminent threats. They can’t predict when danger is on the horizon. But you can. With proven risk management software from SAS.

www.sas.com/meerkats

SAS and all other SAS Institute Inc. product or service names are registered trademarks or trademarks of SAS Institute Inc. in the USA and other countries. ® indicates USA registration. Other brand and product names are trademarks of their respective companies. © 2008 SAS Institute Inc. All rights reserved. 474668US.0108

5 Managing reputational risk as a PLC William Cullum. Centre for Effective Dispute Resolution (CEDR) Preface 111. Rehearsing and training exercises 108.1 Managing risk through management systems Mike James.2 142 . McKinty & Wright The language of law 129. Corfin Communications Reputation: your licence to operate 98.CONTENTS xvii • 2. Tailored cover for industrial/commercial entities 123. Objectives 106. Testing the crisis management plan 108. How to get there 115. Mistakes to avoid 130. Traps for insurance buyers 122.6 105 2. Regulation and simplification 125. Is there any good news? 114. Strategic Risk Partnerships Ltd Insurance as a factor in corporate risk management 121. Learn what is expected of you 99. Conclusions 110 Conflicting priorities – best practice in conflict management Graham Massie.7 111 2. Developing a conflict management strategy 115. Crisis management planning 107. Adopting management systems 139 Using scenario analysis and stress testing to quantify and manage operational risk David Breden. So what should you do? 131 98 2. The principle of trust 126 Managing litigation risk: lost in translation Sean McGahan. Commercial Security International Limited (CSi) Introduction: the evolution of terrorism 105. The cost of conflict 112. Conclusion 118 Latent risks in commercial property damage and business interruption insurance Ian Drewer. Methodologies for 133 135 3. The internet: a frontier moves closer 101. Lloyds Register Quality Assurance (LRQA) The management of major risks outside the management system 135. Conclusion 102 Terrorism: rehearsing crisis management plans Roy Ramm and Neil Miller. What does the world say about you? 102. HSBC Operational Risk Consultancy Defining stress tests and scenario analysis 143.9 128 Part 3: Risk Issues in Operational Management 3.8 119 2. Never speculate 101. A universal condition 112. Current threat and motivations 106.

Synergi® manages all non-conformances. incidents. www.com Synergi Solutions AS www. audits.com detecting risk . communication and experience transfer. assessments and improvement suggestions. risk.synergi. Synergi® is a complete business solution for risk and non-conformance management. Synergi® covers all workflow processes such as reports. management.Reduce Risk with Synergi® All in one risk management solution Reduced risks mean reduced costs.synergi. corrective actions. risk analyses. analyses.

Conclusion 148 3.8 A shared business continuity challenge: protecting SMEs and the supply chain 185 Mike Osborne. The use of scenario analysis in the quantification of operational risk 148. Gill Jennings & Every LLP Introduction 195. The business risk environment 160. Advantages of scenario planning 146. A structured approach 198. Lloyds Register Quality Assurance (LRQA) The changing nature of risk 172. Assessing the loss exposure 180.5 163 3. Gazing at the crystal ball 167 Risks in the supply chain and how to manage them Tim Kitchin and David Lawson. What‟s the answer? 166. Shortcomings of scenario analysis 147. SunGard Availability Services (UK) Limited Misconceptions lead to complacency 165. Securing the brand 183. Conclusions 200 . BCM set to move up the corporate agenda 165. Mitigating the loss 182. Principles of supply chain assurance: the four Cs 175 Product recall: assessing risk in the food industry Ed Mitchell. Conclusion 184 149 3. The implications of BS 25999 for the supply chain 188. Culture and behaviours 155. Norland Managed Services Limited Introduction 149. The right tools for the job 160.3 Critical engineering and risk management: avoiding complacency Paul Saville-King. XL Insurance Company Limited Regulatory risk 177.1 Intellectual property or poverty? An IP risk guide for business Peter Finnie and Arnie Clarke. The changing nature of supply chain management 173. ICM Computer Group Disaster Cover Direct 187. Helping the supply chain 188 193 195 Part 4: Intellectual Property Risks 4. IP due diligence 199. Sources of information 145. What risk? 196.6 171 3.7 177 3. The five pillars 152.CONTENTS xix • developing scenarios 144. Chartered Institute of Purchasing & Supply (CIPS) Value generators and value protectors 157.4 157 3. A new model 156 The role of strategic purchasing and supply management in risk management Emma Brooks. Summary 162 Carrot and stick: why BS 25999 is set to change the way the UK does business Keith Tilley.

Innovation Centre. AL10 9AB 456 4136 Fax: 0845 456 4137 Web: www.leet Risk Profiler™ prise-wide comprehensive fleet risk assessment Make a real step change in fleet risk management: uce risks and improve efficiency to save time & money Risk profile & risk assess your sites and suppll chain Benchmark your performance internally & externally How do you make that step change? Use a comprehensive real time online Fleet Risk Profiler TM risk management methods Call today for details of an online demonstration Fleet Risk Profiler'.com Email: info@fleetriskprofiler.com ol to access business focused & commercially relevant .Herts. Hatfield.fleetriskprofller. College Lane.

commercial.Fleet Risk Management John Stevens. Resulting control measures normally only relate to the core focus of the initiative. this risk area is one that can not be ignored. within organisational aspects. both home based delivery and local retailer availability. insurance claims and premiums and diverted management time and resources. Yet with the importance of fleet transport. so road based transport methods have become the automatic choice. Initiatives typically deal with driver recruitment and training. accident data and post accident management. In turn this has raised concerns about environmental impacts and an increasing discussion about viable alternatives. They also need tools and techniques to improve the management of a broad range of fleet and related risks and to assist the process of integration with normal business processes. The use of fleet and related operations to satisfy organisational and supply chain needs has substantially increased over the last fifteen years. human resource issues. sites. Fleet risk management is often viewed as a pure operational level activity. So. It will also elevate fleet risk management to a strategic level activity. vehicle and personal injury accidents. ever increasing. vehicles. vehicle purchasing and allocation. procurement. management and operational levels. Managing Director. coastal sea transport has not stepped in to fill the gap. Research Our research showed that organisations with fleet and related operations need a sustainable reduction in overall fleet risks and costs. The growth of the internet and general consumer spending has created a demand for „instant customer fulfilment‟. Organisations are therefore looking for new ways to identify how they are creating risks across their total operations. Pressures are increasing to think of new ways to reduce and manage risks and exposures and maximise organisational benefits from improved risk management. Additionally. management support. commercial. 
finance. As a consequence. One that covers risks across a full range of business. The ability to benchmark internally and externally is a key requirement. whether directly or indirectly managed and how risk management can add new value to business success. It needs to identify and assess risks across the whole organisation and its supply chain. journey and delivery. operational and support functions. human resources and quality are only considered in their departmental silos and not fully integrated with fleet activities. with increasing outsourcing to overseas production. drivers. the supply chains of many organisations require the use of fleet and related services to deliver „just-in-time‟ fulfilment. with resulting benefits. plus it is advertisement feature . Land based alternatives to road transport have almost disappeared. Rarely does fleet management receive a high level of management attention and very rarely is it considered as a strategically important corporate risk to be consistently managed as a key aspect of the business. where does fleet risk management sit in this scenario and how can it contribute to valid solutions that maximise opportunities for an organisation. whilst minimising risks. The procurement of goods from overseas has grown significantly. fuel consumption. The integration of fleet risk management within an overall ERM process will provide an opportunity for an organisation to set a risk appetite for the management of its fleet and related risks and manage improvements and opportunities accordingly. Fleet Risk Profiler™ Fleet risk management is now a major risk to be managed in a consistent and holistic manner. while other organisational functions – production/operations. Enterprise-wide fleet risk management Fleet risk management should involve an enterprise-wide process for integrating the risk management of fleet and related risks at strategic. loads. 
traffic volumes have grown significantly and congestion is a top-ten concern and reality for many organisations.

be linked to the overall business performance measurement process and provide benchmarking functions. In addition any approach has to include a full range of risks at strategic. different risks and risk management needs. A model shows the key points: Fleet risk profiling concept and application The corporate risk assessment process provided significant benefits over traditional risk assessment methods. public and not-for-profit. across widely variable organisations. risk assessment and benchmarking process which used valid risk management methodologies. management and operational risk managing activities. health & safety. Fleet and related operations Fleet and related operations cover a very broad range of organisational and business activities in virtually all sectors of the economy – private. requiring the application of a specific mix of strategic. produced consistent advertisement feature . These types of organisation produce greatly different risk profiles. Some organisations do have management systems. We identified that current interventions are mostly compliance based. health & safety and they vary greatly in effectiveness. The primary development objective was to produce an online comprehensive risk profiling. The approach has been used successfully for over 15 years. Our approach was developed using a combined total of over 100 years of international experience in the development and implementation of fleet. but to meet a complete range of needs further development was required. business relevance and added value.important that any approach identifies the underlying causes of risk and also opportunities to improve controls to benefit the business. dealt only with a specific fleet management process and often use a „tick-the-box‟ approach. Fleet and related operations are used in a wide variety of road transport circumstances. commercially relevant and risk based. cover a full range of business functions. management and operational levels. 
Corporate risk assessment A logical starting point to create a valid and effective methodology is to build on an existing proven process.g. both in type and level. fire and business continuity risk management systems. There is clearly a need for a holistic approach to cover a full range of fleet and related operations that could be part of an organisation‟s ERM system. operationally focused. but in the main these are focused on a compliance approach e. It was developed in response to the need for a process with a business wide focus that is comprehensive.

Risk ratings are based on a specially designed 3-D risk matrix. rather than an artificially imposed target. and across the whole organisation and its supply chain. commercial. as all sites can be assessed on a consistent and regular basis with results reviewed centrally online. detailed analysis and flexible non-prescriptive action planning guidance. User confirms responses and generates reports and benchmarking data. Organisations that can most benefit from the application of Fleet Risk Profiler™ are:  Logistics.com and 0845 456 4136. User selects „Relevant‟ risk elements. giving proof internally and externally of proactive risk management. especially as the content is applicable worldwide. adaptable. John Stevens is Managing Director Risk Frisk Ltd – john. It can be used as an internal standard. Users‟ responses generate an Operational Risk Profile Level (ORPL). Total value of risk ratings for an ORPL generates an 'Initial' Site Target. The total value of User responses generates a Site Achievement. 6. Fleet Risk Profiler™ can also reduce the cost and improve efficiency of internal auditing. for site-by-site and multiple sites and organisations‟ supply chain. vehicle types. „Final‟ Site Target is compared with Site Achievement to generate a Site Performance. management and operational levels.stevens@fleetriskprofiler.outputs and covers all types of fleet and related operations and risks at all levels. 3. risk-based consistent method of identifying and assessing a full spectrum of fleet and related risks. The development of a risk-based focused action plan based on the organisations' risk appetite leads to reduced risk exposures and costs. Those not relevant re-adjust the „Initial‟ Site Target. The ORPL allocates risk ratings to each of the 250 + risk elements. The process needed to be flexible. enables an organisation to focus on its relevant risks. advertisement feature . 
road freight/haulage transport users and suppliers of such services  Those with diverse operations in respect of load types. 8. The setting of a relevant risk managing target. Fleet risk profiling™ benefits Fleet Risk Profiler™ is an enterprise-wide process for integrating the risk management of fleet and related risks at strategic. not related to specific legal requirements. so it could be used worldwide. site sizes and operational profiles  Those with multiple sites and multi-national coverage  Those who use/rely on an extensive supply chain and 3rd parties  Those with no organisation wide. 4. John is Chairman of the IRM Transport & Logistics Group and a member of the IOSH National Consultants Committee. Benchmarking options provide internal and external comparisons (including with fleet industry sectors) to enable an organisation to set a risk managing control level and resulting resource allocations. User enters responses to risk managing status questions.fleetriskprofiler. resulting in major benefits for an organisation and its insurers. 5. management information. Risks are covered across a full range of business. 2.com. using over 900 data elements. operational and support functions. 9. With the growth in multi-national organizations the process had to use generic risk-based content. Fleet Risk Profiler™ methodology The online real-time Profiler uses the following methodology: 1. The process provides a wide range of benefits and enables an organisation to set its own risk appetite for the management of fleet and related risks. including customisation of the content to meet specific organisational needs. 7. usable for corporate level reviews. www. Automatic reports provide a strategic overview. service offerings. It adds value to client and supply chain relationships by risk assessing and undertaking due diligence of supply chain partners.

market. please contact: Tenia Chatzinikoli or William Toner on 0207 602 7282. halcrow. including strategic. To find out how we can make a difference to your business. Consulting Environment Maritime Property Transportation Water Power At Halcrow we‟re driven by the desire to find innovative solutions to life‟s challenges. Halcrow. compliance.com or visit our website. Employing over 7. We apply a systematic and integrated approach to managing risk that involves the whole of the enterprise and delivers value. objectives are successfully delivered opportunities are maximised.000 people in more than 70 offices worldwide. Here‟s how. We offer informed. The best team for the job With an impressive track record in delivering 'best in class' risk management solutions. we can bring together the best team to help you reach your goals. we have an enviable breadth of skills and expertise at our fingertips.Managing business risk Here’s how. Whatever the issue. In tune you Our detailed knowledge of risk means we can appropriate risk management frameworks to support our clients‟ businesses. Working closely with our enables us to ensure controlled. financial and project. operational. balanced and unbiased advice on how to manage business risk. email halcrow@halcrow. Satisfied clients Our clients keep coming back to us for our experience. Halcrow's specialists are experienced in addressing the complete range of risks that face an organisation.com .

What makes a good brand? 210. Novagraaf Intellectual property: a short overview 203.3 . A better way 255 251 5.CONTENTS xxv • 4. Avoiding litigation 231 201 4.4 216 4.3 209 4.2 Securing key business decisions with strong IP rights Eric Achour and Jean-Louis Somnier. SAS UK & Ireland Introduction 242. The small and medium-sized company 221. Virtualization as a tool for business recovery 239. The task in hand 253. Real time: a partnership approach? 246. The groundwork 253. The future: patent auctions 222. Bird Goën & Co The commercial risks 217. Real-time maintenance 248. Recovery point and recovery time objectives defined 236. Beck Greener The cost of patent litigation 227. LOVEN Patents &Trademarks What is a brand? 209. ICM Computer Group Introduction 235. Summary: achieving optimum business availability for IT-dependent processes 240 233 235 5. Who owns the brand? 210. Technology and the business continuity plan 240.2 The real-time enterprise: the need for NOW! 242 Bart Patrick and Mark Elkins. The spectre of third-party patent infringement 222 Intellectual property litigation Jacqueline Needle. The need for NOW! 243. „When business meets IP‟ 203. In summary 212 IP risk estimation and management: the example of patents and patent portfolios William E Bird. Maintaining the value of a brand 211. Effective use of IP 229. How IT and business continuity can work together 238. Conclusion: IP is an „insurance‟ that mitigates business risks 207 Risk-free branding Keith Loven. Developing on the real-time platform 249 Creating a risk management software solution Andrew Birch. Is the cost of enforcement a reason to avoid protection? 229. The patent portfolio 220. The causes of downtime 237. Symbiant Introduction 251.5 226 Part 5: The role of IT in Providing Risk Solutions 5. UK litigation procedures 228.1 How IT can mitigate continuity risks Alistair King. Protecting a brand 211.

stressing its importance as a vitalbusiness asset for the entrepreneurs of the future. This is the UN agency for global IP matters. We are also committed partners with: • The European Patent Office {Head Office in Munich. Books.Businesses also need to be aware of related issues like trade secrets. ent owners can enjoy exclusive ts to their inventions for up to years.before considering whether or not to grant a patent. SUPPORTING INNOVATION IN THE UK British businesses prosper when they make informed decisions about intellectual property.ipo.uk 08459 500505 UK Intellectual Property Office is an operating name of the Patent Office •• . primarily graduates in science. and with non governmentalbodies too. gans or other signs of a trader's ducts or services. registering trade marks and designs. which they can acquire by registration. The owner opyright can licence copies daptations of the work (e. and ectualproperty rights protect.no istration is required. which are ponsible for 8% of our economy's ss domestic product. ers and magazines. Switzerland). slations.and provides simplified application procedures for patents. and leading on policy for all IP including copyright. Graduates in a variety of other disciplines are employed. All staff enjoy the opportunity to develop professional and personalskills.This right tects the core property of the 's Creative Industries. music. Patent examiners scrutinise both the technical and legal aspects of a patent application. e and reward creativity. engineering and maths. working hours.Trade Marks search services and advice on registration are also available. comparing the new invention against those found in patent databases.know how and confidentiality. The UK Intellectual Property Office also provides commercialsearching services to access the vast amount of technical information available in published patents of which over 30 million exist worldwide. part-time working and generous annualleave. 
PEOPLE AT THE UK INTELLECTUAL PROPERTY OFFICE The UK IntellectualProperty Office is based in modern premises on the edge of Newport. trade marks and designs which facilitate the acquisition of rights in many countries. Training is provided in law and on the wider aspects of intellectual property.IT Services and Finance. We also raise awareness of intellectual property in schools. and employs about a thousand staff.g. de marks can be registered to tect the distinctive names. e.protecting the ign is essential for dealing with pycats'. ·The Office for Harmonisation in the Internal Market {in Alicante. • The World IntellectualProperty Organization (in Geneva. they can greatly increase their profitability.Over 300 of them are technicalexperts working as Patent Examiners. movie rights to a book ). or d exclusively by the brand owner istinguish themselves from rivals retain the goodwill and reputation ted in their name. in fashion. ents protect new technology both products and processes.logos. work and photographs. and can that information as a springboard their own innovations. Registrations for trade marks and designs binding throughout the European Union are made here. A single patent application to the EPO can result in patent rights in over 30 European countries. for instance in the Trade Marks Registry.and can provide solutions to technical problems. colleges and universities.The marks can licensed or franchised to others.domestic liances or furniture. ware and computer games are protected by copyright. films. Where roduct's 'look' gives it market re. This avoids wasted effort and duplication of research. The UK IntellectualProperty Office offers family friendly policies. vision and radio programmes.Spain).The lic benefits from seeing details of entions when published. ROLE OF IP IN INNOVATION K's economy thrives on ative products and services.g. When they understand which rights they already own automatically.gov. 
The UK Intellectual Property Office helps businesses to understand the risks and opportunities which intellectual property presents. through seminars and our website for instance.what they can licence in or out and where to seek advice. The UK IntellectualProperty Office has been recognised both for its high levels of customer service and the way it trains and develops its staff.Germany). WORKING WITH PARTNERS The UK Intellectual Property Office works with other government departments and agencies which have a role in supporting British business. enabling them to strike nsing deals or keep rivals at bay lst they establish their brand. South Wales.ellectual Property Office •••• THE UK INTELLECTUAL PROPERTY OFFICE The UK Intellectual Property Office is the United Kingdom's principal authority on ellectual property (IP) with responsibility for granting patents. igns for products or graphic bols can be registered so as rotect the distinctive outward earance of a new product. flexible pyright is free and automatic. www.

Appendix: Contributors' contact list
Index
Index of advertisers

You’ve quantified your personal injury litigation risk. Now let us help you control it.

Before it happens: By maximising the evidential function of your risk management process.
During an incident: By creating a powerful evidential function in incident management procedures.
After the event: By ensuring that claims are handled in alignment with your reputation and integrated into your risk management processes.

For further information contact our Head of Litigation Risk Management, Sean McGahan LLB CIRM on +44 (0) 2890412820 or email sean.mcgahan@mckinty-wright.co.uk.
www.mckinty-wright.co.uk

called “tort”. 3. especially the predictable exposure to personal injury claims. you will have encountered language on the issue of risk that sounds vaguely familiar. An employer‟s duty to employees is an example. If the “standard of care” you exercise is lower than a court would expect. then a court will hold you liable to pay compensation for the damage caused. messages that are there to be communicated are being lost in translation. This response can be counterproductive. and this contributes to someone sustaining a loss. which sets out how much risk is acceptable and when you will be held liable if a risk materialises and causes damage to others. How much care you have to exercise is determined by an objective “standard of care”. 2. Take a zoo. THE LANGUAGE OF LAW The law uses language similar to the language of risk management but that language is interpreted in a different way.Managing Litigation Risk-Lost in Translation Sean McGahan. Unfortunately this does not automatically translate into more successful outcomes when claims are made. an attack by a penguin is likely to result in the victim being more embarrassed than anything else. The greater the risk the greater the “standard of care” will be. On the other hand. you are deemed to owe a “duty of care” to others. Tort law sets lays down that in certain circumstances. That can be because of a misunderstanding on the part of an organisation as to the health and safety measures the law expects of organisations and an inability of organisations to communicate effectively their choices on risk to courts. The standard of care required to guard against visitors being injured by animals will vary according to the threat posed by a given animal. You then see apparent profits of business units decreased or even wiped out over the medium to long term because of claims against your organisation. Put simply. The purpose of this Article is threefold: 1. 
To provide a steer on how to create a better capability to defend decisions on risk taken by your organisation and communicate more effectively in court. If a visitor was attacked by a lion serious injury or death is the likely result. So the law requires a higher “standard of care” applied advertisement feature . To explain to you Compulsive Risk Assessment Psychosis (CRAP1) and Conpiratorial Risk Aversion Policy (CRAP2) mistakes you can make by misunderstanding the language and processes of law. Compensation for personal injury is the classic example. What can be done about this? Since 98% of personal injury claims in the UK succeed. McKinty & Wright Does this scenario sound familiar? You apply the tools and techniques of risk management (RM) and gain a deeper understanding of the costs of claims and litigation. To show you how the language of RM is a different language to the language of law. talked to lawyers or been in Court. a standard recommended response is to increase health and safety measures. An example will let you understand this. There is an entire body of law. In order to determine the “standard of care” courts are meant to look at the “magnitude of the risk”. Understanding this difference is a key to unlock controls that may reduce your residual risk If you have ever picked up a legal text book.

especially catastrophic injuries. This is because the overall process by which the issue of risk is considered by courts is very different from an RM process. Unfortunately it does not quite work out like that. Instead semantic tests. Also. So in theory if you use a sound methodology for setting a risk appetite for your organisation the law should be capable of coming to roughly the same conclusions using its process. There is also no audit of decisions to ensure a level of uniformity of decision making. which actually increases the effect of this advertisement feature . The Courts make decisions on risks without using the methodologies generally recognised in RM as key elements of high level decision-making. In the absence of contrary evidence on risk the legal process therefore has an inherent process bias in favour of setting a high “standard of care”. The result is that in the absence of good evidence on risk being given to a court. in theory the law has a means for determining what a given organisation‟s risk appetite should look like. CRAP MISTAKES TO AVOID The failure to recognise that courts have a basic approach to risk means you can easily adopt an approach to controlling the risk of claims and litigation. the law takes into consideration the “costs of preventative measures” and the “social value” of the activity being engaged upon.to lions than penguins. there is a natural tendency to take the view that some additional precaution should have been taken. of establishing the “probability of an occurrence and possible consequences. this is language which you can place a meaning on as its sounds pretty much like. Although monetary values are placed on injuries in the form of an award of damages to a successful party. these monetary values are not used to counterweight the monetary cost of precautions to prevent injury. Written judgments of courts are full of examples of variances in the “standard of care” impose by courts. 
“cost benefit analysis” and “defining your context” or “setting strategic objectives” in an RM process. Was there a risk? And was there anything that could have been done about it? Faced with an accident resulting in injury. All this means there is scope for differences in interpretation of the “standard of care” imposed by different courts. such as “reasonableness” and “practicability” are utilised. The standard of care set by the courts in individual cases can vary greatly.” In setting this “standard of care”. the House of Lords overturned the decision of the Court of Appeal on the “standard of care” that a council should exercise towards people who choose to swim in a lake. in the leading case of Tomlinson v Congleton. Courts have a naturally tendency to set a low risk tolerance. which sits well with the fact finding capabilities of a trial. Taking all of this together. judges cannot be blamed for sometimes taking a fairly basic approach to risk. A court should recognise that if the “magnitude of the risk” posed by an activity is tolerable. The law turns its back on using quantitative analysis in deciding the “standard of care”. So if you think about it. the “social value” of the activity should overrides concerns about the magnitude of the risk. Again. courts do not use quantitative analysis. RM utilises a whole range of analytical tools to make decisions about risk tolerance and you can also rank risks by creating a risk profile. A court cannot use any of these methods and is wholly dependant upon the evidence presented to it during a trial. For instance. this idea of setting a “standard of care” on the basis of the “magnitude of the risk” looks like part of an RM process.

Often the perception is gained from the results of a few cases that have went to trial or even stories in the media. or below the “standard of care”. the law interpret this. evaluation. practices and procedures become increasingly risk averse. and suggesting things that could be done about them. Courts will generally err on the side of causation and find the organisation liable. You generally see this in organisations that do not have an overall RM process in place. It sounds straightforward but few organisations actually do it. Adopt a recognised RM standard and apply that to your riskscape. The intention behind this process is to reflect the perception the organisation has of the “standard of care” expected in law. If you identify something as a risk in isolation from a risk profile. which are hampered by the policies and procedures that do not fit the organisation. It would of course be open to the Plaintiff to call evidence to attack the risk tolerance set but if the process is robust there may be little to attack. This takes two forms.process bias in favour of setting a high standard of care. The following are just some of the steps that can be taken. The result is an organisation gets flooded with documents identifying risks. then a court lacks any inherent tools to base a rejection of the risk tolerance set. Compulsive Risk Assessment Psychosis (CRAP1). The biggest mistake is to adopt CRAP risk management. You see this behind many of the most criticised rulings on risks by court. Elements of an RM process are introduced that are not part of an overall process. advertisement feature . not as you would. The MRI scan is objectively the superior methodology. analysis. without overall evaluation. The result is you are found liable. Policies and procedures become risk averse and conflict with operations. and dismissed the claim. SO WHAT SHOULD YOU DO? Plan ahead to take part in the trial process before incidents occur and claims are made. 
It is worth noting that in the leading case of Tomlinson v Congleton. If a school bans children running during break time and a child is injured while running because staff on the ground disagree with the rule and so do not enforce it. As a result individuals and operational units depart from policies and procedures in order to achieve objectives. 1. reporting and treatment of risk based upon quantitative analysis. These documents give the impression to a court that the risks identified should be guarded against. The other problem with this approach is it creates divergence between an organisations objects and its RM. Courts are not there to rank risks for organisation. In this form of CRAP. This phrase was first coined by John Adams. As those breaches occur the policies and procedures then become the basis for showing a breach of the “standard of care”. In terms of decision process for a Judge to do so would be like one doctor attempting to second guess another doctor‟s diagnosis based in an MRI Scan by using a CT scan. courts are not going to do it for them. as something to be ranked. This is the essence of litigation risk management. while still complying with the law. Conspiratorial Risk Aversion Policy (CRAP2). If an organisation has not ranked its own risks and set a risk appetite. the House of Lords decided on a lower “standard of care” than the council itself proposed to exercise. If an organisation becomes risk averse then this will simply encourage a court to reflect this risk aversion in its decision making. If there is clarity of what the objectives of an organization are and clear assessment. but generally as something that is above your risk appetite. the school may be found liable because it failed to follow its own “standard of care”.

Form a litigation team for handle claims with roles clearly defined. the plaintiff. Winning in court requires effort. 5. translate into effective evidence for court.uk advertisement feature . Organisations need to be able to deliver a message on risk loud and clear in a courtroom.2. Often a message on risk cannot be communicated as processes have not been put in place to recall what an organisations‟ attitude to risk was at any given time in the past. If you don‟t. Communicating in court is not a straightforward process for organizations. 11.mcgahan@mckinty-wright. Too often it is assumed that the processes of health and safety investigations. Often they don‟t. Upon resolution of a claim. “The harder I work the luckier I get. then there may be little logic to the selection of claims to accept and claims to reject. There are health and safety absolutes and other issues that involve balancing risk and opportunity.co. Lawyers cannotgive evidence and so cannot be the voice of an organisation at a trial. Most organisation have little or no voice that can be channelled into a trial process. You will then be able to speak to a court in language it can hear and understand. 9. 8. Check that your organisation has the ability to capture events as they occur in a manner that will not be counter-productive in court. They sit inthe witness box and can actually speak passionately to a Judge. Trials are designed to allow individual personalities a voice. to ensure that no unit or individual in an organisation comes away from participation in dealing with a claim with the wrong lessons learnt. 7. 4. 3. An individual starts with an advantage over organisations as a result. Align objectives for defending claims with business goal otherwise your claimshandlers may adopt an approach to claims that creates risks to your objectives. They can also recall evidence from memory or simply make evidence up. 
If you have not thought about litigation risk management before now then think about it. Debriefing should be held regularly. Translate your message on risk into language that the law can understand. Without the voice of a witness in the first place they can do very little. Create a voice for your organisation. 10. Do not allow your health and safety practices to diverge from the risk tolerance set for an organisation. The system by which evidence is introduced to Judges ina trial grew up before you had large corporate organizations. Failure to do can foster CRAP RM. such as route cause analysis. record all lessons learned by applying a managed approach to ligitation in a systemised way so that lessons are learned and the litigation capability of your organisation can improve over time. Witnesses are called by lawyers to give evidence in a witness box.” SEAN McGAHAN LLB CIRM is head of Litigation Risk Management at McKinty & Wright Solicitors Direct Dial 02890412820 E-mail: sean. To quote Samual Goldwyn. Get a memory for the organisation. Use your risk appetite as a means of determining which claims you will fight. This can be done without undermining the risk process and makes the process court friendly. rather than having a silo mentality 6. If you don‟t your message may be misunderstood by a court. In most litigation you are sued by an individual personality.

Equally. it is too easy to look solely to previous results to predict what might happen in coming years. however. children commonly tend to be more open to new ideas and concepts than adults. for their entire life. Change is therefore never predictable and the past is not always a good guide to the future. This approach to management is becoming increasingly discredited. British Petroleum‟s clever rebranding as „beyond petroleum‟ and Apple Computing‟s product extension into mobile entertainment and communication devices are but two cases that illustrate this trend. Yet one day a black swan might cross their path. So is this a good thing. Two further examples illustrate this apparent lack of predictability. and what relevance does it hold for the management of business risk? It is true that many musical artistes produce their best work in their early years – at a time when they can both look back to experiences but also forward to an unknown but exciting future. exciting and shiny world with fresh experiences around every corner. such changes are introducing quantum shifts in the world in which we live. For children. completely counter to all their experience. possibly even more dramatically. the future is a new. a warming planet or global terrorism. Whether it be the risks and possibilities posed by social networking technology. Imagine someone who. In business. technological innovation tends to be driven by the young in a way where experience and education can be married to openness about what possibilities the future might allow.Foreword: managing the future As adults. Today‟s successful business managers therefore have to be as open to the risks and possibilities of the future as they are to the experiences of the past. So called „black swan syndrome‟ is becoming an increasingly important issue in this. Therefore. had only seen white swans: it would be natural for that person to predict that the world might only contain white swans. 
our approach to dealing with future events tends to draw strongly on our past. . the information age.

In New Zealand, the colonists tried to create a brave new world of opportunity in the image of the one they had left behind in Europe. Rabbits shipped in as a source of food ran rampant in the absence of natural predators and diseases. Stoats, brought in to deal with the rabbits, instead turned their attention to local ground-nesting birds, helping to drive several species to extinction. Today, most of New Zealand’s native species are gone.

In eastern Germany, the incidence of childhood asthma, once lower than that in the west, is now at the same level as that of western Germany. The reason? Following German unification, cleaning materials hitherto unavailable in the east became available, but this improved sterilization had the effect of making children more susceptible to developing asthma because their immune systems were not fighting infection to the extent they had before.

Such unintended consequences of actions provide invaluable case studies of how adverse effects can flow from actions taken to mitigate completely different risks, as in the two examples above: the risk of hunger (in the case of New Zealand) and infection (in East Germany).

A risk-free world is impossible to achieve; neither is it desirable. The greatest risk for any individual or business is to seek a completely safe and benign world and so miss the very opportunities that should be staring us in the face. Safety is found partly in experience, but also in learning to live with and exploit the risks around us. There are no simple rules to getting this right, but businesses can aid their survival and growth by:

• placing a high premium on sustainability, thus developing organizational flexibility;
• cultivating people networks and hence a broader understanding of both the nature and scope of likely changes in social, political, geographical and technological factors;
• conducting scenario analysis within our approach to strategic planning, with as much attention given to the side effects of internally or externally driven change as to intentions;
• building resilience and safety nets, through governance, insurance and strong human-resources and stakeholder-engagement strategies;
• understanding, but not being diverted by, media bias that might induce us to focus on any one element of risk to the exclusion of all others, using our own ‘risk radar’ to determine who, as well as what, to believe;
• using one of the many commonly available risk management standards, such as that available to download for free from www.theirm.org.

The message therefore is loud and clear. Management of risk and reward is an integral part of good corporate strategy. Indeed, in a worldwide survey of 400 senior executives carried out late in 2006 by a major global consultancy, ‘managing risk’ ranked first out of 10 current business issues for those surveyed. Effective risk management is fundamental for business performance. It needs skills and experience to execute well, and education and training to facilitate this is available from a range of organizations across the world.

This book provides a range of insights into this immensely broad, fascinating and vital subject.

Steve Fowler
Chief Executive
The Institute of Risk Management


Advertisement feature

Enterprise Risk Management Framework

I think of risks as being threats to achieving your overall objectives, whatever they may be. For example a pedestrian faces the threat of being knocked down by a car when he crosses a road. He may well cross the road safely without checking the traffic, but he has a far greater likelihood of success if he first looks left and right to check whether cars are coming. Similarly, if a business ploughs ahead trying to achieve its objectives without considering possible disruptions, it may well succeed. However, over time, it will be more likely to succeed if management understands what could go wrong and what steps can be taken to minimise the probability of this occurring.

An enterprise risk management framework (ERM) is a process that enables the management of a business to understand all the risks it faces, quantify them, assess the adequacy of controls and report on the current risk profile of the business. The premise is that a greater understanding of the risks facing a business significantly increases the probability of meeting their overall objectives. The knowledge also enables the management team to better decide which avenues of business it should explore as it will have a much better understanding of the risk/reward profile.

In many ways the key principles of an ERM framework are being utilised by many businesses and managers almost without thinking. The difference that a framework adds is that it ensures that all key managers are thinking of risks in a similar way and that the business itself has a higher chance of concentrating on the key issues that may prevent it from achieving its objectives. The benefits to the business therefore improve as the business gets larger.

Any risk framework should provide value to the business by enhancing the likelihood of the business meeting its objectives. A key measure of a successful business is whether the ERM framework being used on a day to day basis is actually helping the business meet its overall objectives and whether there are measurement tools in place to evaluate the ERM framework's effectiveness.

Simple ERM Framework

As I have mentioned before, the success of any framework depends on how it is utilised by the management team. Therefore, it is essential that the framework is tailored to the size of the business. For example the scale and complexity of a framework used by a large multinational financial institution will be different from that used by a small start-up business with fewer than 10 employees. A framework that is so complex and time consuming to operate actually becomes a risk to the business itself.

However regardless of the size of the business an ERM framework should involve some basic principles and cover key information such as the key risks facing a business and who owns them. I would summarise these key principles as follows:

1. It is essential that a risk management framework cover all the risks facing the business as opposed to concentrating on a selection of risk types. It is best to do this in a structured way and consider all the threats to success both internal and external. Be mindful of the size of the organisation and try and group risks into natural risk types that fit the business.

2. Owners should be identified for each risk facing the business. It may be that only one or two individuals own the risks given the size of the business. But in practice I would expect the risks to be shared out amongst the managing director’s senior leadership team. My suggestion is to allocate ownership of a risk to the individual who is managing it on a day-to-day basis rather than simply lump everything with the managing director.

3. Assess the impact of each risk crystallising on the business. This can be done in a number of ways, assessing either the financial cost or damage to your reputation. The key is that the impact is linked to overall targets and objectives of the business and that each risk is judged in a consistent manner.

4. Consider the likelihood of the risks occurring. This assessment should ensure that the business has a clear idea of its top risks that may impact the business. How often you do this depends on the size and complexity of the business. For example a medium sized business in a relatively stable market may decide that quarterly is sufficient for its needs whereas a large multinational may decide monthly updates are required. The key is that you decide how often completing the exercise would add value to the business (e.g. annually, quarterly or monthly) rather than arbitrarily deciding on a timeframe. Management are best placed to decide.

5. Identify potential improvements to control the framework. As part of the consideration of each risk and the likelihood of it crystallising time should also be spent considering what additional actions should be taken to reduce the possibility further. This could take the form of introducing additional controls or strengthening the existing control framework.

6. Report the outputs of the findings to the appropriate management committee. Obviously this will depend on the structure of the business and it may well drive the timing of the updates. The reporting should also consider what the committee needs to know (e.g. that it is happy with a simple top 10 of key risks, does it wish to know what actions are being taken to reduce the likelihood of the risk crystallising and if these are on track, are they looking for a more comprehensive picture). Again, the overall management within the business will be able to give a strong steer on this.

Integrating into the Business

For the benefits of an ERM framework to be realised, the framework needs to be integrated into the day to day workings of the business. Otherwise there is a danger that the roll out of any framework will only provide some initial value to the business during the initial roll out but then sit in the cupboards of management gathering dust and not being used.

A useful way to start the embedding process is to link the outputs into the overall governance framework of the business. One way is to ensure that the latest risk hotspots are a standing agenda item at key management meetings. Another way would be to highlight the key risk mitigation actions being taken by the business to the relevant Board or Audit Committee meeting and providing comfort as to whether they are on track. This helps ensure that the overall reporting from the risk framework is tailored to the appropriate levels within the organisation and helps to embed the framework into the business (therefore significantly increasing the probability that it is used by the management as opposed to being a one off exercise that has some value which then fades away over time).

Finally it is essential to check that the data is being used by the business and is in an appropriate form. Ensuring the framework fits the size of the business is key here as, for the output to be useful, it needs to be up to date and relevant and therefore the business needs to be able to support the production of the required data. I would suggest treating the individual management team as customers in this regard. Their suggestions on frequency and format, what they find useful and superfluous are very helpful. Put simply they are more likely to use the framework to help them achieve their overall business goals if its output is in a straightforward format that they find easy to use. Remember the purpose of an ERM framework should be to add value to the business and help the business achieve its objectives. The presentation of the results is important to helping achieve this.

The other major driver to help ensure the framework is embedded within the organisation is to ensure the credibility of the data within the framework. Key to this is to assess the risks and their likelihood of occurring consistently and ensure that everyone fully understands the impact of the risk crystallising. There is a danger that if this is not done then the outputs of the framework will be skewed in one direction or another and when presenting to a formal management team the key messages will be lost. Consideration at the start as to what is the appropriate level of detail required is important but all data should be independently reviewed to ensure that it is sensible and credible.

The benefits of ensuring the framework fits the size of the business are key here as there is a danger that the risk manager, or whoever is responsible for rolling out the framework, will simply become drowned in the amount of data provided. The result being that instead of analysing the output, identifying emerging risks and making suggestions on how to resolve these risks, the risk manager simply regurgitates existing information in a slightly different way to the management team thereby severely diluting the value of the framework. A potential way to resolve this is to ensure the risk manager has regular meetings with the key owners of the group, either in a workshop form or a standing meeting, to discuss what they see as the key risks and compare these to the results of the overall framework. If this is done successfully and regularly across the business then the threats to objectives may be identified far earlier than would otherwise be the case therefore helping the business go on the front foot rather than react to events.

Summary

The benefits of an enterprise risk framework are that it should significantly increase the probability of a business achieving its objectives. To do this the framework needs to fit the size of the business, link into the overall governance of the business and present the output in such a way that they easily add value to the business.

Contributors’ notes

Eric Achour holds an MSc in computer sciences from Paris Dauphine and Paris VI University, and an MBA degree from the HEC School of Management. Eric has nearly 20 years experience in management consulting and services companies. As a senior consultant at McKinsey, and as a partner for CDC Peat Marwick, he has worked for a large range of clients in a wide variety of sectors, specializing in consumer goods and retail. He has also held senior management positions at ACNielsen in France (Market Research consulting and services) and at corporate level. He is currently Managing Director of Novagraaf in France.

William E Bird is a founder partner of the IP law firm Bird Goën & Co, a tutor of CEIPI and a lecturer at the Vlerick School of Management. He is a European, British and German patent and trademark attorney. During the last 20 years he has worked as both a corporate and a private practice patent and trademark attorney in Germany and Belgium. He has expertise in both common law and codified legal systems, in IP law, technology transfer, IP licensing and setting up of spin-off companies.

Andrew Birch started his first business when he was 19 and moved into software in 1989. He established Symbiant in 1999 with the aim of providing affordable web solutions for small businesses. The company now has a client base of over 20,000, which includes some of the world’s biggest companies and major financial institutions.

David Breden is Managing Director of HSBC Operational Risk Consultancy and the architect of OpRisk Modeller, a scenario-based commercial risk-mapping tool developed by HSBC to meet the needs of the Basel II AMA quantification requirements. He has been involved in operational risk management since 1995 and is a director and fellow of the Institute of Operational Risk.

Emma Brooks is senior procurement specialist at the Chartered Institute of Purchasing & Supply (CIPS).

The Centre for Effective Dispute Resolution (CEDR) is the thought-leader for dispute resolution in Europe and an internationally acclaimed trainer in mediation and conflict management skills. An independent non-profit organization supported by multinational business and leading professional bodies, CEDR’s mission is to encourage and develop mediation and other cost-effective dispute resolution and prevention techniques in commercial and public-sector disputes.

Robert Chapman has supplied risk management services to over 40 companies, has provided services in Ireland, Holland, Denmark, France and Dubai, as well as the UK, and has published two books on the subject of risk management as well as numerous journal articles and papers. He holds a PhD in risk management.

The Chartered Institute of Management Accounting (CIMA) is the only international chartered accountancy body with a sole focus on business. It is a world-leading professional institute that offers an internationally recognized qualification in management accounting, focusing on accounting in business in both the private and public sectors. It is the voice of over 158,000 students and members in 161 countries. According to independent research conducted by the University of Bath School of Management, CIMA’s syllabus and examination structure are the most relevant to the needs of business of all the accounting bodies assessed. CIMA was nominated as a UK superbrand for a second year running in 2007.

The Chartered Institute of Purchasing & Supply (CIPS) is the leading international body representing purchasing and supply management professionals. It is the worldwide centre of excellence on purchasing and supply management issues. CIPS has approximately 44,000 members in 134 different countries. The activities of purchasing and supply chain professionals can have a major impact on the profitability and efficiency of all types of organization.

Arnie Clarke is a European patent attorney and senior associate at Gill Jennings & Every LLP. He works in the life sciences department and has considerable experience of drafting patent attorneys’ reports for IP due diligence exercises in this area.

Commercial Security International Ltd (CSi) is a London-based company providing discreet and professional investigation and corporate security solutions for companies, institutions, governments and private individuals, including senior business people, high-ranking civil servants and leading academics.

Control Risks is an international business risk consultancy whose aim is to enable clients to take risks and accelerate opportunities in hostile and complex business environments. Since its foundation in 1975, Control Risks has worked in more than 150 countries for more than 5,300 clients, including 86 of the US Fortune Top 100 companies. It offers a range of integrated political risk, security, investigative, reputational and forensic services to corporate, government and non-profit clients worldwide.

Corfin Communications specializes in media, corporate and financial public relations, crisis management, merger and acquisition (M&A), independent public offering (IPO) and general reputation management, and campaigns of sustained media coverage around the financial calendar. The firm delivers a high level of contacts, inside knowledge of how news organizations work, together with a long-term and direct experience of senior business and financial journalism.

William Cullum is Director of Corfin Communications and a very seasoned adviser. He joined the public relations (PR) industry in 1999 and over the last eight years has worked with businesses large and small on a variety of issues ranging from conventional financial calendar work to multimillion-dollar mergers and acquisitions through to highly sensitive corporate change and restructuring activities. Prior to joining the PR industry, William was a top-ten-rated investment analyst.

Nicki Dennis is a publishing and information consultant to BSI Global.

James Dickson Leach is a risk consultant with HSBC Operational Risk Consultancy (HORC), where his main focus is on the quantification of risk. He has been working on the recent qualitative upgrade to HORC’s software tool for modelling and combining different risks. James graduated with a first-class honours Masters degree in physics with astrophysics from the University of Bristol.

Ian Drewer is now a consultant, having held senior risk management appointments in the pharmaceutical, telecommunications and transport and leisure sectors. A former chairman of AIRMIC, he is the author of various articles and other published material on commercial and industrial risk management and insurance subjects. Ian Drewer holds a Master of Science degree and is a fellow of the Chartered Insurance Institute of Risk Management. He is also a designated member of the Chartered Institute of Arbitrators and of the Institution of Fire Engineers.

Mark Elkins is the Head of Strategy for financial services, SAS UK. His role involves working with the financial services sales and alliance teams to define the strategic direction of SAS in the UK financial sector. Mark’s responsibilities are to raise the awareness and understanding of SAS’ solutions in the financial services market and to develop the role of SAS as a thought leader in the space. He has more than 20 years’ experience in the financial services industry, beginning his career as a retail bank manager. Since then he has worked in a marketing capacity for various technology and banking organizations including Lucent Technologies, Telewest Communications, Logica and HSBC. His most recent role was with Market-Smart Ltd as director developing strategies and marketing programmes targeting the financial services sector. Mark has an MBA from Southampton University Management School.


Advertisement feature

Insurance Valuation and Risk Management

Directors of a company have a duty to shareholders to ensure that their company’s assets are adequately insured, and can be prompted into seeking a valuation for a number of reasons. It could be that their insurance broker found discomfort with the existing cover, or that the company has suffered a fire or other damage which has alerted them to the fact that they are under insured (either because they didn’t get a full pay out or that the amounts didn’t add up when studied after the incident). Equally, they may have constructed a new factory, building or installed a plant and been surprised at the cost, which has forced the company to consider everything else they own.

Whichever way they have reached this stage, the client will sit down with a broker or other adviser and between them decide to have a professional valuation. The client will then act on a recommendation from either the broker or a third party as to who should undertake this work.

Frequently, companies make the mistake of consulting one of the big name Chartered Surveyors. Whilst their firms handle general property matters and may be skilled at valuing for market purposes or undertaking other building-related works such as lease renewals or rates discussions, it should not be assumed that they have the capability to deal with insurance valuations. It is essential to consult a practice that predominantly carries out insurance valuations and is conversant with the type of assets relating to the business.

It is also imperative that the firm chosen should not only be an expert in their particular asset base and able to value the contents as well as the buildings, but be capable of working in the geographical areas covered by the insured business assets. This leads to another fundamental difference, as a traditional Chartered Surveyors practice is usually centred on location, whereas an insurance valuation practice divides its work by specialisation. A firm based in Cambridge is most likely to do work in and around the Cambridge area. For example, during 2007, leading UK insurance valuers Rushton International travelled to most countries in the EU, and further afield to places such as the US, Pakistan and Bangladesh.

Once the client selects who he or she considers to be a competent valuer, it is necessary to agree a fee, normally on a fixed price basis. In the case of valuing buildings, the process involves surveying the assets to assess what they are made of in addition to sizes and general construction details. From this information, the surveyor is able to calculate the reinstatement costs of those assets on a like-for-like basis rather than with substitute materials. For instance, a roof made out of a specific tile or slate might be much more expensive to put back than a substitute manmade equivalent. Listed buildings often have very strict requirements as many have to be reinstated in exactly the same form.

There are also local authority requirements to consider and a wealth of health and safety issues. It may be necessary to fit fire alarms or detectors in buildings that had previously failed to install them, or indeed accommodate wheelchair access into an either fully or partially destroyed property that had originally lacked these provisions. But while a property can often be built to a higher standard than before it was burnt down, rebuilding a property in a better way is a whole new matter. If an improvement is made, then the client has to foot the bill.

There are plenty of other anomalies for a client to be aware of, very often down to the materials used. Buildings containing a great deal of steelwork have recently been susceptible to radical price fluctuations as the value of this metal can swing by the day. Currently, China is the world’s primary consumer of steel and its guzzling dictates this volatile market, but international events can also have a profound effect. Metal prices in general rose sharply a couple of years ago owing to world capacity not being able to keep up with demand. The combination of soaring metal prices and the downfall of the dollar led the US government at the end of last year to increase the penalties for melting down pennies and nickels for their copper and zinc content as a deterrent. While, only this year it was discovered that millions of Indian coins were being smuggled into Bangladesh and melted down to make razors, with one rupee accounting for 35 rupees when made into five to seven blades. Bearing in mind these unpredictable international news stories and their impact on the market, obtaining an accurate valuation is a complicated process and requires a knowledgeable practice to undertake it.

The principle of valuing contents for insurance purposes differs very little from that of buildings. Again clients can’t insure for betterment, but this isn't always so straightforward given advances in technology. Contrary to popular belief, plant & machinery valuations don’t merely involve making lists and looking up prices in a catalogue, as there are still the same issues as buildings regarding health and safety and installation costs.

Putting all this information into practice, the valuer will do what is termed in the industry as a ‘day one’ valuation. The valuer will envisage the whole factory and all its machinery being rebuilt on that one day and reach a figure. It is at this point that two things have to be considered. Firstly, an insurance policy as a rule is for a 12 month period, and although the valuer is assessing the assets on day one, he or she would need to have a view to what it would cost in just under a year’s time in case a fire or other disaster strikes on the last day of the policy. Secondly, even the most efficient of builders couldn’t put a factory up in a day, so it is also necessary to consider the period of rebuilding. Forecasting what may occur to metal prices and indeed labour costs over the next two years while construction is underway, the valuer makes an informed decision on the replacement cost of the assets.

Rushton International thoroughly recommends that companies seek a professional valuation every three to four years depending on any changes in the asset profile. During the intervening years a “desk top” approach is recommended ensuring values are kept up to date but without the need for a return site visit.

Additionally, detailed knowledge is especially vital in the area of Fine Arts. Fine arts, of course, go way beyond pictures on the wall. Leaded glass windows, Grinling Gibbons fireplaces and, in one case, an entire boardroom lifted from the company's previous offices all fit under this particular umbrella. Even the most knowledgeable of insurance valuers call upon independent specialists to put a price on a piece of craftsmanship. Needless to say, the eyes and knowledge of an expert in this field can't be recommended more highly.

The best reason to consult a specialist valuation practice such as Rushton International is to avoid the perils of under insurance. Insurance valuation firm Rushton International employs a number of valuers that specialise in both plant & machinery and buildings and can offer many examples of asset miscalculation in the industry. The company has witnessed many jaw-dropping errors of judgement that could have cost businesses millions of pounds.

One recent case involved a well-known sports stadium that had just been rebuilt. This particular client of Rushton’s had been using inflation indexing as a means of assessing the business but the client’s broker had become increasingly concerned and suggested a professional valuation. Because of the high steel content in the structure, the overall value increased dramatically, so much so that the client queried it. But Rushton International could prove that the figures were indeed correct, saving the company a colossal sum should the stadium suffer major damage.

One potent example is a valuation performed on a Victorian mansion house, originally a private dwelling but now home to an independent school. The fine red-brick structure with stone mullion, towers and turrets was Grade II listed but the owners had mistakenly insured the building on a modern materials basis. Shockingly, the reinstatement cost was three times the price that they originally placed on the property and in the event of serious damage would have been disastrous.

More often than not companies will realise that they have significantly underinsured their business too late. This is especially true of large companies that own a number of factories in various locations. They may have had one of their locations flooded and will suddenly realise that they own a substantial amount of kit that is difficult to replace. Old machinery can go on doing the same jobs for years, but the cost of replacing it is likely to have increased dramatically. Equally the time taken to replace it, leading to a loss of revenue, also has to be taken into account.

Not entirely as damning, but surprising, is the number of businesses that over insure their properties and fritter away huge amounts of money on annual premiums. Rushton International’s encounter with an international manufacturer with plants worldwide is a particularly notable example. Huge overestimations for annual inflation and failure to allow for decommissioned plant meant that a reduction of approximately one third of the original sum was recommended, signifying a staggering drop in insurance premiums.

2007 provided the most telling reminder as to why correct insurance cover is vital to protect businesses. The devastating floods that blighted the north and west of the country earlier this year underlined the fact that insurance is not a luxury but a necessity. In addition to the 300% rise in homeowners frantically taking out policies when the water levels were rising, many companies were not prepared for the disaster. However, in many cases, this was not due to lack of insurance but to incorrect valuation of the business which augmented the length of time taken to access rebuilding funds. Had these companies sought a more detailed valuation of their assets then the process would have been much slicker and speedier. Or, if they had no insurance to start with, relying on handouts that have been too little too late.

Insurance valuing is a risky business on many levels. What is riskier still is for a business to believe that it has the capabilities to undertake such an assessment themselves. Some setbacks can be predicted, but all too often an unexpected disaster suddenly highlights the deficiencies in the valuation process. Essentially, insurance is only as good as the valuation placed on the assets covered in the policy. It is the responsibility of the business owner to do the right thing. With so many factors to consider, it is imperative that a company protects itself by choosing a specialist valuation practice to analyse the cost of its assets.

risk management and employee benefits organizations in the world. a division of Appleyards. the Americas. CONTRIBUTORS’ NOTES xlix • Ernst & Young is a global leader in professional services. HSBC Operational Risk Consultancy is a division of HSBC Insurance Brokers Limited. initially being responsible for marketing and planning its operations throughout the international network. the Asia-Pacific Region.000 risk advisory professionals provide services that help clients assess. Mike James joined LRQA in 1992. Peter Finnie is a European patent attorney and partner in the London-based firm of Gill Jennings & Every LLP. He has worked with UK and US banks. It is the only major insurance broker that forms part of a global banking group. In 1996. He has in-depth knowledge on various risk management processes and techniques. The core of his practice is represented by UK start-up companies. accountancy. He has extensive experience of enterprise risk management and project risk management. committed to restoring the public’s trust in professional services firms and in the quality of financial reporting. Dominic Healey is a consultant at Siemens Insight Consulting. quality and professionalism in providing a range of sophisticated services centred on its core competencies of auditing. for whom he advises on the development of IP strategies as an integral part of business planning and fund raising. one of the largest international insurance broking. improve and monitor their business risks. risk and business advice. Its 114. of which he is a certified risk practitioner.000 people in 140 countries pursue the highest level of integrity. transactions. R&D and infrastructure. He is a recommended patent attorney in the latest edition of the Legal 500. Scott leads the Strategies & Crisis group of UMU. From its network of member firms around the world. the Middle East and Africa. Dominic holds an MSc in risk management from the University of Southampton. 
including the Office of Government Commerce Management of Risk. helping organizations bring to life the futures they can shape and outperform the ones they can’t. and in 2000 also became responsible for . As members of the HSBC Group. UK Government departments and European organizations in technology. With a product and services portfolio that is unrivalled in the UK. no other company can do more to ensure clients’ operational availability. ICM Computer Group delivers optimum business availability in a way that is tailored to its customers’ needs through a unique combination of managed availability and business continuity services. Scott Hartop is a specialist in strategic risk. The UK firm Ernst & Young LLP is a member practice of Ernst & Young Global. HSBC Insurance Brokers Limited shares an international network with offices in countries and territories in Europe. Ernst & Young’s 14. he was appointed General Manager of LRQA UK. tax.

LOVEN aims to provide a personal service. Tim has edited the Journal of Brand Management. David was Training Development Manager responsible for designing. is co-author of Managing Corporate Reputations and Beyond Branding. he became Vice President of EMEA. after training and post-qualification experience in private practice and in industry. He has been a company director . is an IRCA-registered QMS lead auditor. Gillian Lees is one of CIMA’s technical specialists with a focus on corporate and enterprise governance. and is directly responsible for managing LRQA’s regional operations. developing and delivering bespoke client training packages. Keith Loven set up his own practice. with a Yellow Pages advertisement and fingers crossed. including risk management. clients did call and 18 years on he is still enjoying the diversity of the work. Fortunately. and with attorney contacts throughout the world. He is a qualified chartered accountant and has spent 10 years with KPMG in Chicago and London. Previously. In 2006. David Lawson is a management systems expert currently developing LRQA’s assessment approach for business assurance. LRQA delivers a broad range of integrated services. a tool designed to help boards to engage in strategic issues effectively. she has been heavily involved in the development of the CIMA Strategic Scorecard™. Tim Kitchin is a partner at corporate consultancy Glasshouse Partnership. David joined LRQA in 1991. Over the last couple of years or so. Through its business insurance methodology. Lloyds Register Quality Assurance (LRQA) is a member of Lloyd’s Register Group and is a leading provider of business assurance services. an EFQM Excellence Model assessor and a member of the CMI. Graham Massie is a director of CEDR (Centre for Effective Dispute Resolution) and a practising accredited mediator. including assessment and certification to international management systems standards and verification of environmental data and corporate reports. 
understanding the client’s business and seeking practical strategic business solutions for clients. and is a member of the Institute for Social and Ethical Accountability and ethical marketing think tank ‘The Media Group’. LOVEN Patents & Trademarks is a small firm with a spread of clients from SMEs and individuals to larger corporations in the UK and overseas. specializing in value-chain integrity and security. from patent drafting through to trademark disputes. Sean McGahan LLB CIRM is head of Litigation Risk Management at McKinty & Wright Solicitors. Alistair King is Technical Director of ICM Computer Group. Lloyds Register UK Industry and Lloyds Register Inspection.

Jacqueline Needle is a partner of Beck Greener and a graduate in electrical and electronic engineering. Thus. Bart is an experienced financial services. analysts and professional bodies to deliver the strategic direction of SAS in the UK risk sector. Newbury and Slough. with extensive experience of multinational corporate consultancy. Bristol. Bart’s role involves managing SAS’ UK risk practice. fraud and intellectual property investigations. and in Scotland. operational risk. with over 950 employees at Norland offices in London. Mike Osborne is Managing Director of Business Continuity at ICM Computer Group. in the United States and has established his own business consultancy practice. quality staff and quality service – Norland chooses to work with customers who accept no compromise in quality standards. Paul is also a regular speaker at international events and conferences in the communications industry where he has gained recognition for his original thinking on new media topics. market risk. Leeds. Paul Miller is a senior consultant at Cision. Birmingham. risk and technology professional. The business has grown to an annual turnover of £86 million on the foundation of high customer-retention rates. His remit covers credit risk. clients. Manchester. Norland Managed Services Ltd is the UK’s leading and fastest growing independent engineering services provider. including surveillance. Ed Mitchell is Senior Underwriter for Product Recall at XL Insurance. SAS UK. He has held a range of high profile roles in the past for some of the most respected software vendors operating in the financial services industry. and working with the market experts. a company specializing in all aspects of corporate security. Ed specializes in coverages for the food and drink sector and leads the Product Contaminated and Recall Insurance team at XL Insurance in London. fraud and compliance across all sectors. 
she is one of a handful of British patent attorneys who are able to undertake IP litigation in the English courts. enterprise risk management. anti-money laundering. Bart has an MBA and diploma in management from the Open University. Established in 1984 with three core principles that remain true today – quality customers. market abuse. . He has many years experience in product recall insurance both as an underwriter and broker. Bart Patrick is the Head of Risk Intelligence. Neil Miller is a director at CSi (Commercial Security International Ltd). Jacqueline has an LLM in advanced litigation and is a patent attorney litigator. In addition to providing support and consultative advice to our clients on their media communications strategy.


hotel owners and managers. • Maintaining the continuity of operations at all times. With so many guests and staff. IHG Introduction InterContinental Hotels Group (IHG) is the world's largest branded hotel group by number of rooms. • A young family is killed by fire caused by a discarded cigarette. • A contractor is killed on site while servicing the lifts. • An outbreak of Legionella forces the hotel to close. it follows that risk. and so much business and property. The Group owns a portfolio of well-recognised and respected hotel brands.775 guest rooms. The objectives and challenges of Risk Management in IHG The objective of Risk Management in IHG is to make ~ and keep ~ our hotels safe for all of our stakeholders. but also between types of hotels.650 hotels. but it does • A young child drowns in a pool. with more than 31 million members. Holiday Inn and Holiday Inn Express. • Mitigating the impact of serious incidents by careful planning and preparation. across so many cultures and time zones. lease or franchise over 3. • An employee is killed while working on electrical plant that was not insulated. in so many countries. and nearly dies. Global Risk Management.000 from the safe. • An employee runs back into a burning hotel to try to extinguish the fire. • An Internet child abuser uses a hotel room to ply his vice. This means: • Championing the proactive management of fire. Mid-scale hotels are more used to being part of clusters of units acting as one. One of the challenges we have is to achieve these objectives when operating in less well-developed countries. • Ensuring the Company can deal effectively with any crisis. • Providing swift and professional claims-handling and adjustment. where background legislation and standards are generally weaker than in more developed countries. Crowne Plaza.Managing hotel risk around the world John Ludlow. staff. are significant. 
and strong and effective risk management is fundamental to the success of each hotel and the group as a whole. Senior Vice President. So what specifically are we talking about? It shouldn’t happen to a hotel manager. . manage. guests. • The night manager takes £25. hospitalises guests and generates adverse publicity for the hotel and the brand. • A celebrity guest is arrested for the possession of drugs and resists arrest. • 50 guests fall seriously ill after a banquet. 543. including InterContinental. advertisement feature . especially fire. We also run the world’s largest hotel loyalty programme. is a major factor in the group’s day-to-day operation. too. We own. in nearly 100 countries and territories around the world. Priority Club Rewards. • Terrorists fire a rocket at the hotel. not just between regions and countries. H&S and security. . • Giving operators the confidence to focus on great customer service in the knowledge that they know how to handle a crisis. safety and security risks. Cultural differences.

• Establish and communicate roles and responsibilities rolling out ‘Best Practice’ procedures and guidelines. • Establish common ways of working that the whole operation understands and uses. to ensure that everyone in the IHG community does the right thing to protect the long-term interests of the majority of our stakeholders. • Give owners and investors confidence in our brand with a solid risk management programme that reduces perceived investment risk and enhances our growth. however. • Embed knowledge from top to bottom throughout the operation. is truly global. of risk financing.whereas large hotels more often act independently. • Build a system that is low cost to adopt and run. DISTINCTIVE • Apply custom-built strategies and methods across all risk groups to give an integrated risk strategy. and maximise the benefits. national and local. and shared tools and platforms. • Roll out comprehensive and inclusive training programmes. REPEATABLE • Use a systematic approach that can be rolled out across the estate but is adapted to meet differing regional and cultural needs. whom we rely on to adopt our good practices. and copes with all the geographical and cultural boundaries that are inherent in our business. • Carry out regular reviews and evaluation of progress throughout the estate. CONSISTENT • Provide common policies and standards that apply throughout the estate. • Provide evidence of our care and safety standards to persuade companies to choose our brands for their employees. Our strategy The IHG Risk Management team has developed a culture and approach in which we work and learn collaboratively. and may not readily agree to follow a corporate strategy. our control is much more limited with our franchisees. and the benefits of preparation. • Focus on the risk issues that apply to the hospitality industry and our business focus within that. international. 
and the benefits of linking risk planning with the Company’s Corporate Social Responsibility (CSR) strategies. Our other main challenge comes from our business model. • Address the operational impacts of hostile environments. • Minimise the financial impact. • Address the strategic impacts of risk. Clearly in the managed estate we can mandate how things are done. What we do in risk management has to meet four important criteria: RELEVANT • Meet legislative requirements.

systems. Figure 2 The Risk Groups and Operational Activity cogs. buildings. natural or man-made. Bringing the regional Risk Management teams together into a global team has proven to be a powerful and effective weapon in the battle to manage risk and meet our objectives and challenges: • The team of teams: The Risk Management function is now organised in a matrix. they say. processes. The different specialists work together in workgroups of related risks to ensure that all materials are understood and valid globally. Over time the assets change and their relative importance can reposition as the business evolves. . Figure 1 The impacts of risk Fourth: Take a common systematic approach We have developed a common systematic approach structured around risk groups and a system of operational risk mitigation activities. But this is NOT a complete strategy! Successful risk management establishes procedures to AVOID “stuff happening”. and reputations. and you must have procedures to react to events. . relationships. or of an accident or human error. can be wide-ranging and risk management must prepare for an array of potential impacts. that we have become one team across the world. we are stronger. Third: Understand the impacts you are trying to avoid or reduce “Stuff happens”. get back to business and compensate for loss and damage . Second: Identify the assets It is vital that we regularly refresh our understanding of what we are trying to protect. corporate risks and risk financing. future cash flows. Assets include guests. with three aligned regional teams supported by global teams dealing with global security issues.First: Build a global team Together. The impacts of a disaster. The regional and global teams are now so closely aligned and collaborate so freely. • Specialist knowledge: Team members are tasked with developing specialist knowledge in different risk areas and with sharing this knowledge globally.

learning tools and resources. and this demands great communication. In order to get the message across and to embed it deeply into everyone's daily working life. Each operational risk mitigation activity. • Communicate the policies and standards. Child and Staff Safety and Leisure. and develop supporting tools. we also assess them against a maturity matrix to evaluate how proactively they are managing their risks against a number of competencies. Hotel reviews and Area reviews provide feedback on progress and identify common issues and needs. However. It can deliver a single powerful and clear message. all-encompassing system with a value that is much greater than the sum of its parts. Fire Safety. and try to help people discover what really works by reflecting upon the impacts of poorly managed risk and by celebrating success stories. • Review: Reviews with operators are. only half the story. culminating in an assessment of the safety culture of the hotel. Each Risk Group must review and
like “It shouldn’t happen to a General Manager – but it does”. Key elements in the rollout are: • Communication: The team has developed the ability to communicate clear responsibilities and accountabilities to all stakeholders. and the ways of working. The operational activities function within a cycle in which we: • Identify and profile the risks for the business. represented by the Operational Activity cog. • Review and evaluate progress up the operational chain of command and update and improve our methods and our tools as necessary to meet changing risk demands and situations. • Address the issues of risk financing which normally take the form of insurance and claims. focus everyone on Crisis Management. through hands-on training. give them a structure and approach to use to become self-sufficient. to build the teams’ capabilities. the next task is to roll it out. Fifth: Roll out the strategy Once the system has been built. • Maturity matrix: Hotels are not just assessed for compliance to our standards. and a consistent risk management mindset in every hotel throughout the Company. We aim to celebrate success but we will also hold people to account if necessary. skills. A strong risk management culture is required. • Implement common ways of working. Food Safety. The result is a comprehensive. Guest. it is important that no one discipline is weaker than the others.Risk Groups. knowledge and leadership. It isn’t just about running a workshop and printing some handouts. passion and consistency of purpose. represented by the Risk Groups cog in Figure 2. We use story-telling. however.

• Risk assessments.report back centrally. awareness events and a suite of e-learning tools. so that we can all learn from our own and others’ experiences. The Fire Life Safety Calendar is one of the most successful. • Forms and documentation to help hotels record and monitor events. standards and guidelines. risk awareness posters. including: • Policies. • Many different kinds of training and promotional materials that can be used and reused in both workshop training sessions and on an individual basis. Sixth: Underpin the system with user-friendly tools The strategy is underpinned by tools that support the activities. crisis planning tools and tests. driving a proactive culture towards risk. Figure 3 Fire Life Safety Calendar Some of the reasons for the Calendar’s success are that it: . easy to use and readily accessible. These include ‘10 Minute Trainers’. tests. self-assessments and checklists. and it enables the hotel to co-ordinate all its risk management activities and training programmes. which are engaging. tools in IHG’s risk management armoury. and highly regarded. the Risk Management Action Plan. The calendar runs on the hotel’s departmental PCs and is linked to the Risk Management intranet. By doing this we are able to learn together and build balanced capability across the business. activities to run in the hotels. The Risk Management intranet contains a wealth of information to enable hotels to understand and manage their risks. checklists.

• The number of hotels using the system well. Some of the challenges remain. Reflects all brand standards and operating standards. including the awareness activities. We can measure success by: • The high take-up of our workshops (and of our Strategic Risk Management Training award). • The popularity of the Fire Life Safety Calendar. • The reduction in both claims and the cost of claims. • The number of hits on the Risk Management Intranet. checklists and self-assessments. Our strategy is working. and the training materials. • The ability of the teams to prevent very serious incidents becoming crises and the effective management of any that do. judged by the maturity of their use of it. • Addresses the needs of everyone in the hotel because it is managed by heads of departments. • The dramatic increase in the number of incidents being reported. But we have come a very. • Saves on the printing costs of wall charts. • Provides immediate access (via the intranet) to all the other tools and information that a hotel needs. • The reduction in our insurance premiums and the improvement in coverage negotiated. including extending our reach in less developed parts of the world and bringing our franchisees along with us. very long way. • Provides five languages in a single version (we have three Regional versions). Figure 4 One of a series of ‘10 Minute Trainers’ The strategy works! It is not hard to see the success of our strategy and methods. • Improved sales for IHG from corporate buyers and risk and security managers. However. we are not complacent. • The improvement in managing dynamic risks such as terrorism and organised crime. our team of teams and our common approach are a success and will only strengthen with time.

including Eastern Europe. technical experts and consultants from the industry. Fiona Sheridan is the leader of Ernst & Young’s Risk Advisory Services practice in London. Roy Ramm is Chairman of Commercial Security International Ltd (CSi) and a former Commander of Specialist Operations at New Scotland Yard. Intermediate and Senior Command Courses and the Federal Bureau of Investigation (FBI) National Academy Course in Quantico. smart cards. He has advised the United Nations. He has led a variety of consulting projects across sectors including . She is a chartered accountant with more than 14 years of experience in internal audit and risk management. fire and security. the Fraud Squad and the Firearms Response Units. James Smither joined Control Risks in 2000 and manages its global political risk consulting projects. and in Africa. electrical engineering. Allan Robinson is a natural scientist with expertise in the use of quantitative and qualitative techniques to support decision makers facing complex problems. holds an MBA with distinction from Ashridge and is a full member of the Institute of Incorporated Engineers (IIE). a division of Appleyards. Paul has qualifications in engineering. extortion. Roy has lectured extensively on law enforcement issues and is a regular and experienced contributor to the media on crime. From the development of policy. the Flying Squad. Virginia. He is a graduate of the Special. compliance. during his service he commanded the Serious and Organized Crimes Branch. and building management systems. Siemens Insight Consulting is the specialist security. the Russian Federation. a fellow of the Chartered Management Institute and a member of the BIFM. As a widely experienced career detective. crime and security-related issues. Roy was the Director of Scotland Yard’s Hostage Negotiators’ Training course and led the Hostage Response Team. 
including a period as a Business Risk Manager in a telecommunications company. business and finance. the United States. embedding and integrating risk and value management to ensure success. He has worked extensively in Europe. He is pioneering the reduction of risk in engineering services through a unique Critical Engineering and Risk Management (CERM) business model in collaboration with key account clients. he now leads the Project and Programme Risk group of UMU. training and managed security. national governments and police forces globally on policing. Her team of 100 risk and control professionals advise and assist companies and public sector bodies on how to understand and manage risk and assurance efficiently. Insight Consulting helps organizations to identify and manage risk in their IT operations. and also established the Met‟s Undercover Operations Unit. Asia and the Caribbean. Paul Saville-King is a Divisional Managing Director of the Critical Services Division for Norland Managed Services Limited. Paul has a robust background in all aspects of building services. After starting his career as a glaciologist with the British Antarctic Survey. terrorism and security related issues. continuity and identity management division of Siemens Enterprise Communications Limited. strategy and awareness through to the delivery of complete solutions comprising identity management.


• In 2007 a Global Survey by Ernst & Young concluded that ‘Improved Communication on Risk with Shareholders may Increase Share Price by Reducing the Risk Premium they otherwise impose’. This is probably due to regulation and. failing these two conditions you are inclined to ‘make-do’. This article shares some of the key findings: 2. via the Audit Commission. It may be that any Corporate Business still looking for a Risk Deployment Model could do worse than starting with a visit to their Local Council. since 2002. Stewart Business Services spoke with around 60 Finance Directors and Risk Managers in both Corporate Businesses and Local Authorities. Conversely. you invest in an RM System. There are undoubtedly benefits in adopting an RM System . . . you buy an RM System. We felt that if we better understood the difficulties Enterprises were having in deploying the RM Standards then maybe we could design an RM System that went an extra mile. 2. . We were at one point advised by a leading plc that “We have RM Policies and Strategies for the Annual Report but.1 In 2009 CPA will be replaced by CAA – Comprehensive Area Assessments. If the Auditors threaten to qualify your accounts. there is not much underneath”. there were major organisations that. 3. if you scratch the surface. although looking to deploy a Risk Management System. • With an RM process in place residual risks can be better defined and in so doing can create a platform to reduce multi-million pound Insurance Premiums or to reduce the capital tied up in Self Insurance Funds. particularly. .0 Risk Management should help to achieve Objectives This self evident truth was endorsed by just about every Risk Manager we spoke to yet. Known as Comprehensive Performance Assessment (CPA) Local Authorities are regularly scored against a set of criteria that denote ‘what good Risk management looks like’. 
This will require Local Authorities to work even more closely with their Key Partners to develop joint Local Area Agreements – incorporating improvement objectives – and thereafter to manage risk co-operatively. If you believe that Risk Management (RM) is the right thing to do. • Experience shows that employing RM considerations prior to any major project can produce insights that substantially improve the quality of the decision taken and the robustness of resulting actions.0 Corporate Business v Local Authorities Whilst the difficulties expressed within both groups were largely similar it was evidenced that the Local Authority population appeared to be slightly more advanced in the deployment of widespread (embedded) RM Processes. were unable to assess Risk

Subsequent analysis determined that only about 25 could impact their Objectives and were worthy of inclusion in their Risk Register. for a Risk Manager to arrange for the Key Executives to meet and agree a reasonably short list of Strategic Risks but rolling-out the process to include deeper organisational levels causes problems.against Departmental Objectives. from senior levels. This has the added advantage that serious problems are frequently caused not by a major Risk Event but by a collection of smaller yet simultaneous risks. there was a tendency for them to equate a Risk to a Threat rather than. then the Impact Scale on the Risk Matrix should be adjusted accordingly. Whether or not this formula transfers to all arenas is debatable.0 Capturing the Risks – Multiple Risk Registers This is an area where the make-do approach to Risk Management was in greatest evidence. and very satisfying. When placed into the Risk Matrix. It is comparatively simple. The better these smaller risks are managed. 4. the Impact of Risk also tends to lessen. The formula “Threat x Vulnerability = Risk” is quite commonly used and maybe is entirely suited to a Data Centre or Information Technology intensive operation – where hackers and constantly evolving viruses are a persistent menace. Whilst they had agreed a set of Corporate Goals there were no Objectives recording the contribution that individual departments were to make. 4. 5. 3. these Risks often fall into the Group of Risks that will be ‘Tolerated’ rather than ‘Treated’ (actively managed). This works well within a .0 Determination of the Risks to be Managed We discovered quite a few Risk Managers with a Military background and whilst this equips them with an admirable set of qualities for such a job. The time of the Risk Managers (and Senior Executives) can then be directed to moderating the Risks and Supporting the Objective Holders in executing the necessary Controls to diminish the chances of the Risk Occurring. 
for line managers.0 Embedding Risk Management This is the area where most enterprises were having difficulty.1 There are many Risks that can prevent an organisation from achieving its Objectives but probably the greatest is the failure to articulate what those Objectives are and to clearly communicate to each departmental team how they will contribute to the Objective’s accomplishment. simply ask the individual Objective Holders “What could stop you from achieving your Objectives”? They are the people with the greatest knowledge and it is highly likely that the Risk Register will fill quite quickly. therefore identifying a pertinent set of risks. 5. for example. It is frequently the case that the Risk Matrix (assessing the Impact against the Probability of the Risk) used to assess Risk at a Strategic Level is also used throughout the organisation. and the level of delegated authority reduces. Such an approach can cause an adverse reaction to the roll-out of RM as it is seen as generating additional work without any resultant action or support. However as the process rolls deeper into the organisation and the delegated authority levels become smaller.1 An alternative approach could be to recognise that – as RM moves deeper into the Organisation. at a detailed level. was rendered impossible.1 Consider an alternative approach. an accident or failure. We came across one Local Authority that cocooned a dozen or so of its most Senior Executives in a Risk Workshop for a whole day during which they used the formula to identify more than 300 theoretical Risks. The majority of persons we spoke to employ an RM System based on Microsoft Excel and Word. 6. This will lead to a full range of action outcomes being produced at every level of the organisation – thereby ensuring that even smaller risks are actively managed. the lesser the chance of a ‘collective risk event’.


tightly knit company (one with narrow geographical dispersal and short lines of communication). However, in larger companies, there is a tendency for the spreadsheets “to multiply and evolve as though they have a life of their own”.

6.1 The hours spent cutting and pasting risks from, often disparate, multiple Risk Registers in order to produce regular reports is one of the biggest frustrations of many Risk Managers. In this environment any short notice, ad hoc reports can cause major disruption and the results may be sub-optimal due to a lack of common risk recording standards. Whatever medium you choose to record your risks, some form of ongoing central management of the Risk Format will pay dividends in the longer term.

7.0 Types of Risk esp. Strategic and Reputational

Most companies have a range of risks headings that are appropriate to their business (e.g. Financial, Legislative, Competitive) however the risk-type that creates the most discussion is ‘Strategic’. Strategic Risk is frequently confused with either a Large Risk or a Long Term Risk. The author would contend that a Strategic Risk should be one that adversely impacts any of the Competitive Advantages or Major Assumptions on which the enterprise has based its Corporate Plan. Whilst such Strategic Risks may often be large, Large Risks are not necessarily Strategic. Strategic Risks may also have a Long Term Impact but they can occur, and should be managed, at any point in time that they arise.

7.1 Strategy is the remit of the Executive Team and, if they fully consider the relevant risks when developing Strategic Plans and Determining Corporate Objectives then, in normal conditions, everything impacting any subsidiary Objective should be an Operational Risk. However no plan is perfect and all levels of personnel should be able to ‘blow the whistle’ if they are in any doubt that they have identified a Strategic Risk. Such an approach can also be applied to Reputational Risks. This is because although some Reputational Risks are clear cut – like anything relating to Child Abuse – any market facing risk, if badly handled, has the potential to cause a reputational impact. Some such risks however, are clearly more Tabloid-Worthy than others; these risks need to be advised to your PR departments in order that they may develop appropriate media management plans.

8.0 RM relationship with Business Continuity Systems

When given a choice between an RM system and a Business Continuity (BC) System, it seems that the BC system is easier to justify. This is because, whilst many business cases exist on the benefits of rapid recovery from disruptive events, it is impossible to prove that an RM system is the reason that no disruptive events were experienced. However closer inspection of the RM standards and the latest BC dictum from British Standards (BS25999) shows that there are more similarities than differences between the two processes. The chief differences are that RM assesses Risk against Impact and Probability whilst BC also factors in Time and that RM plans for pre-event Mitigation whilst BC plans for post event Recovery.

8.1 Integrating the two processes has several advantages. Firstly it eases the financial justification for the System and reduces the overall expenditure incurred. Secondly, including RM lessens the likelihood that BC plans will need to be deployed. Thirdly it supports the BC Managers by using the RM process to identify potential BC risks from every Objective Holder in the enterprise. Finally by encouraging each manager to consider whether or not a risk, to their individual objectives, could also impact a Key Business Process is likely to lead to a greater sense of Teaming and shared responsibility.


9.0 Substantiating Control Measures – Following up Actions

At the heart of how well RM works are the Control Measures deployed. Such measures need to be well designed and properly executed. It is best practice if these Control Measures are subject to Audit – either by a formal internal team or by the Senior Risk Managers. Clearly any Audit may give rise to improvement actions to add to those already identified by the line management teams. Following up such actions is one of the greatest problems cited by Risk Managers as they have no direct line responsibility and, as RM is further embedded, the span of control becomes increasingly difficult. Frequently Risk Managers try to overcome these difficulties by using Workshops in order to isolate groups of managers from their “day jobs” in order to focus on Risk Issues.

9.1 One concern with the Workshop Approach is that RM is an imperative part of the “day job”. As such it needs to be managed within a process that allows this. One Risk Manager described such Workshops as ‘like Groundhog Day’ – the same people meeting regularly to discuss the same issues and agreeing the same actions, but nothing ever changing.

10.0 Conclusion

As well as MIMS RM, from Stewart Business Software, there are many other good systems available from independent suppliers. Evidently, if such a process starts by assessing Risks against individual objectives (at all levels of the Organisation), incorporates Process Continuity, includes Risk Based Internal Auditing and helps to assure action-follow up designed to bring about Continual Improvement then, such an RM process clearly underpins and demonstrates Good Corporate Governance and surely warrants prioritisation for Investment. We trust that, by sharing our insights, we have given you some assistance in making your selection and in building your business justification.

Article Contributed by Kelly Lehmann, General Manager Stewart Business Software. E: kelly@stewart-software.co.uk W: 01295 712955 M: 079 1025 4288

CONTRIBUTORS’ NOTES

energy, pharmaceuticals, mining and defence. An African specialist, he has had articles published on regional and country-specific risks, business security and human rights, is regularly interviewed by journalists on business risk development in Africa, and has appeared several times on BBC World Services radio to provide regional expertise.

Jean-Louis Somnier is an engineering graduate of the Ecole Nationale Supérieure de Techniques Avancées (ENSTA), Ingénieur du Génie Maritime, Ingénieur de l’Armement®. Furthermore, he is a qualified French and European patent and trademark attorney, and holds a degree of the International Institute of Industrial Property Law (CEIPI). Jean-Louis has 16 years experience in industry as an engineer and operational manager and 19 years as a patent attorney, including seven years as Managing Director of Novagraaf Technologies. He also teaches IP strategy classes at universities and secondary technical schools.

Strategic Risk Partnerships Ltd (SRP) specializes in the design, development, implementation and management of insurance and risk management (including corporate governance) programmes for industrial and commercial clients, and has developed bespoke products in areas such as supply chain management. SRP provides consultancy and operational services as support for in-house risk management units and/or as a wholly outsourced facility, according to client preference.

SunGard Availability Services is the pioneer and leading provider of Information Availability services, helping to ensure that nearly 10,000 clients worldwide have access to their business-critical information systems. Having supported more than 2,500 invocations over the past four decades with 100 per cent success, SunGard has an unrivalled track record in the industry.

Keith Tilley is Managing Director and Senior Vice President Europe of SunGard Availability Services (UK) Limited. He is responsible for the company’s profitability and all aspects of sales, marketing, delivery and development. Keith joined SunGard in November 2001 when it acquired Comdisco. A well-known industry figure, he has over 30 years of business expertise and is widely quoted on information availability issues in the press.

Lee Tricker is Director of Thomas Miller Risk Management (UK) Ltd (TMRM). Part of the Thomas Miller group of companies, TMRM is an independent risk management consultancy that provides objective advice to public and private sector clients in respect of risk management, risk identification and assessment, loss control and risk financing (including captive insurance company feasibility studies).

The XL Group offers a broad portfolio of high-quality insurance products and related services, including property, casualty, professional and specialty coverage. XL Insurance Group’s companies help leading industrial and commercial businesses manage their risks by providing comprehensive, cost-effective and integrated solutions. The Group is committed to five key values: ethics, teamwork, excellence, development and respect.


Health & Safety Risk Management
John Stevens, Managing Director, Risk Frisk Ltd

Health & Safety needs to step out from the shadows and become a strategic business facing corporate function.

Running any enterprise will always involve risk – commercial, financial, operational risks etc., and the key to maximising the opportunities for the enterprise from any new initiative, which involves 'taking a risk', must be balanced by the minimisation of risks wherever possible, but not to the extent that the new initiative is stifled or controlled to such a degree that any opportunity is reduced. The process should take a risk-based approach to the balancing of risk minimisation versus opportunity management and not a risk averse legally compliant approach.

The emerging method for managing the organisation’s ‘total’ risks is “enterprise risk management”, sometimes called enterprise-wide risk management. The health & safety (H&S) professional needs to embrace enterprise wide risk management to ensure that their input is framed using the ‘correct’ language, is risk-based, business focused, commercially relevant and integrated with organisational policies and systems. Without this approach H&S risks will not become an enterprise wide process.

We use the term “Health & Safety Risk Management” because we believe that the risks to be managed or supported by the H&S function are much broader than typical H&S activities at a tactical and operational level. The H&S function can make an enhanced contribution to the organisation’s overall management of risk if it looks both outward and inward from its current position and contribution.

In a UK context the introduction of the Corporate Manslaughter and Homicide Act in April 2008 will require organisations to identify ‘how’ they are creating risks and identify any current or potential ‘management failures’ that could lead to a death of a person to whom the organisation owes a duty of care. Whilst no ‘new’ regulations are introduced by the Act, it is clear that organisations will have to look afresh at the way they manage their H&S risks at strategic, tactical and operational levels.

Any management system for managing H&S risks needs to be business focused and commercially relevant, appropriate to an enterprise but at a minimum legal requirements must be taken into account. The H&S professional therefore must have the professional and personal skills and competencies to make a strong and valid business case for an appropriate level of resources and not just using legal compliance arguments. Making a case on the basis of legal compliance alone is unlikely to establish a valid business case, but many H&S professionals still believe that the legal compliance argument is all that is needed. By changing to a risk based approach, H&S professionals will be able to enhance their contribution, be increasingly seen as organisationally relevant and make a significant contribution to organisational development and the achievement of the organisation’s strategy and objectives.

Enterprise-wide fleet risk management

Enterprise Risk Management (ERM) looks at risks that can occur right across the enterprise. By adopting effective ERM tools and techniques, organisations and in particular H&S professionals, can help to improve the management of the business and business performance. These two factors are key to the achievement of the organisation’s strategy, goals and objectives. An essential element of the ERM process is to ensure that the identified risks and their control processes are closely monitored.

The best way to build a strong business argument is to use a process that identifies how the enterprise is creating H&S risks and evaluating the implications of those risks. This will enable a case to be made as to how the risks could be better managed to benefit the business and as a consequence all stakeholders.

Our approach was developed using a combined total of over 100 years of international experience in the development and implementation of H&S, fleet, fire, manufacturing processes and business continuity risk management systems. It was developed in response to the need for a process with a business wide focus that is comprehensive, commercially relevant and risk based. This approach has been used successfully for over 15 years. A model shows the key points:

In order for H&S professionals to make a more effective contribution, they need to build a strong justification for their involvement at a strategic level. It is clear that where H&S professionals operate at a strategic level within the organisation’s strategic, business and operational processes, with a cross-functional remit, they are ideally placed to make a significant and effective contribution to enterprise wide risk management. However, H&S risks are not fully taken into account during typical ‘insurance/financial’ focused business risk management processes.

The management of risk is a vital part of managing any organisation. Risk management succeeds or fails based on altering managers’ and employees’ perceptions, attitudes, behaviour and performance with regard to risk. Success will depend on effective training, performance management, reward and sanction systems and developing work practices and procedures that limit human error, increase job satisfaction and reduce stress. The above mechanisms are cross-functional and interrelated hence the need for the H&S professional's involvement at the strategic level.

It is clear that if an ERM programme is based on meaningful risk decisions, rather than merely making decisions on an arbitrary cost basis, then many losses could be foreseen and preventive actions taken. So-called high-level ‘cost only’ decision-making is symptomatic of many board decisions taken without much thought for the risk side of the equation. However, an ERM programme should highlight the importance of risk assessments to the board/senior management and ensure that both cost and risk are taken into account when management decisions are taken and implemented.

An ERM programme helps to elevate the profile of H&S within an organisation’s corporate governance

(CG) and corporate social responsibility (CSR) systems and identifies the need for the ‘safety net’ to be extended to include all potential organisational stakeholders e.g. customers and a supply chain, or client organisations. This gives the H&S professional an increasingly important role to play at board level in order to ensure that organisations fully adopt the ERM/CSR/CG principles and processes.

It is traditionally difficult for H&S professionals to participate in CG and CSR processes, especially at board level, as the H&S function often only operates at the ‘operational’ level. Additionally, the H&S function often approaches its role in a risk averse, non-business focused manner. H&S professionals who seek to increase their influence ‘up the management chain’ will be more often asked to contribute at a ‘tactical’ and ‘strategic’ level, where CG, CSR and ERM are ‘on the agenda’ of senior management.

Effective CG processes within an organisation must include a Health & Safety Risk Management process and business decisions must consider all risks and consequences of a business strategy and its implementation. H&S professionals must be able to quantify both the cost of loss (i.e. the risk actually resulting in a loss) and the cost of risk prevention (i.e. the control measures) in economic terms, so that the business case for H&S risk management is made using both sides of the cost versus risk equation. This ensures that H&S considerations are taken into account on a cost versus risk basis, thereby resulting in proactive resource allocation to ensure continual improvement. In this way H&S professionals can help the organisation to manage its opportunities in a more complete manner, whilst minimising the risks.

It is imperative that H&S professionals understand and talk the language of the boardroom so that H&S management systems are accepted as part of normal business and operational processes. If H&S processes are established as part of the way that the organisation operates, then H&S will be managed as a normal part of management and employee activities. This minimises the need for constant ‘fire-fighting’.

Organisations respond much better to the use of business and commercial focused interventions, and can see the added value of good/best practice if it is explained in business terms. This approach is much more effective than just stating ‘we have to comply with what the law says’ which, inevitably, is a poor motivator. It is clear that a ‘tick the box’ legal compliance approach will no longer suffice and will no longer ‘protect’ the organisation from its duty of care responsibilities.

Summary

H&S professionals need to work with an organisation to implement business processes that are integrated with normal organisational processes. They need to view their organisation as a complete system so that business processes that are implemented complement one another and are designed to ensure an integrated, consistent and non-duplicating approach. This approach is appreciated and welcomed by organisations as most are looking for flexibility, added value and not uncoordinated ‘red-tape’. Management and employees must be involved in the design, implementation and ongoing monitoring of these processes. The organisation’s H&S professional should not be required to be the management systems policeman, but should focus on advising management and employees. In so doing, organisations will find themselves moving towards the ultimate goal of continual improvement in all their business performance indicators, including continual improvements in their H&S management systems.

John Stevens is Managing Director Risk Frisk Ltd – www.riskfrisk.com and 0845 456 4136. John is a member of the IOSH National Consultants Committee and Chairman of the IRM Transport & Logistics Group.


or environmental management risks. This fifth edition of Managing Business Risk is organized around the core risk areas of management strategy. and the threats to identity. .Introduction While every edition of Managing Business Risk reflects the growing pervasiveness of manageable risk in all aspects of business. In Part 1. and the other from Corfin Communications on reputational risks for PLCs. each successive edition finds a new emphasis on topics of key concern that have emerged more recently. Ernst & Young and SAS UK & Ireland for their definitive contributions. there are important chapters from Siemens Insight Consulting. On the latter topic there are two new contributions in addition to a chapter on corporate reputation from CIMA. IP management and the role of IT. Norland Managed Services and XL Insurance Group. They are strongly supported by contributions from BSI Standards. Previous editions have focused on the risks arising from the application of IT systems and software. Political risk is addressed by Control Risks and terrorism by Commercial Security International (CSi). In each of these areas the focus of concern has changed from the fourth edition. ICM Computer Group and SunGard Availability Services to CIPS. or from the failure to observe best practice in corporate governance. who have written for the last two editions: one is from Cision on reputation and emerging communications technology. Part 3 covers a spectrum of issues in operational risk management from eminent risk practitioners ranging from Lloyds Register Quality Assurance (LRQA). on topics of corporate risk. databases and information security arising from the ever more intrusive internet. These topics are all of interest to the senior management of operating companies. Also in Part 2. the first three chapters are concerned with the identification and use of strategies for the management of key risks for business in 2008. Thomas Miller Risk Management and Appleyards. corporate concerns. 
I am grateful to the authors from HSBC Operational Risk. HSBC Operational Risk Consultancy. particularly those engaged in manufacture and manufacturing services. Part 2 focuses on corporate risks in the two areas of political risk and terrorism and reputational risk – both of critical concern today. the Centre for Effective Dispute Resolution (CEDR) and Strategic Risk Partnerships. operational management issues.

Part 4 is devoted exclusively to intellectual property risks and the five chapters are authored by experts from specialist firms practising in the field. Similarly, the three chapters of Part 5, which is focused on IT as a source of risk solutions, are provided by ICM Computer Group, SAS and Symbiant.

As always, my thanks are due to each author personally. The publishers and I also express our appreciation to the organizations that have sponsored this edition or taken advertisements in the book. Their participation makes high-quality publication possible at a competitive price.

Jonathan Reuvid

1 Risk Management Strategy


1.1 Enterprise risk management: breaking down the risk silos
James Dickson Leach and David Breden, HSBC Operational Risk Consultancy*

Risk management is as old as business itself. The basic principle of taking risk in order to gain reward is a fundamental tenet underlying all commercial undertakings. Over time risk management has evolved, and expertise has grown, from humble beginnings where the term ‘risk’ simply applied to losing money that was lent or invested by a firm, up to today’s market where there are as many definitions of risk as there are risk practitioners (perhaps more).

Businesses have meanwhile moved from basic ‘common-sense’ approaches used by employees every day up to an approach that can utilize large central risk teams or strict centrally controlled policies, in some cases with highly specialized modelling and forecasting teams working from thousands of points of data. In this move, however, companies have come across the same problems of scale that have had to be dealt with in many other areas (cash flow, reporting lines, etc) of

*The views expressed in this chapter are the authors’ personal views and do not necessarily represent the views of the HSBC Group.


business: there is not the time or ability to train all employees, managers and directors in all forms of risk and risk management, at least not to the level needed by large or sophisticated companies today. This has led to segregation of risk management into several different areas. There are now areas of responsibility for different types of risk: generally day-to-day operational risks are managed by business units, with guidelines and written statements of practice from a central risk management function; strategic risk is handled by the board or strategic teams; special forms of risk such as market risk or credit risk in banking, or risks like the price of oil, or other products or supplies critical to the business, are handled by specialist analysts and software programs.

This separation is a by-product of increasing sophistication, whereby the specialist knowledge held in a specific team, or centrally derived rules and procedures designed to minimize risk, may not have the same relevance or acceptance in all areas of the business. Whilst this is not a problem in itself, issues do arise when the complete picture of the risks a company is running is not available to senior management as a result of this segregation. The next step in sophistication is to gain the ability to recombine these risk management practices and forecasts into one complete risk picture that can be communicated easily around the company, and allow balanced decisions about the overall risk profile to be made. This process of sophistication is illustrated in Figure 1.1.1 and is the philosophy behind enterprise risk management (ERM).

[Figure 1.1.1 Growth of business and increasing sophistication of risk management. Axis: sophistication of risk management. Levels shown: full integration into business management with input into corporate strategy; locally managed with central oversight and/or specialist teams; locally managed.]

We can look at the banking industry to provide an example of this trend. We do not have to go far back in history to find a race of bank managers for whom risk meant lending money to clients and a time when most decisions were taken by a branch manager who would also decide on commercial strategy for his branch within loose

guidelines provided by head office. Only very large decisions would be taken by the specialist lending units responsible for affairs for geographic regions. Market risk was the preserve of a specialist treasurer whose responsibilities centred on ensuring that liquidity ratios were maintained and matching the maturity profile of deposits and loans. The result of this localized and unplanned management of risk was that banks became exposed to geographical and industry concentrations and in an economic downturn all clients could be expected to suffer because there was no central control on the industry sectors to which money was lent.

Since that time, lending has moved away from the local manager to a central function that can control the level of exposures to market sectors or geographical concentrations. It has developed credit scoring systems that reflect risk appetite in granting loans and remove individual judgement from such decisions. Market risk experts will control all aspects of company investment and operational risk, whilst managed by all staff, will be controlled by central policies, procedures and guidelines.

Risk has therefore been centralized into silos within the banking industry and is managed individually, but – as the 2007 sub-prime issue shows – the different types of risk interact. A problem in the credit risk market in the United States exposed a weakness in the strategic funding position of a UK building society and led to a Swiss bank declaring a loss in its market portfolio. This leads us to question whether we should not be taking a holistic view of the capacity for risk across the firm, and asking how much risk the firm is willing to take in each area of its risk profile, always considering how these risks are likely to overlap or aggregate. Once that has been done, sophisticated risk solutions can be adopted.

Enterprise risk management

Enterprise risk management is a combination of, as well as an evolution from, traditional risk practices. The flow of risk management from local and reactive action to centralized control in specialist silos is now moving towards a situation where risk has centralized management and is treated as an overall exposure.

Components

Enterprise risk management goes by a lot of names, and has a variety of applications and methodologies, but whatever name it goes by, the idea contains certain key elements, as illustrated in Figure 1.1.2. These will usually include some form of framework for comparing and contrasting different risk types, a system for identification and assessment of risk, a method for risk quantification and mitigation and transfer options. Together these allow a clear risk profile of the organization to be compiled, which can be presented to senior management in order to prioritize management of those risks that the company feels need the most attention. In its highest form it is integral to the strategic and everyday practices of the company, utilizing the strengths, capabilities and

financial positions of both the company and third parties in order to optimize the risk profile of the firm.

[Figure 1.1.2 Key elements of ERM: identification and assessment; modelling and quantification; mitigation and controls; framework and monitoring.]

Identification and assessment

When identifying the risks that the company runs, and especially those that are considered to be material, there is a lot of variation between different risk types. For instance, spills of non-flammable liquid at an oil refinery might not take a high priority, but in the same company’s head office where members of the public might slip and fall, such incidents might be more serious.

More importantly, risks can slip through the gaps. In much the same way that business units will not identify as significant some risks that might have a large impact on a parent group, separate risk teams may miss risks that, while unlikely or minimal in their field, can combine with others to cause major losses. Equally, a hedged position being left open overnight may not register to an operational risk team, but if it is combined with a volatile market or a market shock, the impact could be significant. Meanwhile the market risk team may not include this risk in their projections, as they assume that positions are all fully hedged in line with standard procedures.

Often the key challenge of setting up an ERM framework is making it possible to count the risks that are more difficult to quantify alongside those whose impacts and likelihoods are easier to measure. This often essentially boils down to what a company or unit will find ‘acceptable’ as a risk, and what it will find ‘unacceptable’ in terms of both likelihood and impact. Such a concept is easily understandable when referring to losses occurring as a result of a risk that is assumed voluntarily – such

as an investment or a decision to grant credit terms; for operational risks, however, which are assumed as a result of conducting normal business, the decision is more complex. How many internal frauds are ‘acceptable’, or what risk of employee fatality is beyond the ‘appetite’ of the organization? In such cases it is often helpful to speak in terms of risk tolerance and consider what scale of losses you are prepared to accept and at what level such losses begin to exceed what is tolerable.

Quantification and modelling

To evaluate the wisdom of investing in the mitigation or control of risks, or of assessing the cost effectiveness of this spending, effective measurement of risk is a vital step. Without effective measurement, prioritization of risk management efforts is a much more hit-and-miss affair. Different areas of risk employ different modelling methods and different levels of data are available. These methods might range from mathematical forecasting to scenario analysis. Internal sources of expertise, such as insurers’ actuarial teams, energy firms’ risk management experts and financial firms’ market experts, should all be consulted as to the part they can play in generating meaningful analysis of the identified risks.

ERM includes running larger scenarios of potential market downturns that can affect several business areas, and determining the inter-relations and correlations that might be found between different risks under the conditions described in the scenarios. These correlations should then be allowed for in modelling the complete risk profile. Equally there will be levels of diversification available, and these should be recognized. Finally, the creation of scenarios forces the breakdown of risk silos as we consider the impact of an event across the boundaries of risk management responsibilities.

Mitigation and controls

A large part of ERM is the implementation and monitoring of the actions taken in the company to control either the likelihood or the impact of the risks it faces. This can range from internal controls such as health and safety procedures, fire prevention equipment, business recovery plans and backup facilities to the cost effectiveness and suitability of insurance programmes taken out by the company. The benefits of placing all of these disparate areas into an ERM programme is that not only is there a single point of risk management that is responsible for the integration of the identified risks with their treatment, there are also possibilities for risk treatment optimizations, by recognizing that possible synergies can be identified in the treatment of risk around the company.

Having a clear picture of the risks faced by the company as a whole can also allow more sophisticated approaches to risk controls and mitigation. This can include solutions both on and off balance sheet: access to products such as dual trigger insurance, captive insurance companies, equity and bond issues, subordinated debt or organizational risk management. Expanding the expertise, utilizing it and combining it with specialist consultancy or extra training for risk staff can reap huge benefits when planning responses to risk.

if risks are being covered by more than one set of controls. For example. The running of a successful ERM programme may well depend on the ability to bring these disparate groups together. Risk management is not always about increasing levels of control. Controls and mitigants targeted at material risks are always more effective uses of capital for a company than unfocused approaches that may result in an overconcentration on frequently occurring risks that are well understood whilst potentially fatal difficult risks are ignored. This should allow significant streamlining of the risk and control functions of the business as well as encouraging business unit buy in. Such a report should also concentrate on areas where future action can be taken. Communication between those responsible for managing each silo can facilitate the sharing of experience and good practice in terms of risk identification and the selection and execution of risk mitigation. It can also encourage the elimination of needless controls. as well as recommending the ‘red flags’ or areas where large amounts of risk are being run. as well as allowing double counting to be eliminated. along with costs (opportunity and realized) that can be associated with risk reduction activities. Risk reporting allows all risks to be on the right people’s agendas. there is easy visibility across the risk types to those that are most significant for the company. Used in this way. rather than taking a simple blanket approach. rather it should be utilized where necessary to help the ERM manager. Combined risk profile Once the risks in a company have been evaluated. the actions of Nick Leeson (the Barings Bank rogue trader) would not have proved fatal for the bank if the Nikkei index had not moved violently against his positions due to the Kobe earthquake. together. Using the compatibility established by using a common framework.
Whilst the Barings’ case effectively highlights the need to ensure that essential control frameworks are enforced. rather than being reported in separate silos. a full risk profile can be generated. possibly for little gain. and the risk assessment should enable firms to identify redundant or excessive control structures. ERM forecasting from the risk profile can outline options for the future direction of the business. and expertise in these areas should not be wasted or diluted by the ERM message. as the report can be a transparent view of the units’ risks. It is important in ERM to get behind the risks identified in the different areas to see what really drives the risk exposure of the company. In other words the risk management framework and process is consistent across risk types but the way you manage and measure the risk will vary in line with the characteristics of the individual risk. Framework and monitoring Risk silos exist for a reason. The combined approach should ensure that no major sources of risk are overlooked. the fatal market movement illustrates the need to identify and monitor such drivers. and gaining a knowledge of their work will be vital for the aspirant ERM manager.

can help shape the future direction of the company. and matching the risk appetite to risk exposure is the principal aim of enterprise and operational risk management. These scenarios. no matter how small the initial monetary cost may be. assess and quantify both the risks faced by the company in the scenario and the effectiveness of the controls. Enterprise-wide scenarios Earlier. and the derived management benefits can be remarkable. Scenarios can also be run in non-extreme risk situations. When scenarios like these are used. as forecasts for possible future strategies. as all of these together form the enterprise risk management philosophy of the company. When dealing with new purchases or bringing two or more companies into line there is increased risk to the firm from sources as diverse as increasing operational risk exposures from the changing of systems between the companies. some are very risk averse. with few large companies these days willing to run the risk of negative press exposure. The key step here is that before the risk exposures can be matched to levels of risk tolerance. Risk tolerance is often the easier of the two areas to measure. loss of key personnel. along with those more focused on traditional risk exposures. three examples are given below. A large part of this is the comprehensive understanding of the risks run by a company. If such losses. the ERM manager or unit should look to their previously established processes and experts in the business to bring together a group of experts from within the business who can identify. if they do not have a robust system of risk identification and measurement in place. Culture and reputation also have their own effects on risk appetites. Every organization has an appetite for risk. while others choose to run risks in order to maximize profits. and increased liquidity and debt risk as funding for the deal is paid down (see below).
Mergers and acquisitions Enterprise-wide scenarios might be run in the situations outlined in below. as changing internal and external situations vary the risks being run. identification and modelling. An organization’s risk appetite should be informed by and respond flexibly to risk management. This philosophy cannot be set in stone. and in turn the response to these risks. Alternatively it can be derived from analysis. thus ensuring ERM benefits the company and is not simply seen as a needless expense. Companies may be holding more risk than they realize. as it can be based upon guidance from the board. mitigants and proposed plans for dealing with them. covering future variation that might be expected in key markets or the launch of a new product range or area. The risk appetite will be affected by many factors unique to each organization. or whether a ratings downgrade would force the company into a much more expensive level of debt servicing. the use of scenarios in ERM was mentioned. Identifying and managing these risks allows the organization to better understand its own structure. both must be measured. for example by stress testing the balance sheet to find out what size of loss could cause a crisis in the company.

• 14 RISK MANAGEMENT STRATEGY Synergy building Merger or Acquisition Total risk capacity Future Acquisitions Bedding in Spreading best practice Net risk capacity Financial risk Non-financial risk Negative Risk Capacity exposes the business to Catastrophic Consequential Losses from even small loss events Figure 1. This is illustrated in Figure 1.1. the ability of a company to sustain losses will be compromised. risk management and mitigation should be a major focus in all areas of an organization following a loss. Taken on top of the effects of the first loss.1. leading to the need to reduce the risks being held in the company. increasing the likelihood of other risks occurring at precisely the point when a company can least afford another loss. Worsening market conditions When margins are under pressure. stakeholders may begin to question management‟s ability to handle the merged entity so tolerance of such losses is likely to be reduced. The avoidance of these consequential catastrophic losses is vital.3 Changes in risk exposure brought on by mergers and acquisitions are frequent or substantial. As such. a ratings downgrade triggered by a large loss can increase the liquidity risk of a company. the recovery process will often place strains on the remaining business resources. . as more cash is required to service any debt. After a large loss After the occurrence of a large loss in the business.3 which shows the changes in the risk exposure of a business during a merger or acquisition. these events can prove devastating.

as well as the approaches currently being taken to manage those risks. That said. Once this has been done. or disaster recovery plans and control systems. rather the approach taken must be customized for each company. business continuity. and allow these risks to influence the actions of the company. ERM can offer serious insight into the risk universe faced by a company.ENTERPRISE RISK MANAGEMENT 15 • ERM addresses this by making someone in the company aware of all the risks that are being run by the company. from an individual process right the way up to board level. future plans for management. there is no single methodology that must be adhered to. Conclusion ERM is only as effective as the willingness of senior management of the company to embrace it. and those that are recognized and being controlled by the different areas. In this way it can easily be seen that there is a definite philosophy behind the willingness of a company to treat its risks in a coherent and joined up manner. and possible risks associated with the company‟s strategy. uncovered areas of risk or areas that could be covered more effectively can be investigated in order to make the best use of the capital invested in risk mitigation. This can also include surveys of current insurance programmes. .


1.2 Strategic business risk 2008: the top 10 risks for business

Fiona Sheridan, UK Leader, Risk Advisory Services, Ernst & Young LLP

Risks are inherent in every forward-looking business decision, be it expansion into new territories, buying and integrating a new business, re-engineering a supply chain, or adopting new staffing models or technology. Successful risk management, therefore, should be an integral part of an organization’s strategy planning and operational delivery capability, and is an important dimension of good business management practice.

A great deal of work has been done in the area of risk management in recent years, partly in response to legislative and regulatory pressures, and to operational failures, which may have devastating effects. Many companies have invested significant resources globally in risk and compliance initiatives, with much of the focus on financial and regulatory risk. But strategic risk is often considered at such a macro-economic level that its implications for action by management can be missed and not acted upon. Our experience suggests that there is a growing awareness that strategic risk can be a dangerously quick and permanent destroyer of corporate value (think, for example, of some of the recent

enterprise-wide risk insight for management and the board. We have coined the term „risk performance‟ to assist organizations to both keep out of trouble and make their business better. Equally. regulation. . We consolidated the findings from the industry sectors to produce a ranking of the 10 most important strategic risks across all sectors. and approach to. strategic risk. Many large organizations have multiple risk-governance processes and infrastructures amongst various corporate and business units. to develop a picture of the main global strategic risks for 2008. strategic risk management has not benefited from the investment and developments in other areas of risk management. In addition. How many of these risk processes provide real insight to leaders to support their decision making as they develop and sign off their strategic aspirations? How many of these ensure that short-term and further off risks are considered. Ernst & Young have worked with Oxford Analytica. or undermine the competitive standing of the leading firms in the sector. finance. The top 10 risks for business To assist companies in challenging their view of. • the need for real-time comprehensive. economics and demographics.• 18 RISK MANAGEMENT STRATEGY large corporate failures or severe losses in stock market value). including business strategy. as needs dictated. law. to interview more than 70 analysts from around the world and from more than 20 disciplines. an international consulting firm. These have sprung up over time. medicine. leading to substantial inefficiencies. the sciences. 
we have identified specific strategic risks for 12 different sectors: asset management; automotive (auto); banking and capital markets; biotechnology (biotech); consumer products; insurance; media and entertainment; oil and gas; pharmaceuticals (pharma); real estate; telecommunications (telecoms); utilities. Industry panels rated the severity of each risk issue on the basis of the likelihood that a risk issue would either lead to severe financial loss. geopolitics. • increasingly broad and demanding stakeholder expectations. that risk-adjusted decisions are made and that measures are put in place to ensure that initiatives deliver to promise? These processes may prove insufficient to meet the demands placed on them by: • global competition. This could mean that an organization is unintentionally exposing itself to strategic threats – and missing an opportunity to drive competitive advantage by taking strategic risk-based decisions. and often operate in silos.

but may emerge at the top of the risk tables in years to come. We also report on the five risks that did not appear among the top 10 (though only by narrow margins). but this may change over time. for example: • • • • How does your company identify.2. assess. North America and the BRICs (Brazil.1) monitors three key components of strategic risk: • macro threats that emerge from the greater geopolitical and macroeconomic environment. This risk‟s top position was driven by an escalating regulatory burden in many markets. biotech. Regulatory and compliance risks: the greatest challenge The industry analysts we polled selected regulatory and compliance risks as the greatest strategic challenge facing leading global businesses in 2008. it is possible to challenge your view of and approach to strategic risk.ey. and compliance challenges as companies extend their value chains well beyond Europe. • sector threats that emerge from trends or uncertainties that are reshaping the industry.com. The 12 sector reports can be found by visiting www. such as the Audit Committee on strategic risk? • Who keeps an eye on the risk „horizon‟? • How is risk assessed in relation to strategic option evaluations? The remainder of this chapter explores the top 10 risks in more detail and their implications. Those on the outer edge are of slightly lower priority. Using the Ernst & Young Strategic Risk Radar. insurance. The Ernst & Young Strategic Risk Radar (see Figure 1. and rating the loss impact and the competitive impact.‟ . India and China). telecoms and utilities is further increasing this risk. • operational threats that have become so intense that they may impact the competitive performance of leading firms. The possibility of regulatory intervention in sectors such as pharma. not only between incumbents and new entrants. but between countries. Russia. The risks at the centre of the radar are those our panels believed will pose the greatest challenges to businesses globally. 
Such intervention could shape the competitive environment and drive fundamental changes in business models. manage and monitor strategic risk? Who has accountability for managing these risks in your business? How visible is their active management? Are senior management able to identify their strategic risk radar? What would it look like for your business? • What is the quality of information being shared in the business and with those in an oversight role. and it is designed as a key tool to assist management in identifying and prioritizing strategic risks. One telecoms analyst wrote: ‘Regulation has a tremendous effect on the competitive landscape. The Ernst & Young Strategic Risk Radar is the result.

[Figure 1.2.1 The Ernst & Young Strategic Risk Radar: the top-10 strategic threats for global business in 2008. Radar segments: Macro threats; Sector threats; Operational threats. Risks shown: Energy shocks; Global financial shocks; Inability to respond to industry consolidation/transition; Regulatory and compliance risks; Inability to capitalize on the emerging markets’ rise; Poor execution of strategic transactions; Radical greening; Ageing consumers and workforce; Cost inflation; Consumer demand shifts. The Next Five: War for talent; Pandemic; Private equity’s rise; Inability to innovate; China setback.]

Compliance challenges are particularly strong in highly regulated industries such as banking, insurance, pharma and biotech, with a continually increasing regulatory burden. One banking panellist noted: ‘Banks are experiencing significant fatigue around managing the myriad of often redundant compliance and regulatory reporting activities, the cost of which is massive and burdensome.’ As a result, we believe companies may seek risk-convergence initiatives that allow them to coordinate the various risk and control processes, reduce redundancy and so drive down costs, and perhaps most importantly, achieve more comprehensive enterprise-wide risk reporting to senior management and the board.

Global warming is also driving tighter compliance through supply chains. North America and Japan. Leading companies could lose their competitive edge if they cannot effectively respond to these new opportunities. A number of industries are experiencing dramatic shifts in consumer demand – often dramatic growth – as a result of rising average ages in Europe. with the 2007 worldwide credit crunch providing a real-life demonstration of how highly contagious such shocks can be across sectors and. forcing them to manage diverse regulations in different markets.STRATEGIC BUSINESS RISK 2008 21 • Other industries. where high-profile failures of some investee companies could lead to a loss of confidence among investors and lenders. biotech. oil and gas. In the future. A specialist in business strategy noted: „Managing regulations in 10 jurisdictions is one thing. As companies become more and more global. and many will need to have an aggressive approach to key competitors that may increasingly come from outside their sector. are experiencing increasing compliance requirements driven by global warming concerns. Sectors most affected by these shifts include pharma. While many companies have been in these key . compliance is becoming a greater challenge. continued financial innovation – which tends to disperse risks. indeed. And the woes of the US auto industry. weighed down by pension and healthcare costs. What happens when a firm has significant markets in 30–40 countries at varying levels of development and with very different regulatory traditions? ‟ The importance of understanding local regulations as well as major global industry regulations is crucial to those companies expanding their global reach. globally. The other strategic challenge posed by an ageing population is the need to replace ageing workforces. insurance and asset management. illustrate a third risk aspect associated with ageing workers and retirees – the human resources challenge. 
which can present a challenge to firms seeking to maintain their skill bases. Analysts were concerned that the sustainability of financial sector growth was more fragile than markets recognized. and as a consequence makes the detection of potential shocks more difficult – is likely to increase the potential for financial shocks. Other analysts were worried about crises spreading from alternative investment vehicles such as hedge funds or private equity. notably auto. notably for retailers. Ageing consumers and workforce: the quiet surprise The third-greatest strategic risk for leading global firms is the threat posed by workforce and consumer ageing. Global financial shocks: a risk experienced The second greatest risk to emerge from the study is the risk of global financial shocks. with a potential for dramatic fallout from excessive leverage. Emerging markets: the risk of failure The fourth strategic risk is a threat to competitive standing: the inability to capitalize on the emerging markets’ rise. consumer products.

. However. Part of the consolidation phenomenon has been driven by the global M&A boom. with sector influences shaping the nature of the transitions: an example is auto manufacture. An analyst in consumer products commented: „Over the next few years nearly all the increase in world population will take place in developing countries. banks will not be able to say they are global unless they are a major presence in China. In the meantime. „Only 41 per cent of developed market companies have a risk strategy for emerging markets. Partner. which several analysts believe may be slowing down. where value is added from using countries with a lower cost base. Global Financial Services Team. Recently.‟ Keith Pogson. large firms that drive down costs and target mass markets are countered by smaller „boutique‟ firms targeting better than market returns.‟ Ernst & Young. notably banking and telecoms. More active worldwide enforcement of the Foreign Corrupt Practices Act (FCPA) by the US authorities has resulted in large numbers of investigations and fines. with more than half (56 per cent) saying that no strategy is in place. global expansion into foreign and/or emerging markets has always carried with it traditional threats. because these emerging markets are going to be a major source of financial sector revenue and profit growth on a global basis. which are only exacerbated by damage to reputation and broader corporate financial health. may continue to merge. transition is likely to continue. operational. India and a few other countries. regulatory. other established markets will reach maturity. Ernst & Young Consolidation and transition: a constant refrain The fifth strategic risk is the inability to respond to industry consolidation and/or transition. Companies are entering these markets in search of opportunities for market growth. such as currency. 
the risk of falling foul of worldwide anti-bribery and corruption legislation whilst operating in emerging markets has intensified. Risk Management in Emerging Markets study. where the location of production capacity is shifting closer to the location of demand growth in new markets. emerging markets remain dynamic for developed market companies. October 2007 „In the near future. In asset management. On the downside. Other industries. or are being driven to them by the saturation of existing markets.‟ Strategically. language and cultural risk.• 22 RISK MANAGEMENT STRATEGY emerging markets for some time. global firms are finding a source of competitive advantage in their supply chains.

In the short term. but because operational challenges are not met. while others will go either too radically green or. process and technologies.STRATEGIC BUSINESS RISK 2008 23 • Energy shocks: more than just keeping the lights on In ranking the risk of energy shocks in sixth place. or carbon footprint. excellent execution and integration of small. but could pay dividends if consumer tastes and regulation shift quickly. Stakeholders expect M&A to deliver rapid bottom line benefits as a result of synergies. but postmerger integration is often slower than expected in respect of people. cost inflation has impacts all the way through the value chain. ranked eighth by our panel. Various potential causes of such energy shocks were noted. acquiring innovation or highly specialized personnel. This brings radical greening onto the risk radar in ninth place. highly strategic mergers. can have just as great a competitive impact: for example. real estate portfolio. And. going green is expensive. not because they are poorly conceived. contests for control of „strategic‟ energy supplies. particularly in the auto. including oil. asset management. from exploration to pipeline construction costs and refinery build. Radical greening: competing to meet consumer demands The pace and extent of the new „green revolution‟ in consumer behaviour and regulation is hard to predict – some firms will get the right fuel mix. . Fluctuations in energy prices and access to supplies pose a clear challenge to the energy industry. media and telecoms sectors. companies are being squeezed between these rising costs on one hand and a base of retailers with strong buying power on the other. or scale of products via specialization. Other industries are seeing cost become a centrepiece of competitive strategy. with substantial competitive impacts. Cost inflation: a centrepiece of competitive strategy Renewed volatility of raw material prices has helped cost inflation re-emerge as a strategic risk. 
a breakdown in relations with Russia. not green enough. where the best performing companies are those that control costs by achieving overall scale. the analysts recognized that no leading global company is immune. gas and utilities. or action to disrupt shipping through one of several key maritime choke points. Executing transactions: the risk of a plan failing Transactions undertaken in response to industry consolidation or transition may fail to deliver. a large swing in prices could also trigger economic shocks that could impact sectors such as insurance. This risk of poor execution was ranked in seventh place by our analysts. beyond the energy industry. consumer products and real estate. In consumer products. However. although mega-mergers dominate the headlines. including a US strike on Iran. In oil and gas. more likely.

Disease pandemic The lingering risk of a disease pandemic with market. We can expect a future of carbon labelling on products.• 24 RISK MANAGEMENT STRATEGY „This issue of climate change extends beyond just managing regulatory risk. Ernst & Young Consumer demand shifts: a challenge to all A demand for „green‟ products or services is one example of a shift in consumer demand. consumers are controlling the decisions about the content they receive and how they receive it. including those driven by demographic shifts. Climate change and the regulatory and consumer response must be seen as a fundamental strategic challenge. Infrastructure Advisory – Renewables. The next five Following these 10 top threats to global business comes a long list of risk issues with impacts that are – although perhaps less strategic – nonetheless crucial in a number of sectors. There would also be more subtle consequences. . and so our final strategic risk for business is the failure to anticipate and respond to consumer demand shifts. For instance. Analysts are worried that growth in emerging markets would mean companies may no longer be able to draw talent from those markets.‟ Factors such as the web. carbon trading worldwide and tight regulation and heavy taxes on carbon‟. The general theme across all sectors was the strategic challenge posed by consumer empowerment. including a dramatic shift in consumer demand that could have large competitive impacts on the pharma and biotech sectors. property costs and competition for expertise. such as growing consumer ageing. real estate and pharma. driving the content and distribution channels. this challenge may well move up the radar from current tenth place. Partner. In autos: „Increased interest in customization of products requires a shift away from mass-production philosophies. Any or several of these „next five‟ could easily rise into the top 10 in the near future. leading to increased wage costs. 
War for talent The well-publicized war for talent is already having serious impacts in some sectors. notably oil and gas. Waste & Clean Energy Group. asset management. Jonathan Johns. but there are many others trends that have already been mentioned. And it was noted that talent tended to concentrate and cluster. in media. economic and operational impacts is still significant and would have dramatic impacts in nearly every sector. deregulation of markets and globalization will lead to a rise in demand for individualized and customized purchase experiences. As technology continues to expand.

STRATEGIC BUSINESS RISK 2008 25 • Private equity’s rise The third threat of the „next five‟ is private equity‟s rise. A China setback Finally. Ernst & Young worked with a client concerned about the impact of avian ‟flu on their business. where companies have the potential to reap large rewards by addressing the risks better than their competitors. it identified numerous opportunities to tighten processes. A Chinese financial crisis could bring turmoil to markets and banks and insurance companies with large China exposures. The risks on the Strategic Risk Radar are a snapshot in time. Nevertheless. while some global companies are addressing these risks. long-standing patterns of innovation are changing. Companies have had to re-evaluate their competitive positioning in the light of this wave of M&A activity. and controls that have built sustainable protection for them. but considering them can help companies to challenge their own capability and be better prepared. there is a lingering risk of a China setback. A growth slowdown in China would impact on oil. never happens. Properly approached. Its impact has already been felt in many sectors. As markets mature. Many of them also offer significant opportunities. but risks constantly change. But as alluded to in the second „on the radar risk‟. with 9 out of 10 new products failing. fortunately. this risk can present some opportunities for substantial financial and competitive gains if anticipated and managed effectively. Conclusions The top 10 risks on the Ernst & Young Strategic Risk Radar and the five just below it are not predictions. another recent global Ernst & Young study1 found 42 per cent of global companies still had identifiable gaps in their risk coverage. even when the event. however. the risk of failure is high. Political instability in China or regions bordering it could seriously threaten global supply chains. For example. 
concerns about the stability of China’s rise reflect the country’s increasingly central position in the global economy. Working through scenarios and impact analysis. innovation becomes a greater challenge. driving restructuring and accelerating the rate of change. gas and mining companies. In a number of sectors. Inability to innovate Less well-known but equally critical is the inability to innovate. Like some of the other strategic risks identified. In a global economy. the process of strategic risk management can add value. company leaders need to keep an open mind about. a global financial shock might act to curtail private equity activity. Like concerns about the stability of the US dollar.

New Thinking on Internal Control) Copyright 2007. in case the risk does materialize. suppliers and customers. Companies will be better placed to reap the benefits of global opportunities if they: look outside their daily operations to predict potential strategic threats and opportunities. decision-making processes that explicitly balance risk and return. but only if it receives the right inputs and is then acted upon. as well as for advancing it. The risk assessment should also evaluate the organization‟s ability to manage and respond to the risks identified. Note 1. Ernst & Young Global Internal Control Survey: From Compliance to Competitive Edge. markets. understand the inter-relationships of risk around their operations.• 26 RISK MANAGEMENT STRATEGY where risks can come from. the leading practices we see suggest a risk assessment should be conducted at least annually and should cover strategic risk. To cope with the changing risk landscape. our research 1 shows many companies carry out these assessments with insufficient frequency and in many cases without the right people considering strategic risk. Ernst & Young accepts no responsibility for loss arising from any action taken or not taken by anyone using this publication. trading. and look to truly manage the strategic risks to their business. It should neither be regarded as comprehensive nor sufficient for making decisions. A radar is a key tool for protecting one‟s position. Ernst & Young LLP. . All of these need to be wired into management‟s „performance dashboard‟ to ensure realtime monitoring of events. All rights reserved Information in this publication is intended to provide only a general outline of the subjects covered. robust programme delivery of strategic initiatives and. finance. as well as operational. scenario planning and operational response plans to mitigate the loss. nor should it be used in place of professional advice. However. 
take a global view of their enterprise risk management capability. relevant factors include the existence of effective early warning indicators. financial and compliance risk.

1.3 Enterprise risk management and the role of technology: the answer to and cause of all our business problems
Bart Patrick, SAS UK & Ireland

How risk should be viewed means different things to different people. On a basic level we are either risk seeking or risk averse. Very few people are risk neutral, which is the state between risk seeking and risk averse. This goes for many businesses: some are seen as conservative, others as groundbreakers, few would be seen as neutral. But with the change in economic climates the drive is for risk neutrality where an organization should have neither too much nor too little risk. Research into enterprise risk management trends, conducted by SAS and Chartis, highlighted a number of factors that are driving the desire of organizations to be risk aware and thus reach the ultimate goal of being a risk-based enterprise. Table 1.3.1 lists the factors identified in the research.


Increased use of There is greater investment performance measures in methodologies. government Increasing local and and professional bodies regional regulation is continue to press for more leading to a fragmented transparency and consumer global understanding of risk. In order to and a demand for speed and maximize this.ENTERPRISE RISK AND THE ROLE OF TECHNOLOGY 29 • Table 1. It is also the case that reputation is the most precious commodity of any business. and minimizing the risk to this is of paramount importance. using assets to their best management systems. and leakages need to be minimized. The traditional silo-based approach does not deliver value to the business. processes is needed to drive the and systems. This needs to take into account changes to people. There is a drive to a joined-up approach to risk management and a retooling of existing systems to achieve this. losses accuracy.3. process and systems. You can trade nearly anything now with the massive growth in the derivatives markets. business away from just being compliant into riskbased performance.1 Factors driving risk aversion Driver Corporate governance and regulatory compliance Reason Impact Regulatory. Risk management is not just about protecting the existing value of the company but also about implementing systems to help risk shape value. protection. Risk trading Financial crime Risk is all about managing There has been a huge growth in fraud liquidity effectively. Risk-based performance management Breaking the silos SAS and Chartis Research – June 2007 . sophisticated modelling advantage.

This research identified the key drivers for companies seeking to achieve enterprise risk management. More and more the multi-vendor, multi-geography and multi-programme approach is seen as unsustainable. So how do firms get to achieve this enterprise risk management goal? This chapter discusses the elements requiring attention to succeed in achieving true enterprise risk management.

What is enterprise risk management?
The definition of what comprises ‘enterprise risk management’ (ERM) has been discussed by leaders in the risk management field for a number of years, yet little progress seems to have been made in achieving this elusive nirvana. The definition we will use here is: an activity that ‘creates a risk-based approach to managing an organization’s operations, strategy and controls’. To achieve enterprise risk management a company must work across three dimensions simultaneously, as illustrated in Figure 1.3.1. This is an overlapping picture as all these factors have an influence on the others.

Figure 1.3.1 The tri-dimensional approach to ERM (People, Process, Systems)

People
People are the most critical dimension of enterprise risk management. Without the support of staff and a general understanding of risk, no enterprise risk management programme can succeed. These changes need to occur across:
• Culture: How does your business function? Is it conservative or risk seeking in nature? Are change management programmes an accepted norm in the operation? How will staff respond to moving to a more risk-based approach? Do they see and understand the benefits of changing activities to working in a risk tempered environment? Are your employees used to change?

• Competencies: There is a shortage of good risk professionals in the market. Does your business have sufficient expertise internally to cope with a move to a risk-led business? Do the current staff have the understanding of risk and how to use the tools available to leverage risk in delivering business decisions? Can you train staff or outsource the risk management discipline?
• Creativity and entrepreneurship: Risk is not just downside. It must be used to deliver returns, so once risk levels are ascertained, the question to ask is: ‘Do we have the creativity and the entrepreneurial skill to take advantage of this opportunity?’ For instance, it could be said that the leveraged buyout (LBO) of many companies has occurred when financiers have realized that a target company could support additional risk in terms of credit, and have then used this credit to buy the company. Crucially, they have also realized that the management of the company has the capacity to be more entrepreneurial/creative in driving additional value from the company.
• Cost: How much will it cost you to re-skill people or to buy in the necessary skills? Will the cost of change and new staff outweigh the benefits?

People are the first element of risk appetite, defining the culture of a company and how this culture views risk. This includes all stakeholders, but in particular shareholders and senior management who control the destiny of the company.

Process
Does your business process cause, alleviate or compound risk levels? Many organizations have grown organically over time, and many risks can be found in the daily morass of process. Process will influence the ability of a company to manage risk, defining, along with people, the dimension of corporate risk appetite.

Risk personality and process
As Figure 1.3.2 demonstrates, each business needs to have a balance of these risk and process types in order to function. Individuals will uncover areas where process can change, if only the right balance of risk personalities exists. Processes remain unchanged over time because unless a process is challenged by people, regulation or financial considerations it will remain in place.

Regulation and process
Over the last decade the rate of change in terms of regulatory scrutiny has accelerated. Everything now seems to be subject to some form of regulation and many companies have struggled to keep up with this. The issue here is not the individual regulations themselves but the ability of companies to use them as catalysts for change. As such, regulation has been a prime mover in accelerating process change across industries, sectors and geographies.

commodity and business. the ones they use). are the best indicators of bad process. The basic building blocks are data that is managed by a robust extract. and so are unwilling to follow them.3. Risk averse Individuals who always follow procedures as they see them as a protective shield are the most difficult people to get to adopt new procedures. transform and load facility to obtain.4 below presents an overview of the key building blocks and a road map for the enterprise risk management journey.3). All that is required is the ability to measure risk in a quantitative manner. This is where systems come in. This is not to say that regulation should be the sole driver of entrepreneurial activity. Process averse Individuals who wish to use process to achieve their own ends.3. and will pick and choose which processes to follow. cleanse and store the required data regardless of where it resides now. the potential to dynamically adjust the risk mix of any company has never been greater. existing systems can aid or hinder the process. While enterprise risk management coverage can be considered expansive. The technology process to achieving enterprise risk management starts at the base of the Risk Systems Pyramid. Systems Supporting people and process are systems. but it can be used as a catalyst to drive through a change process. . the Risk Systems Pyramid in Figure 1.3.2 Balancing risk and process types The regulation continuum The reaction of companies can be positioned on a regulation continuum (see Figure 1. Process seeking Figure 1. During the review of a firm‟s portfolio of risks. This influences the ability of the company to change and can drive long-term stagnation or competitive advantage. With the ever-increasing tradability of all types of debt.• 32 RISK MANAGEMENT STRATEGY Risk seeking Individuals who may be seen as disruptive and outwardly ignoring process may be the best indicators of good process (ie. 
Individuals who are conservative and feel existing processes are risky.

ENTERPRISE RISK AND THE ROLE OF TECHNOLOGY 33 • Stage: Attitude: Denial “Our current processes cover us for this regulation” Compliance “We have made changes to our process to follow the letter of the compliance regime – it is an expensive necessity” • Practical systems enhancements to meet the “letter of the law” •Siloed processes by geography/ business unit put in place •Cost minimization approach •Siloed changes •Process friction •Stagnation •Increased long term costs to catch up with market leaders who used compliance as a change catalyst Advantage “We view compliance as a key driver of change and use this to create competitive advantage” Actions: •None •Complete review of people. Analytics. Audit.Value at risk XIS .Treating customers fairly VaR .Internal . Without ensuring data relevance and accuracy. CRO.Operational SOx . the emphasis is on understanding from a business perspective the right sources of data and ensuring the quality of the data.Insurance IRR .CRO MARKETS/SECTORS ERM EPM Internal & external reporting Economic & regulatory capital management Ins.3 Risk appetite + liquidity = risk capacity Business focus Stakeholder CFO.Anti-money laundering BI . comms).3. Data quality Key ABM . market and .Markets in Financial Instruments Directive Op.FMCP .CRO Roadmap Monitor Loss data VaR • Fraud • • • .Strategic performance management TCF . .Business intelligence CRMS . . Credit Market Op. compliance. firms will typically operate separate credit. money laundering officer CRO.Cross-industry solutions Technical focus Figure 1.Human capital management Ins. all CFO. Storage.3.Enterprise risk management HCM .Enterprise performance management ERM .Activity-based management AML . insurance.Integrated regulatory reporting KYC . the higher levels of risk management cannot be achieved. BI XIS (for banking. As shown in the Risk Systems Pyramid. 
process and systems •Early change programs designed to maximize revenues opportunities •A better perspective of cost/ benefit •Linked up systems and opportunities to create process efficiencies •Ability to trade across platforms and markets •The ability to generate superior returns from trading efficiencies •Better way of clients and markets Outcomes: •Panicked late changes to become compliant •Loss of market share •Process friction leading to higher compliance costs •Poor process and system selection leading to long term disadvantage •Difficulty to make up lost ground on market leaders •Poor staff relations as the onus of achieving the panicked changes fall on them Figure 1.Data integration EPM .Sarbanes-Oxley SPM .Criminal networks Enterprise intelligence platform – DI.4 The risk systems pyramid At this level. actuaries. risk risk risk CRO.CIO Claims • CRMS • Risk • fraud Credit dimen• Ratescoring sions making • Loss reserving • CEO. CFO.Know your customer MiFID .Credit risk management solution DI .

financial and physical. Importantly. and the bank‟s reputation was damaged by a surplus of credit and market risk that was not managed. Many losses occur due to local or regional conditions. The long-term viability of a firm can be damaged more by the cost of losing its reputation than by the direct. Again. • loss reduction. The bank has suffered a fall in share value of 15 per cent since these announcements. as the threat of fines. with Federal regulation over this. All of this is related to reputation. in three different situations: . Typically these systems are installed for a number of reasons: • compliance. obscuring an enterprise view of risk. none of which are designed to be integrated with each other. no one solution can be applied globally to this. a siloed approach to risk can deliver regulatory compliance in a „tick in the box‟ manner. The siloed risk approach The first historical stage of enterprise risk management involves the tactical insertion of local and regional operational. remained. In the United States. with the regional nature of business leading to a range of approaches. The siloed approach also prevents companies using risk as a tool to guide investment strategies. an investment bank recently declared one of its funds „worthless‟ and another fund „vulnerable‟. The outcome of a siloed approach Over time. and each sector is subject to its own loss types. to a large extent. which are again overlaid by EU regulatory requirements. market and credit risk systems. has the effect of focusing the minds of senior executives. obvious financial losses it may suffer. Local jurisdictional variations will lead to local solutions being deployed. or in extreme cases custodial jail sentences. without ever providing an understanding of the overall levels of risk an enterprise runs. At this stage organizations have migrated to the second level of the Risk Systems Pyramid. 
Building on the risk silos to meet the next level of economic and regulatory capital management is often the stage that most firms stall at. governments make their own regulations. as in the end this requires new techniques and breakdown of the silos to succeed. For instance. these driving forces create a myriad of risk systems. In Europe. Compliance is by far the most powerful driving force. As companies have consolidated. compliance is state led.• 34 RISK MANAGEMENT STRATEGY operational risk silos. Reputation protection is a potent driver for risk management. Compliance drives regional silos. the regional solutions have. Operational losses can be reduced by having a robust management system for operational risk. Loss reduction concerns all types of losses. • reputation. having a number of complex market. credit and operational risk systems. processes and capabilities that create inertia within an organization.

Systems can have a beneficial effect overall. These cover qualitative (question and answer) and quantitative (data-crunching) analysis across a range of scenarios. Figure 1. this is only achievable in context of the changes to people and process that support the move to enterprise risk management. aggregated into an accessible and understandable view of risk intelligence available to the various levels of executives and staff involved in the measurement. . What areas need to be covered? When considering the range of risk systems that supports the business. • to aid the management of the risk profile of the business. They bring together qualitative and quantitative data into a cohesive and understandable format. However. Where risk systems impact the business Table 1. This data can be used in a number of ways: • to influence the future strategy of the business.6. • Second-generation risk systems offer the power to deliver an enterprise-level view of all risks. • We are on the edge of usability of first-generation risk systems.3. which as a whole influence the ability of the organization to deliver risk driven performance improvements. • Accessing data is less of a problem than it has ever been before.5 shows a picture of the range of risk systems typically available to a company. • when an investment decision is guided by the risk profile of this investment. this is driving the investment in and development of second-generation risk systems that can cope with increased product and data complexities.3. a complex picture emerges of data capture. • to change business processes for the better. Conclusions IT systems perform a significant role in supporting the goal of enterprise risk management. • when insufficient risk is being taken by the business in support of its business goals.3. 
Risk systems Risk systems have increased in popularity as a solution to compliance issues for several reasons: • IT now has the power to run millions of calculations across huge volumes of data.ENTERPRISE RISK AND THE ROLE OF TECHNOLOGY 35 • • when excess liquidity exists that can be used to create returns. and most databases can be read by third-party systems.2 below reviews each of the five impacts identified in Figure 1. analytics and reporting. management and monitoring of enterprise risk.

• 36 RISK MANAGEMENT STRATEGY Risk intelligence Risk governance Performance management Market risk Credit risk Operational risk Compliance Fraud Stress testing Credit risk Operational risk Qualitative Anti-money laundering/ terrorism Industry specific regulation Internal fraud Scenario analysis Credit scoring Operational risk Quantitative External fraud Operational risk Consortium data Financial regulation Health and safety Figure 1.6 The impact of risk systems on business .3.5 Range of risk systems available Financial impact Optimize Capital Increase profits Early warning system Visibility. auditable Risk-aware business process Data management & analytics Risk-aware culture Robust infrastructure Figure 1.3. foresight & agility Risk-driven performance Integrated view Consistent. transparent.

Notes Challenges Understanding where data resides and integrating this into a single view of risk. Robust Risk-aware infrastructure culture Risk-aware Better data management business and risk-based processes. This requires modelling of the business and data mapping. Strategies are Achieves a 360° view of optimized the business along with and gives it investment the ability choices. Integrated view Consistent. foresight and agility. Auditors can see where data came from and went to in a transparent process.2 Review of risk systems business impacts Feature Outcome Early warning Financial system impact Visibility. All investments lifecycle so can be appropriate modelled and actions can be taken stress tested against market to achieve optimum risk conditions. . Changing culture is the hardest transformation a business can undertake. analytics. Clean and accurate information is a basic requirement for any risk management process. liquidity usage to identify problems early and asset on in their allocations. levels. Getting a common definition of risk in the business. Integrating a diverse set of systems and processes. Optimized capital allocation and increased profits. Decentralized responsibility for risk management essential. Using IT to surface and measure risk can give management foresight to make the right decisions. perform. transparent and auditable process.ENTERPRISE RISK AND THE ROLE OF TECHNOLOGY 37 • Table 1. This requires systems to bring risk to the desktop. Creates a common mapping and understanding of the risks being run by the business so everyone can participate in the change. Adequate Understanding models to what optimum assist the level of risk business in the business needs to carry scenario and in order to stress testing.3. and a series of systems to make risk visible.

There is a wide range of manual and automated systems available to support firms’ existing risk management structure, at various levels of operational and management structure and across business units and business functions. In bringing together this disparate approach to risk management a firm will embark on a long road that will mix tactical solutions with long-term strategic thinking. Today, enterprise risk management remains elusive as the underlying benefits will only be realized once the necessary people, processes and systems are aligned, which can only be accomplished within a strategic plan. The SAS and Chartis enterprise risk management survey, carried out amongst 410 risk professionals across the financial industry, stated that just 26 per cent of those surveyed have a well-structured plan for implementing enterprise risk management. The struggle to get to an enterprise view of risk is reflected in the complexity of the strategic roadmap that needs to be laid out to achieve it. Enterprise risk management is a massive corporate change management programme impacting the core of a business, and the low percentage of companies that have indicated that they are planning to move to an enterprise risk management environment is a reflection of the complexity faced, rather than an indictment of the potential benefits of an enterprise risk management strategy.

1.4 Using management systems for risk management and corporate governance
Nicki Dennis, BSI British Standards

Management systems have had a bad press; to some they cost too much, they stifle innovation and they are merely a guarantee of repeatability rather than quality. Despite these criticisms, there are also thousands of organizations that successfully use management systems to save them time and money, to improve their internal processes and procedures and to prove their competency to their customers. The reality for your organization is likely to be somewhere between these two extremes. This chapter will show you how using management systems alongside new risk management standards can help in two vital areas: risk management and corporate governance.

Corporate governance is the way in which corporations and other organizations are directed and controlled. The subject has been around for a while, ever since the problems arising from the separation of ownership and control of organizations have been recognized. Organizations such as Enron and WorldCom acted as catalysts for corporate governance reforms; industry in both the UK and the United States has since become more focused on managing corporate governance appropriately and safeguarding stakeholders’ interests. A spate of regulation has followed that has brought compliance issues to the very top of the corporate agenda. A loud fanfare accompanied the introduction of the Higgs and Turnbull Reports in the UK, which aim to strengthen the role of risk management and clarify the relationship between auditors, boards and regulators. Within the United States, a juxtaposition of the Sarbanes–Oxley Act and the personal crusade led by Eliot Spitzer (Attorney General for the State of New York) to prosecute firms and individuals who break rules has led to one of the most significant changes in US Business Regulations in recent years. Even with the introduction of new regulatory measures, it is clear that no firm is immune to the problems of poor risk management and corporate governance, and that initiatives introduced by the regulatory bodies such as the FSA should be viewed only as a base-line preventative measure. With the stakes so high for both senior management and board members needing to take a grip on corporate governance, it should be in their best interests to implement additional initiatives that safeguard both their organization and their own futures. Thus, it is recognized that there is a need for greater corporate responsibility and accountability than exists currently. This chapter aims to demonstrate the need for corporate governance and good risk management and includes a systems approach to adopting effective arrangements, in particular through the use of appropriate management systems.

Management systems
A management system is a way of running an organization that embraces its overall structure, its planning activities, responsibilities, practices, processes and resources for developing, implementing, achieving, reviewing and maintaining the policies of that organization. In short, it is everything about an organization. Thus when you are looking for a way of improving your risk management it makes sense to ensure that governance is at the heart of your chosen management system. Central to all of this is the idea of ‘risk’. An organization’s top management should commit to establishing systems that will ensure that their strategic risks are identified and effectively managed. This system needs to operate at a strategic level and should encompass all of the organization’s activities and the impacts they may or may not have on all stakeholders. The obvious conclusion is that the most innovative organizations wishing to get ahead of the marketplace should embrace additional measures that safeguard their business and create a ‘change-orientated’ culture. Globally recognized ‘Management Systems’, such as ISO 9001 (for quality) and ISO 27000 (for IT security), can offer a unique combination of risk management and cultural change that encourages dynamic thinking and business improvement.

USING MANAGEMENT SYSTEMS 41 •

Within the context of corporate governance, the concept of using management systems as an effective risk management tool has been apparent for some time. Prominent examples include the Turnbull Report, which advocates the use of management systems as a mechanism to manage risk with regard to both the decision-making process and the day-to-day running of the organization. As it pointed out: ‘The system of internal control should be embedded in the operations of the company and form part of its culture.’

Risk as the ‘new’ quality
It is perhaps appropriate to draw parallels between the development of a quality culture in business throughout the 1980s and beyond with the current situation in risk management and corporate governance. This section describes how businesses have used standardization as the main process to drive through change and suggests how they might do so again. Think back to how the so-called quality revolution happened. It was slow at first and then gained momentum as companies pushed ‘quality’ back through their supply chains. It became necessary to have a quality certification in order to even tender for some government projects – such was the confidence in the systems. Now we live in a very different world where our expectations are for products and services to ‘do exactly what they say on the tin’ as the advert says. The support structure for this embedded quality was impressive, accompanied by new job titles: quality managers, quality control analysts etc. A new language was built with its own jargon of Pareto analysis, root causes and TQM. A formal structure of institutes and societies was founded for continuing professional development – The Institute of Quality Assurance and the American Society for Quality amongst them. Quality arrived and dug in. So how is ‘Risk’ similar to this? It is similar because I believe that in 20 years’ time our successors will look back aghast at the way we treated risk management at the start of the 21st century. In 20 years’ time risk management will be as embedded into our systems and processes as quality is today. The trick is to discover and describe how we get from where we are today to that position of truly embedded risk management. One way would be to copy the route taken by Quality. After all, both quality and risk have their roots in statistical science.
Quality developed from manufacturing as a part of the efficiency drive of the 1980s, when statistical process control charts helped operators to optimize control and improve on quality. Risk has its background in the mathematics of insurance risk. Both have strong links to probability, with the language of ‘expected outcomes’ and ‘Monte Carlo simulations’ being used at the academic end of both subjects. Quality has its own language and so does risk; the latter is one with which all will soon agree. The ISO Guide 73 (new edition, due 2009) on risk management vocabulary is a good start in this tricky area. It defines risk as the ‘effect of uncertainty on objectives’ and risk management as ‘an organization’s culture, process and structures that are directed toward realizing potential gains whilst avoiding or limiting losses’. If all the various risk-related organizations around the globe could agree to use these two definitions, then that would certainly be a start towards a shared concept.

ISO 31000: an international risk management standard
For risk management the time is ripe for agreeing on the ‘shared concept’, and it needs to be a widespread agreement that includes governments, businesses, consultancies and trade associations. The International Standards Organization (ISO) is working on ISO 31000 which will be the first international example of this shared concept. The document is due to appear in early 2009, and I would urge interested readers to contact their national standards body (BSI in the UK, ANSI in the United States) and get involved in its consultation phases. The British Standards Institute is also working in this area, but was not the first to become involved. Most readers will be aware of the Australian and New Zealand Risk Management Standard and also of the IRM/AIRMIC/ALARM Risk Management Standard (taken up and supported by FERMA, the European organization for insurance risk managers), although neither of these has yet caught the imagination of business in the same way as ISO 9000. None of these could be termed a complete Management System Standard in that they do not have any accreditation linked to them, but they will certainly support organizations that use them. Similarly, if your organization does not use management systems the new standards will still be of use. BS 31100 will publish early in 2008 and will be the UK’s first attempt at combining good risk management guidance in the form of a standard. ISO 31000 will be much broader based than anything that is currently available. It will, at least, include business ethics, corporate governance, reputational risk, IT risk, business continuity, operational risk and insurance risk as well as risk assessment techniques. Pulling all these themes together into a future formal management system standard may be unnecessary. Even as guidance, the rewards in terms of increased confidence both in and for business will be great.
Other gains will surely be more stable insurance premiums, as after implementing the standards the better management of risks will lead to lower levels of risk transference to insurance providers. Certification schemes may help too (see later in the chapter). A good example is in the area of business continuity plans and the schemes that are available for BS 25999. A business will want to work with suppliers that have ‘good’ business continuity plans, but how should it define ‘good’, especially when it cannot get access to those plans as they contain competitively sensitive information? An independent accreditation to a formal standard is the perfect solution. Everybody can agree that they are all working to the same levels.

Implementing management systems
Management systems such as ISO 9001 require buy-in from senior management, but also require every employee to have an appropriate understanding of the policies and procedures relevant to them. Over time, this encourages a cultural change of open and honest communication that is led by example from the top. The process of embracing internal control in this manner not only provides an organization with an accurate overview of the risks associated with its business operations, but will also help identify opportunities in areas such as reducing costs and increasing efficiency.

There are many different management systems available to help organizations manage operational risks. A combination can also be embraced to offer the organization a more holistic level of protection. The following is a selection of those management systems currently available:

• ISO 9001:2000 addresses the quality of products and services;
• ISO 14001 focuses on the environmental controls within an organization;
• OHSAS 18001 deals with health and safety within an organization;
• ISO 27000 deals with information security within the business;
• BS 25999 focuses on business continuity management and resilience.

All of these standards and specifications have one thing in common: risk management. They are also based on the ‘plan, do, check, act’ (‘PDCA’) model. The model is consistent throughout the new generation of management systems and allows organizations to integrate their management systems more easily to achieve the holistic risk management model mentioned above. This is particularly relevant as many of the existing corporate governance solutions in the marketplace have a financial orientation. In addition to easier integration with other management systems, the PDCA model encourages a culture of ‘continual improvement’ within an organization. This can help to improve efficiency and unleash the firm’s entrepreneurial spirit, whose potential was held back by the ‘tick box’ mentality created by the desire to comply with new legislative reforms.

Best practice
So what is it that organizations should be aiming for? What would constitute best of breed in this tricky area? In my opinion there should be a strategic policy at top management level to focus on managing risk for corporate governance. This should lead to specific policies and arrangements to deal with specific risks. In particular, the policy should encourage a positive culture within the organization to make certain that strategic risks are identified, removed, minimized, controlled or transferred. Specifically the policy should:

• reflect the nature and size of the organization and the strategic risks it faces;
• commit to ensuring that management competence is established to control risk;
• commit to ensuring that a culture is established to control or exploit the risk;
• commit to internal control audits to verify the systems and policy implementation;
• commit to regular review of the strategic risks;
• commit to reporting annually to shareholders, auditors and stakeholders as appropriate.

Certification
Third-party certification of a recognized management system can give internal confidence that appropriate measures have been implemented to prevent acts of poor corporate governance. Certification also gives external stakeholders (that is, regulatory bodies and potential investors) evidence of a sound management structure. This achievement could be the final requirement to attract investment or to satisfy the London Stock Exchange’s criteria for a share listing. Both the act of certification and the exit reports generated during the certification process can be used to produce an organization’s corporate governance report. Furthermore, with revisions in company law and corporate manslaughter, certification to one or more of the management systems mentioned can be used by senior management in a legal scenario to show that appropriate policies were in place and adhered to.

Competitive advantage
A combination of legislative compliance and third-party certification to a formalized management system may be viewed as a burden, but it can also be a source of competitive advantage. First of all, compliance with legislation is not viewed typically as a unique selling point (USP). Addressing the law of the land should be taken as the norm and any organization that shouts from the rooftops that it complies with relevant legislation is not really going to have any more credibility than its competitors. While compliance with legislation should almost be taken as a norm, it is undoubtedly a good baseline from which to implement additional recognized methodologies. It is these additional risk management methodologies and solutions that will offer organizations a USP within the marketplace. Implementation of one or more globally recognized management systems demonstrates to all stakeholders that the management of risk is taken seriously, and gives confidence for both trading and investment purposes. Implementing and achieving certification to a globally recognized management system is an aspirational achievement: it is a way for a company to benchmark itself against its peers and know that it is doing well. Potential investors can also take confidence from the fact that firms with certification to management systems such as ISO 9001:2000 will be focused on controlled growth and continuous improvement. Typically, financial investments are made on the basis of growth, and third-party certification can help give confidence to would-be investors, both individuals and corporate. This is particularly important in this more cautious 21st century. Furthermore, if the much-rumoured Corporate Governance Index is introduced, ISO registration would make a logical addition to the index’s rating criteria. Trust is a significant business driver, and selecting those who manage risk appropriately is often difficult.
A combination of a good corporate governance index rating and third-party certification can help demonstrate good governance and maintain trust.


The future
Following the actions of organizations that have caused a radical reform in legislation for corporate governance, firms have been forced to look closely at their risk management practices. While many of the reforms have been effective, it is clear that with scandals still hitting the headlines their introduction is not enough to protect stakeholder interests appropriately. With firms being expected to become great at ticking boxes to demonstrate compliance, perhaps the question should be asked whether this will leave enough resource for companies to be creative and drive themselves forward. Management systems and, more specifically, a combination of management systems and the new standards to create an integrated system, offer a holistic level of risk management unsurpassed in the marketplace. While many board members within organizations that are not yet registered to a formal management system are debating how many boxes they have ticked, those that are registered are moving their organizations forward with the confidence that they have robust risk management in place. With further reforms to corporate governance legislation inevitable, the only box that organizations will be required to tick in the future will be answered with a simple ‘yes’ or ‘no’. The question will be: ‘Do you have risk appropriately managed?’

Further reading
M Robbins and D Smith (2000) Managing Risk for Corporate Governance, BSI, London

1.5 Embedding risk management – practically
Lee Tricker, Thomas Miller Risk Management

Introduction
This chapter is intended to describe techniques that an organization can use to embed a risk management culture throughout its business. It is aimed at heightening awareness and interest in risk management throughout the organization, promoting the benefits of risk management, and using champions who will keep risk management at the forefront of their co-workers’ minds. Of course, there is no single templated process that will deliver all things for all purposes, but practical experience of repeating and refining these techniques with clients across the years has produced a methodology that is sufficiently disciplined and flexible both to expose problems within an organization and then provide appropriate solutions, thereby making sure that the risk management process can grow organically (with minimal pain) to meet the organization’s developing and changing needs.

Understanding the organization’s structure
If risk management is to be successfully embedded within an organization, that organization’s structure must be clearly understood and defined. From the beginning, the process of embedding must be driven by the board with the CEO being an ideal champion. An organizational structure chart should be used (or drawn up as necessary) to delineate responsibilities right down to individual business unit level. Are areas of responsibility clearly defined and separated? Are lines of communication, delegation and authorization clear? Is there scope for confusion, conflict or duplication? This exercise lays foundations for the task of embedding the risk management process throughout the business, and consequently into the minds of all its employees, which is where a practical and enthusiastic ‘buy-in’ to the risk management process is one of the most basic building blocks of the whole process. The output from the analysis of organizational charts is vital in identifying potential strengths and weaknesses in the structure of the organization.

Building on existing foundations
It is often difficult to embed new processes, mindsets and cultures into an organization ‘from scratch’. It is often more effective to build upon systems and processes that are already in place, widely used and generally accepted. To this end risk management can be effectively embedded within an organization if it is used as part of (and seen to be part of) existing processes. One example is the business planning process. Business managers (and the board itself) should formally assess risk each time a plan is formulated or revised. The identification of risks (and opportunities) should be an inherent part of this. After all, there is little point in setting out objectives that are not realistic in terms of the risks that could threaten them.

Risk assessment workshops
One popular and successful means of assessing risk is by holding risk assessment workshops. If the organization decides to go down this route, it becomes necessary to select (with as much detail and forethought as possible) the individuals from within each business unit who should be attending risk workshops. There are no hard and fast rules with regard to selecting workshop attendees. The simple act of involvement does, however, help to embed risk management in the minds of attendees, particularly if the workshops become a regular part of an established process (such as the business planning process).

Workshops can also throw up important cultural issues. For example, conflict can arise where a business unit manager refuses to accept or concede that there may be risks attached to his or her business operation that are not properly recognized or adequately controlled. It is not unheard of for middle-level managers to overrule their subordinates, as they are mistakenly concerned that the recognition of risk within their business units somehow impugns their abilities or performance. This in itself is a culture risk, which needs careful management if it is to be overcome. In order for the organization to maximize the benefits of risk assessment workshop sessions, it is important that a ‘no blame’ culture is encouraged throughout the whole exercise and into the ongoing business. Similarly, when staff members spot an unseen or untreated risk that exceeds their business unit/division’s risk tolerance, or is outside their field of expertise, the prevailing culture should encourage reporting of such risks without fear of retribution of any sort. This is a vital component of an embedded risk management process in which all staff are proactively managing risk.

The primary objective of a workshop is to gain consensus from inside the business as to the real risks that it faces. This then makes it possible to consider the effect that such risks can have on the organization and its plans, and identify how these risks should ultimately be controlled.

Identifying champions
As noted above, the ultimate ‘champions’ of the risk management process should be the board and the CEO. In larger organizations, however, the direct influence of the board will not impact on day-to-day operations and it will be necessary to identify others within the organization who will actively (and voluntarily) promote the virtues of risk management and ‘spread the gospel’ amongst others within the business.

Suitable individuals can be found from a number of sources. For example, risk assessment workshops will uncover business managers and other individuals who have an innate ‘feel’ or passion for risk management. Where willing (and if appropriate), these people can be enrolled as the risk management champions for their respective business units. The review of organization charts will locate points where ‘champions’ can best be placed so as to operate with maximum effect. The review will also identify individuals whose roles make them natural ‘champions’ by virtue of the fact that risk management is already an inherent part of their job. Examples include health and safety and business continuity managers, corporate lawyers and insurance managers, investment managers and treasurers. All such individuals can be used as the core of a wide-ranging and potentially influential group of risk management ‘champions’ who can help move the organization towards adopting a culture where risk management is treated as a fully-embedded part of the organization’s daily activities.

Carrots and sticks
‘Champions’ can help create a positive environment for risk management, but is this sufficient? Unfortunately, the short answer is invariably ‘no’. Something more tangible is often required and an organization’s performance management system can be a very effective way of delivering it.

The performance appraisal system should make managers and staff clearly aware of what the organization expects of them in terms of risk management. If a manager or member of staff is responsible for controlling a risk, or taking an action that is expected to enhance the control of risk, then this should be clearly spelled out as part of that person’s duties and responsibilities. Managers and staff should be actively rewarded for doing good work and displaying positive attitudes towards risk management. After all, by so doing, they are helping the organization to reduce and control its overall cost of risk. Conversely, the performance management system should be able to deal effectively with individuals who display no regard for the necessity to manage risk. The failure to manage risk effectively can often lead directly to an increase in the organization’s cost of risk. The consequences of any such increase should be reflected within the individual’s performance appraisal and, ultimately, remuneration package.

Use of the performance management system again helps build risk management into an organization on the back of an established and recognized system. Again, we are working ‘with the grain’ of the organization, rather than attempting to impose something new and different, which is, almost by definition, inherently vulnerable to being rejected or ignored.

Communication, communication, communication
Risk management will not be embedded unless an organization regularly promotes the discipline in its communications with stakeholders. Newsletters, risk reports, circulars – all can successfully spread the risk management message and demonstrate to managers and staff that they are working in a risk-aware organization that prizes its people’s ability to manage risk exposures proactively within their own working environment. The establishment of risk management committees and working groups can be of great value. Equally effective (and possibly even more so in line with our theme of building on existing processes) is the inclusion of specific risk items on the agendas of existing committees and working groups throughout the organization.

Developing openness, transparency and the communication and sharing of information throughout the organization is a powerful way of promoting the benefits of risk management. The maintenance of risk data is often sorely neglected in many organizations and this can only be to the organization’s detriment. Analysis of such data can be a valuable way to provide early warning of adverse trends and developments. Sharing such data across the organization can allow different parts of the business to share best practice and learn from each other. The positive experience of giving managers and staff risk information that will actively assist them to perform their jobs more effectively, and thereby increase the prospect of their achieving their objectives, is one of the most effective ways of ensuring that risk management will become embedded within the organization.

Conclusion
We have briefly reviewed some of the techniques that can be used to embed risk management within an organization. Understanding and, where necessary, refining the organization’s structure, building on existing systems and processes, holding risk assessment workshops throughout the organization (including at board level), identifying and appointing ‘champions’, using ‘carrots and sticks’, and communicating effectively – all can play their part in embedding risk management within an organization. Ultimately, when it can be demonstrated that risk management can provide real, tangible value to individuals within the organization, those individuals will actively want to continue to use it. Once this point is reached, the task of embedding is all but done.

1.6 New perspectives in strategic risk
Scott Hartop and Allan Robinson, UMU, Appleyards

Practical tools for thinking and planning with uncertainty designed-in
Are the following statements true or false?

• Minimizing uncertainty supports growth in the organization’s bottom line.
• Focusing the organization’s view of ‘what might happen’ into a set of well-defined outcomes increases the capacity to successfully respond to future events.

A new perspective on strategic risk suggests that these may only be half-truths at best. To use only tools that make neat and tidy assumptions about the shape of the future when approaching strategic risk could create a false sense of security and a narrow view of opportunities upon which organizations then base their biggest decisions. This article explores another side to the conventional story that challenges many organizations’ tendencies to build strategies purely on the kind of thinking that manages out uncertainty and simplifies complexity.

There are two reasons for this: firstly, poor support and failure to employ tools that are more suited for approaching the ‘messiness’ of real-world strategic risks may be partially to blame; secondly, adopting a new perspective also requires an intrepid business risk manager and chief strategy officer with the courage to challenge conventional thinking and reconnect their organization with the reality of uncertainty. Complementing existing practices with alternative frameworks, creating powerful strategies with uncertainty designed-in can be a surprisingly straightforward, rewarding and exhilarating discipline that will pay the business back in increasing returns for years to come. The following practical tools and ideas are offered as a departure point for organizations and senior practitioners ready to adopt new perspectives on strategic risk.

Two views of uncertainty
Assumptions behind the tools used to create and manage strategic knowledge

As we know, there are ‘known knowns’, there are things we know we know. We also know there are ‘known unknowns’, that is to say we know there are some things we do not know. But there are also ‘unknown unknowns’ – the ones we don’t know we don’t know. (Donald Rumsfeld, 2002, then US Secretary of Defense)

Consider Figure 1.6.1. Which quadrant is your current attitude to uncertainty pushing your organization’s strategic knowledge towards? The upper right-hand corner looks attractive: high confidence in both what the organization knows and what it believes is knowable about the future state of the business and the world. Once managed into this ‘known known’ corner, risks appear highly quantifiable and strategic planning can follow a straightforward ‘plan A, plan B’ type approach. Quantitative, statistical models and itemized, prioritized registers of discrete risks are well suited for understanding the organization’s exposure because the future fits into a box with knowable, manageable dimensions.

Of course risk and strategy practitioners implicitly understand that reality is not as neat as this: the future, however near or far in advance of the present, is seldom ‘knowable’ with high confidence. But this intuitive understanding is forced to take a back seat because of the underlying assumptions behind the available tools and widely accepted deliverables. As a result it is common for professionals to attempt to ‘help’ the format they are using to reflect their real world intuition. A less parametric, less simplified view of uncertainty is very hard to accommodate within frameworks built for a highly knowable world.

Whatever the system being considered – a particular market, a new project, a crisis prevention strategy – it is closely interconnected with, and highly interdependent upon, myriad other systems, all subject to the same volatility and turbulence. This kind of complexity makes any future event sensitive to a vast network of variables, small perturbations in which can change the shapes of things to come beyond recognition.

[Figure 1.6.1 Perspectives on strategic knowledge. A two-by-two grid: one axis is ‘Confidence in what the organization knows’ (low to high), the other is ‘Belief in the ‘knowability’ of the future’ (low to high); the quadrants are labelled known known, known unknown, unknown known and unknown unknown.]

Viewed this way, strategic risk quickly becomes the business of complex systems and uncertainty. So an appropriate question might be: how many of the tools in your strategic toolkit start with these principles as their underlying view of the world and approach the future with its inherent complexity and uncertainty designed-in?

Going left-field
Stand in the upper left quadrant of Figure 1.6.1 for a moment. More technically, this standpoint has moved from decision making under risk to decision making under uncertainty. From here the organization still has high confidence in what it knows, but the nature of that knowledge has qualitatively changed: it is now explicitly understood that the future state of almost any aspect of the world is immersed in deep uncertainty, in no small part due to the fact that it is interconnected with other, equally uncertain systems. The only way to make this uncertainty shallower is to be very clear about what can be known about it and what cannot. The organization in the ‘known unknown’ quadrant has high confidence precisely because it has drawn back the curtain, accepted what cannot be known and changed its thinking accordingly. This trades false confidence for a richer, more realistic understanding of what could happen – but how do organizations draw value from this new and positively uncertain picture?

At first it might seem a great deal less comfortable to stand in the ‘known unknown’ corner but this need not be the case. Just as business experience and mathematics have successfully provided a set of tools for building up strategic knowledge motivated by the attractive proposition of the ‘known known’, different sources of business experience and other branches of maths (and biological, physical, social, cognitive and computer sciences) have established an abundance of tools for the ‘known unknown’ perspective. And the good news is these two mindsets are not mutually exclusive; in fact, they can be highly complementary.

Embracing uncertainty rather than minimizing it is about taking an eyes-open and pragmatic approach that befits the reality of how the future can unfold; it is about preserving a lack of resolution where it belongs and uncovering a qualitatively different kind of intelligence more appropriate for the challenges of a less knowable world.

Risk Dynamics (below) outlines how visualizing risk as a highly networked and dynamic system with multiple levers and intervention points opens up an invaluable new layer of insight, creating management options and supporting decision making under uncertainty. Future Arcs (http://umu.futurearcs.co.uk) explores how a plural, recombinative view of the future unlocks the organization’s natural agility and resilience that might otherwise be stifled by more conventional, linear forward thinking.

Neither of these frameworks claims to have invented any of their component tools – they are all long-standing and well understood. What they do claim is to assemble these diverse approaches into a coherent package that can be brought to bear on the business of strategic risk in a ‘joined-up’ and practical way. Both frameworks, following straightforward methods, work to restore the uncertainty and complexity that is traditionally modelled-out. They push three kinds of strategic knowledge into the upper left area of the diagram (see Figure 1.6.2) where it is arguably most valuable for (and most absent from) organizations thinking and planning for their futures.

To summarize:

• Many of the widely accepted tools in the business risk toolkit implicitly design uncertainty and complexity out of the organization’s view of the future.
• Inappropriately removing uncertainty and complexity via these underlying assumptions about how the future will unfold is damaging for strategic decision making.
• Practical, straightforward tools for designing uncertainty and complexity back in are under-utilized due to a lack of support in the risk arena and the perceived safe ground of standard good practice.
• Restoring uncertainty and complexity can help trade false confidence for new kinds of strategic intelligence that support decision makers with powerful, real-world insights.
• This is not just a downside issue: organizations willing to engage uncertainty see a much wider space of opportunities than those employing a conventional perspective alone.

[Figure 1.6.2 Moving towards the known unknown. The grid of Figure 1.6.1 with three kinds of strategic knowledge marked: 1 Assumptions, 2 Tacit knowledge, 3 Deep uncertainty.]

Risk Dynamics
Designing complexity back in
Risk Dynamics starts with the assumption that threats and opportunities facing the organization are not discrete, isolated events, each in its own box. They are parts of a system. This system is complex in its relationships, highly dynamic and much less predictable than the idea of risks as a list of self-contained concerns. It is perpetually in motion, constantly reacting to changes within itself and the wider world. This system of risks and opportunities may look and behave differently from one day to the next.

This clearly begins to re-introduce the missing uncertainty and complexity, but how does this support robust decision making? In return for moving towards the known unknown and letting go of the idea that the future is knowable with any kind of certainty, a Risk Dynamics approach offers three key advantages:

• visibility of important hidden structures;
• access to the sensitivity and responsiveness of the real system;
• increased ability to effectively communicate strategic risk.

Risk networks and impact families
In order to build up a picture of risk as a system, questions of the following kind need to be addressed:

• Does the occurrence of this risk make any other risks more likely?
• Are there any risks that must be prevented from occurring simultaneously?
• Given this exposure, which opportunities become more important to pursue?

As a picture of relationships between risks emerges, it becomes easier to understand and manage their collective, systemic properties. ‘Risk networks’ and ‘impact families’ are two useful and intuitive tools for managing risks that take advantage of the exposed relationships in powerful ways.

Risk networks are collections of risks and opportunities that modify each other’s properties: an occurrence at one point in the network begins a chain reaction that causes other risks to increase or decrease in likelihood, or their impacts to become more or less severe. Figure 1.6.3 shows the process of uncovering key networks within the organization’s web of risks. Arranging risks around the perimeter of a circle and plotting their connections gives a rapid impression of the network’s topography.

Impact families are collections of risks that share the same impact on the organization. Risks in the same family might not modify each other directly but when they occur simultaneously or in quick succession their combined effect can be extreme since they act on the same pressure point. An awareness of risk families enables decision makers to cope with or avoid such concentrated impacts.

[Figure 1.6.3 Uncovering Network A. Nodes shown: RSK_01, RSK_02, RSK_03, RSK_04, RSK_05, OPP_06, OPP_07, OPP_08.]

Visibility of important, hidden structures
An insightful idea from systems thinking is that aspects of the real world can be thought of as feedback loops or cycles that are constantly accelerating or braking. Returning to Figure 1.6.3, a clear loop structure is visible in Network A. This is a vicious circle of interactions that indicates that a change in the likelihood of any one of these risks is in turn amplified around the risk network. Such a self-reinforcing pattern is surprisingly common but hard to represent in a more conventional format. Two opportunities in Network A interact strongly to mitigate the negative feedback created by the risks. A ‘virtuous circle’ of mutually reinforcing opportunities is another common structure that can be intentionally worked into strategies.

Access to the sensitivity and responsiveness of the real system
Since most individual risks now sit within a network of threats and opportunities that directly modify them, the picture begins to more closely reflect the actual volatility of future events. Small changes at any node can rock the system disproportionately. This is clearly important information to consider when basing critical decisions on a perceived level of exposure and deciding where to prioritize prevention and recovery resources.

This extended view of individual risks also has the effect of revealing more intervention points for influencing any individual concern. The preventative measures and recovery plans for risks in the same network will often provide effective supplementary control over their network siblings. Remembering the feedback loops concept, a combined effect driven by making carefully orchestrated changes at multiple points in the same network is achievable. In this way a Risk Dynamics approach can actually increase the number and gearing of the levers available to managers to steer events.

Increased ability to communicate strategic risk effectively
Risks and opportunities that cannot be communicated effectively cannot be managed. By situating a risk in the context of its networks and families it can be more vividly brought to life – this is particularly apparent when risks are visualized.

[Figure 1.6.4 Scenarios for Network A. Scenario labels: ‘Short-term thinking driving decision making’, ‘Long-term thinking driving decision making’, ‘Increasingly distributed partner base’, ‘Increasingly reliant on key organizations’. Items plotted: Network_A-RSK-01, Network_A-RSK-02, Network_A-RSK-03, Network_A-RSK-04, Network_B-RSK-05, Network_A-OPP-06, Network_A-OPP-07.]

Figure 1.6.4 is an example of a visual summary of the key messages for stakeholders involved with managing Network A. Risks fade in as they become more likely. In the fictitious case of Network A exposure mounts quickly as the business veers increasingly towards a scenario where its decisions are being led by a short-term outlook and its reliance on key organizations is high. Note how the overlaps reflect the reinforcement and intensification of the feedback loop in Figure 1.6.3. Pursuing the opportunities for partnerships and planning in the bottom left of Figure 1.6.4 effectively pulls the system back towards a less exposed state.

Risk Dynamics in action
UMU helped a major metropolitan transport organization to develop strategies for the future management of its diverse engineering asset portfolio. Many of the organization’s key assets have a life expectancy stretching above 30 years; the industry itself will undergo massive change over this period. Critical strategic decisions must be made in the short term that will have ramifications for commuters lasting decades. Because these assets are highly interconnected, an approach closely based on the Risk Dynamics framework afforded the management team a clear view of their interlocking networks of risks, opportunities and assumptions. This rich picture of the complexity characterizing the underlying system revealed intervention points and opportunities for optimization that would not have been visible with a non-networked approach. Preserving and understanding the level of uncertainty surrounding the future of this system helped catalyze robust and agile thinking equal to the challenge.

In summary
Strategic decisions and the future with which they interact are a shifting and networked system composed of risks and opportunities, forces and levers. The oversimplification underlying conventional registers reduces the organization’s capacity to interact with and manage what is in fact a system, not a list. Risk Dynamics supports and integrates the application of techniques from systems thinking and complexity science into standard strategic risk practices (ie risk registers).

For more information, resources – and to contribute your experience and insights to the Risk Dynamics open framework – visit http://umu.co.uk .riskdynamics.


2 Corporate Risk Concerns


2.1 Political risk

James Smither, Control Risks

Rising oil and commodity prices have created a dual phenomenon that has seen political risk return to the top of the business risk agenda. Multinational companies are increasingly travelling to new locations to exploit previously marginal deposits, and nationalistic governments are seeking to extract the maximum benefit from this growing desire to tap into their natural resources. The need to operate successfully and with integrity outside a familiar and predictable comfort zone is itself an argument for comprehensive risk management. When such operations are in locations overseen by unpredictable administrations, set against a backdrop of continuing global geopolitical uncertainty, the need to marry a capability to understand and anticipate developments in the political context of an investment with more traditional areas of business planning such as operational, financial and market risk management is especially prominent.

However, companies often make at least one of five classic mistakes in dealing effectively with the political risks to their project:

• Political risk is not recognized as unique.
• Business planners fixate on certain types of risk.
• Risk managers fixate on certain mitigation tools.
• Risk management initiatives are fragmented.
• Political risk management is misaligned with business planning process.

This chapter explores the reasons why political risk is often mismanaged in these ways, and suggests a template for overcoming these pitfalls and arriving at a more effective solution.

Political risk is not recognized as unique

Political risk analysis is more than simply the study of politicians and policies in a given jurisdiction. Political risks are essentially all those risks that arise from the behaviour of actors attempting to maintain, attain or undermine governmental authority, or from weaknesses in governmental institutions. Hence rebel groups, movements of generalized community unrest, and even a company’s local and international competitors can represent sources of political risk. A classic example of this complexity is sub-Saharan Africa, where the arrival of state-backed Chinese extractive companies – backed by government-to-government ‘soft loans’ and often with dramatically different internal corporate governance and integrity standards – has significantly changed the rules of engagement for more established Western operators.

Figure 2.1.1 Political risks co-exist with a number of inter-related internal and external risks (quadrants: strategic risks, operational risks, financial risks, hazard risks; externally driven and internally driven). © Control Risks 2007

A key understanding of political risk is that it is unique and generally defies attempts to quantify it or subject it to scientific analysis. Most other risks to a business or specific project arise from within the accepted value system and from mistakes made in routine tasks (such as design, maintenance or audit). Political risks stem from intelligent actors who make a rational calculation about a company and its vulnerabilities. It can be hard to assess those calculations, or to know what to expect, especially because they often come from beyond the accepted value systems and ‘rules of the game’.

Accordingly, the mitigation focus is also different. Instead of simple attention to detail and reliance on testing and quality control procedures, political risk management requires understanding of value systems unlike your own in order to know how to influence behaviour. Risk management can be relationship- and negotiation-based on the one hand, and protection-based on the other. There is, for example, a dramatic difference between building a fence around a high-impact extractives project and engaging proactively with its surrounding community through the construction of consultation-based development and environmental protection projects.

Finally, companies need to realize that they are themselves players in the political risk sphere rather than simply passive recipients of the risks prevalent in a market. An investment’s own behaviour – the things that the company does or does not do, is seen to do or is seen not to do – can dramatically affect its political risk profile.

Business planners fixate on certain types of risk

In addition to misunderstanding the unique nature of political risk, there is often an understandable tendency on the part of company management to fixate on its more ‘headline-grabbing’ areas. Wars, nationalizations, coups d’état and terrorist attacks clearly all continue to occur around the world, but these types of risk are statistically highly unlikely to affect the vast majority of business projects. An over-emphasis on the spectacular can lead to a sense of false threat perception, and consequent weak decision making. In a similar vein, a parallel under-emphasis on other less prominent or less dramatic types of political risk represents a lost opportunity to improve the chances of project success. Experience highlights the greater likelihood of companies facing losses or even collapse because of less glamorous risks such as radical activism, insuperable bureaucratic delays, an unforeseen corruption scandal or a subtly enforced degradation in their terms of trade. This underlines the importance of prioritizing the identification and, where they are a credible prospect, the mitigation of such risks.

A similar flaw in political risk management in this respect can be an over-reliance on received opinion when assessing political risks to a project. This could include placing too much weight on the reassurances of a project’s champion within the company or those of the host government that is seeking to attract the investing company – both clearly subject to bias – or on the ‘herding mentality’ that an opportunity must be acceptably safe because so many competitors are already pursuing it. These can be categorized as ‘I’ve been there and it’s fine’, ‘so-and-so told me it was fine’ and ‘everyone else is doing it so it must be fine’. A number of investors are likely to have ignored clear warning signs of suffering ahead during both the Argentine and Asian financial crises of recent years for precisely this sort of reason.

‘Expect the unexpected’ is a central watchword of effective political risk management. Few pundits or members of the global political and business elite would have accurately forecast the timing of paradigm shifts such as the 1979 Islamic Revolution in Iran or the 1989 fall of the Berlin Wall. However, those that at least allowed for the possibility would have enjoyed demonstrable advantages over their contemporaries.

Risk managers fixate on certain mitigation tools

In addition to focusing on the wrong types of risks to begin with, companies also sometimes place their risk-mitigation eggs in the wrong baskets. The area of political-risk insurance can be particularly vulnerable to such ‘panacea’ thinking. Typically covering the more ‘traditional’ and cataclysmic political risks described above, a political-risk insurance policy can serve to assure lenders or shareholders and will of course transfer some aspects of state-level political risks. However, such insurance alone does not usually provide cover against the majority of the less straightforward sub-state and increasingly common political risks already described. It can also be extremely expensive and may not even be required at all. Furthermore, while financial compensation after a risk has materialized is obviously provided for through such a policy – and with it some mitigation of impact – an insurance policy alone will not reduce the likelihood of a risk being manifested, and any number of undesirable consequences such as death, injury and subsequent litigation by affected parties on the grounds of duty of care.

As alluded to already, an over-reliance on implementing pure physical security measures at the expense of addressing some of the root causes of the security threats to a project can be similarly short-sighted: again, mitigating the impact of a risk occurring is being prioritized over reducing the likelihood of it materializing in the first place. Placing the emphasis on joint-venture partners, ‘prominent victims’ or hand-picked ‘influence peddlers’ when constructing a multi-party project consortium is similarly partial and, of course, highly vulnerable to a location’s changing political wind.

The end result of failing to select appropriate and comprehensive political risk management strategies – in common with failing to understand the uniqueness of political risk and in fixating on the wrong risks to a project – can be that certain types of potentially devastating risks to a project or asset are not treated as thoroughly as possible or are even missed entirely.

Risk management initiatives are fragmented

A major reason why such sins of omission can occur is that responsibility for the management of risk within an organization is often fragmented or unclear. In many companies, executive management is likely to be responsible for high-level bargaining and partnering arrangements, an audit team handles integrity and compliance issues, while a separate finance department is responsible for purchasing insurance policies. Meanwhile, the department for operational health, safety and the environment (OHSE) and/or human relations may take responsibility for ‘duty of care’ issues such as pre-deployment preparations and in-country staff health and well-being. Another team completely – public relations – may be entrusted with the area of lobbying and press relations, including communications in the event of a crisis. Security, supply chain management and the establishment of local relationships are often left to separate elements within local operational units.

Such fragmentation of responsibility can prevent a collective discussion of, and hence a shared awareness of and co-ordinated approach to managing, the risks to both a single project and a company as a whole. A company can therefore lack a single entity with a total view of its project risk exposure(s) and an appropriate suite of risk mitigators, and so miss the opportunity for co-ordination to ensure synergies and maximum risk management effect. Perhaps most importantly of all, this means the ultimate absence of a single point of responsibility and authority – even if it is only a ‘virtual team’ with appropriate representatives drawn from the various business areas – where the buck can be said to stop.

Political risk management is misaligned with business planning process

A final pitfall, which can be either a cause or an effect of the previous four, is the misalignment of political risk management for a project with the planning and execution of that project. In many cases, a decision to ‘go’ on an investment opportunity and even the formalized partnering or joint-venture arrangements needed for market entry for that opportunity are completed before a process of political risk assessment is even launched. In the most extreme and costly cases – often in large infrastructure and utility concessions in emerging markets – a true appreciation of political risk is only gained when a political power shift occurs, a key influence-peddler suddenly falls from grace, and a contract is renegotiated or entire project expropriated. By which time, of course, it can be too late.

In best-practice political risk management, the identification of assets at stake and the company’s key criteria for success and failure for a venture should be being established even as the opportunity is first being identified. The specific political risks that the project might face should be factored into the business case together with their potential significance for its anticipated cash-flow projections, just as an assessment of the extent and cost of mitigation capabilities required to manage those risks should be factored into the structuring of project costs during the planning and tender process. Accordingly, a full range of options for managing those risks should have been identified and evaluated, leading to the development of a risk-mitigation roadmap in time for a go/no-go decision on the project and its eventual launch. Finally, best practice political risk management acknowledges the reality that political risks are never static. This underlines the need for constant reassessment and adjustments to the initial risk-management roadmap, in concert with the standard performance monitoring of the investment carried out by the company.

Towards best practice political risk management

Political risk, then, is a complex area that requires sophisticated understanding and a comprehensive approach. In other words, political risk management needs to be an integrated process. It should serve as a critical factor in shaping and reviewing strategy and be integral to the planning process for new business initiatives and projects. It should benefit from, and in turn enhance, co-ordination and shared awareness between the relevant functions and departments of a business.

Companies are advised to employ a number of relatively straightforward strategies to avoid the most common pitfalls that result in mismanaging the political risks to their projects and global footprint:

• Understand the unique and challenging nature of political risk and the central role of human agency within it. A solution can be to develop a virtual ‘competency centre’ to learn about political risk and raise awareness of it in various business units.
• Look beyond the obvious when it comes to identifying political risks that may hamper or even kill a project. Companies should always use a structured decision framework to stretch discussions and avoid group-think when planning their risk mitigation. The use of ‘devil’s advocates’ to corroborate or challenge management thinking is critical.
• Plan for the unexpected when identifying a viable and cost-effective risk management strategy. The use of multiple political risk scenarios over an investment’s anticipated lifespan – against which current assumptions and mitigation strategies can be tested and then modified to allow for differing eventualities – can be an invaluable tool in this respect, especially for long-term engagements such as the construction of a mine or roll-out of a complex infrastructure project.
• Consider creating for each new project a multi-functional political risk ‘task force’, or at the very least make political risk a distinct issue of concern among the wider risk management team to avoid a fragmented approach to risk mitigation. Visibility, clearly assigned responsibility and executive buy-in are all critical to the success prospects both of this team and of the strategy that it is tasked with implementing.
• Build political risk assessment firmly into the project cycle and ‘doctrine’ for new business initiatives. This will institutionalize a due and thorough consideration of the risks when it is still possible to act on findings, and help to avoid happening upon political risk when it is already too late.

Political risk management must always be objective, and separated from the biases and motivations of parties with a stake in the success of a venture. Companies should always employ an array of primary and independent secondary sources in conducting research into political risk. Cross-checks and the use of devil’s advocacy are crucial in helping to derive a clear perspective.

Lastly, political risk management is best viewed as a dynamic rather than a static process: as part of project planning and execution, not a one-off exercise to satisfy a checklist. In essence, it is a constant process of regular review of the company’s exposures, its risk tolerance and the risk landscape within which it operates, with regular adjustment of a portfolio of mitigation options to meet changes in all three areas, with critical external reviews of the effectiveness of mitigation approaches also highly recommended.

Conclusions

Despite the recent resurgence of political risks in crucial extractives markets in Latin America, Africa and the Middle East, business too often sees the management of these risks as a box-ticking exercise to satisfy external stakeholders. A significant result of this attitude is that a company is left with no integrated perspective on the universe of risk, with consequent gaps in its overall as well as project-specific risk management coverage (and also redundancies – often expensive ones – within its various business functions). This leads to promising opportunities being shunned, needless risks being assumed and wasted resources spent attempting to manage them. Companies that recognize the unique aspects of political risk, and deal with it in an integrated, planned way, generally perform best in areas or in operations that entail high exposure to a sensitive political environment.

2.2 Reputation and emerging communications technology

Paul Miller, Cision

On 17 May 2007, just after midday the value of Apple Inc on Wall Street fell by US$4 billion. Within 15 minutes, the stock had made an almost full recovery. The source of the market’s fleeting alarm? An erroneous report of delays in Apple’s product pipeline, including a three-month lag in the arrival of the hugely-anticipated iPhone, on influential tech blog Engadget.¹ While the story wasn’t actually true, for a few minutes on Wall Street it had all the consequences of truth.

Not so long ago, such a real and immediate threat to reputation was the stuff of nightmares. Thanks to recent technological advances and, I would suggest, attendant psycho-sociological developments, it is now everyone’s reality.

Economist-polemicist Nassim Nicholas Taleb thinks risk managers have a problem with a reality. His most recent book, The Black Swan, attempts to expose the shortcomings of contemporary forward planning models with a single, straightforward argument: business plans rely on Gaussian probability distribution to predict the future, and this notorious bell curve is, like any mathematical model, a poor substitute for reality. In particular, says Taleb, the Gaussian model cannot cater for extreme, one-off events – a Wall Street Crash or an 11 September.² Such ‘Black Swan’ events overshadow commonplace, Gaussian behaviour to such an extent as to make the latter a near-negligible factor in shaping future events.

The phenomenon known as Web 2.0 – a perceived technology that supports blogs and related internet self-publishing platforms and services – could be considered one of Taleb’s Black Swans. That few foresaw the emergence of self-publishing tools is written in the very core of internet architecture. The asymmetry of the web – download speeds almost everywhere faster than upload speeds – stems from its originators’ failure to anticipate its emergence as a channel of self-expression. Yet why should they have done? Who knew quite how many were willing to share pieces of themselves online, and how many more would lap it up as consumers? It is not so much the technical aspects of Web 2.0 that defeated the media planners, but the mindset of its mainly young constituency.

Consider the following definition of Web 2.0, from the British actor, broadcaster and author, Stephen Fry. ‘Web 2.0,’ he says, is: an idea in people’s heads rather than a reality. It’s actually an idea that the reciprocity between the user and the provider is what’s emphasized. In other words, genuine interactivity if you like, simply because people can upload as well as download.³

I think Fry really captures Web 2.0 in identifying it as a state of mind. For those who enter into it, the reciprocity he describes means that ‘user’ and ‘provider’ constantly swap places. This development creates a new set of communications risks, as well as asking big questions of old assumptions. Regardless of an organization’s Web 2.0 strategy (or lack of it), the odds are that at least some stakeholders are already of this state of mind.

There are immediate risks to reputation as well as longer-term strategic risks. The essay that follows focuses on reputational issues, but the lessons – how a Web 2.0 state of mind is changing the communications mix – are essential in building for the long term also.

Inside the attention economy

The reputation of an organization has always depended on the channels through which its values, performance and overall business health are communicated. Web 2.0 doesn’t change that. But it does mean that reputation is no longer built solely on a framework of established communications hierarchies that is more or less fixed and readily understood. It is now also strewn across a vast and expanding universe of digital media channels. Furthermore, the influence of the legacy channels fluctuates with the varying popularity – and indeed, with the unabated emergence – of the new.

No doubt the big man (traditionally the ‘provider’) starts out with a greater claim to the audience’s attention than the little man (formerly the ‘user’). Yet when users gather around a particular issue, the size of the crowd – and the status of its individual participants – can make it attention-grabbing indeed. In addition, attention-grabbing material can help the little man to grow quickly.

Tech evangelists, perhaps wary of the devastation their subject might have in store for traditional media, often claim that new channels simply add to the communications mix. The implication that they take nothing away is misleading. Media consumption should be considered as an attention economy of the kind defined by Herbert Simon in 1971:

In an information-rich world, the wealth of information means a dearth of something else: a scarcity of whatever it is that information consumes. What information consumes is rather obvious: it consumes the attention of its recipients. Hence a wealth of information creates a poverty of attention and a need to allocate that attention efficiently among the overabundance of information sources that might consume it.⁴

With so many channels now competing for attention, some will inevitably lose out, though not necessarily in toto. The research bears this out: while few studies show online media accounting for a dominant portion of the public’s media consumption (even for those in the ‘digital native’ demographics), almost all have traditional formats accounting for smaller audiences, for less time, with print leading the move away from centre stage.

This trend is accelerated by an increasingly rapid proliferation of online options. At the end of 2006, Facebook was a social network open only to US college kids; in August 2007, it received 6½ million visits from people in the UK. There are virtual worlds, microformats, social news aggregators, and all of them mashed-up and recombined.

One final self-evident complication: these services are global, supported by the world wide web. While reputations were seldom entirely localized according to the proclivities of local media, Web 2.0 has, as it has in so many other ways, catalysed what was already occurring – in this case, the globalization of communications.

The long tail of digital content

Chris Anderson is the editor of Wired magazine, a techno-utopian monthly owned by Condé Nast. In 2006, he published a book, The Long Tail, which sketches its author’s vision for digital economies.⁵ The ‘long tail’ in question is an extension of the graph shown in Figure 2.2.1, which represents the power law y = 1/x. A surprising amount of human activity conforms to this power law. Sales types, for example, have looked to it for validation of the 80/20 rule. In real-world stores, what is stocked depends on value and inventory costs; the rule holds as the shopkeeper balances the two to yield favourable margin. With digital merchandizing, inventory costs are near zero, such that, Anderson argues, a long tail of small sales – imagine the graph with the x-axis drifting through the book for several more pages – is sustainable through e-commerce.

Although Google’s business model proves that Anderson’s tail can be flexed commercially, it is by no means a universal model for digital economics. Nonetheless, it is extremely helpful in thinking about the digital-age attention economy.

Figure 2.2.1 Power law graph (power law y = 1/x)

Mainstream content providers, whether on or offline, can be considered destination channels: a known brand reached for in the newsagents, a URL bookmarked in the browser. These outlets receive the most cumulative attention. The audiences of these big-hitting sites themselves consist of long tails: habitual users in the big head, drive-by search traffic at the other end (see Figure 2.2.2). Many habituals spend lots of time there, while numerous drive-bys quickly conclude they’re in the wrong place and check out. It all adds up to a big head of attention, a BBC or a New York Times.

As we move down the tail from the big head, sites are subject to less cumulative attention. Such sites also tend to be more focused, serving niche interests better than do more general content providers. Therefore, the site’s value to an organization can be more or less than the cumulative attention might suggest, depending on whether or not the niche chimes with the activities of the organization.

By the time we reach the extremes of the long tail, we find blogs and social network pages disliked even by their creators. Somewhere in between is the reputation frontline known as the ‘magic middle’.⁶ It is populated with sites visible to a significant audience of (probably connected) stakeholders rather than a handful of (largely unconnected) consumers.

What is the acceptable visibility for content with potential to affect reputation? How much of the tail must be watched? And where on the tail are the key sites for engagement? Which sites are the ‘gatekeepers’ that grant content exposure at a critical level? Obviously the answers to such questions vary from case to case, but in order to assess the risks (and opportunities) of any situation, we must be able to measure them.

Figure 2.2.2 The long tail of digital attention (attention plotted against channel: big head, magic middle, long tail)

Mapping the landscape

The broadest hedge against risk involves extensive monitoring, but even Google’s legion of tireless searchbots struggles to keep up with the entirety of the internet and its ever-lengthening tail. Therefore, any monitoring must be accompanied – and filtered – by understanding. From a straightforward resource point of view, more time needs to be spent with some parts of the distribution – whether in the big head, the magic middle or even the long tail – than in others. A map of the landscape, built on meaningful metrics, informs this strategy.

There is no shortage of metrics for measuring online activity.⁷ Certainly one can achieve a good understanding of the popularity of destination sites through analysis of traffic, for which unique users provide the most reliable indicator, in combination with an analysis of the number and nature of ‘user’ interactions with a page (comments on a blog post, for example). Engagement metrics such as average-time-spent-per-user are widely available for online channels. This data is subject to the same problems as any based on a panel of consumers, but even so, commonly available metrics can contribute to a detailed and strategically valuable analysis.

Search engine optimization and measuring search

Communicators have long sought prominence in search engine results for their own material, and a search engine optimization (SEO) industry has grown up to support that goal. Strangely, professional communicators have been slow to grasp the metrics of SEO activity, which largely entails dressing up content in accordance with known search behaviour and attempting, legitimately or occasionally otherwise, to harvest links for the page or pages in question. While all of the factors listed above for measuring destination sites play a role in search performance, the most important search metrics are those quantitative and qualitative measures of the content and the pages linking to it. Ranking according to link data allows sites to be prioritized according to their likely search visibility. Online risk is managed by developing relationships with sites to extents that reflect their relevance and search visibility, although for most sites the relationship should amount to little more than voyeurism.

Social upheaval

Destination sites, search engines… as important as the above discussion is, it also seems a bit Web 1.0. Because while the internet has since its inception made the relationship between content providers and consumers less and less clear, recent developments have all but destroyed any comforting semblance of linearity. The rise of social networks has not only increasingly confused this relationship, but it has done so in such a way as to make relationships themselves the key to finding content in the first place.

To the extent that hosted services provide their own metrics, the social sphere is measurable. The number of views for a YouTube video, for example, seems to me as good an estimate of audience as those provided by micro-sized television panels. But on looking across different platforms, the metrics threaten to get out of control. Is a Facebook friend worth more or less than a MySpace friend? Is a friend known through a group more important than one with whom an application is shared? Is a vote for a story on Digg worth more or less than a vote for the same story on a Digg clone catering to a specific niche? The answer in each case depends almost entirely on the proposition in question. But for any proposition, the main challenge comes in first making these metrics comparable, not only with those for other online spaces, but also with those for other media.

We the gatekeepers

In the context of the day-to-day activities of an organization, on or offline, the flow of information through media channels is fairly consistent. Channels occupying separate media do not operate in isolation. Information flows between different forms of media as easily as it flows between channels. When messages flow between media, some of the greatest amplifications, dilutions and corruptions in the content of those messages can be expected.

For the most part, the chattering long tail is following an agenda set by the mainstream media. But occasionally a story from the tail is so strong, or so well told, that it becomes a mainstream issue. On the way to the mainstream, it will invariably pass through (or the original channel will become) a gatekeeper site (Figure 2.2.3).

Figure 2.2.3 Media information cycle (elements: MSM, ‘gatekeepers’, ‘chatter’)

Who are these gatekeepers? Frequently they are readily identifiable, be they blogs, chatrooms or niche news sites. These sites will have performed strongly in search performance. They will be known to and read by mainstream media sources as well as their peers. Even so, regularly monitoring and measuring this space is crucial to managing online reputation because, thanks to Web 2.0, new sites can become influential and established ones decline in influence far more rapidly than has traditionally been the case.

Perhaps the starkest example of this ‘media content cycle’ can be found in the response to the tragic shootings in April 2007 at Virginia Polytechnic Institute and State University, more infamously known as Virginia Tech. Rather than visiting the scene, some journalists indulged in ‘digital doorstepping’, gathering information from social networks. These personal spaces became gatekeepers for the Virginia Tech story. The shortcomings of this approach became evident when several offline mainstream media sources incorrectly identified the student responsible for the massacre on the basis of views expressed on the profile pages of some Virginia Tech students.

This is an extreme case that illustrates two significant and related trends in information distribution. The first relates to the increasingly questionable divide between public and personal information, the second the resource problems affecting the mainstream media. The second is to some extent a corollary of the first: former content monopolies are losing advertising revenues to search advertising, which is built on the public (or at least, non-private) exchange of personal information, social or otherwise.

Stephen Fry. but it still rushed to get the scoop on its bad Apple story. . they are the others. Looking at the distribution of media attention. where the newsdesk used to be the key point of interaction between professional communicators and news organizations. 4. are springing around personal lines of information exchange. he is a trader. Taleb. Anderson. effectively a mainstream online source. The Johns Hopkins Press. Retrieved from VideoJug on 26 July 2007. Baltimore. But where the mainstream has (or at least had) the resources to consistently validate its content. measuring the impact of a range of established and emerging channels in order to balance risk across them in both monitoring and outreach becomes a critical task. H A (1971). and increasingly capable of setting wider media agendas. Media consumption seems likely to continue shifting in favour of more personalized niche offerings. and the Public Interest. seem a potent breeding ground for reputational risk. Communication. Indeed. at the head. what will emerge to fill the void? At present it seems that niches. Hyperion. We have said that the long. There is an obvious vicious circle here: more advertising money into the tail means less resource. more efficient methods of distributing content. ed Martin Greenberger. Nobody would claim that traditional media have an unblemished record where providing trustworthy content was concerned. Web 2. 2. and has made his fortune betting against the future strategies of others. but the kinds of networks now accounting for more and more attention. If the mainstream is diminished. in Computers. At the same time. Engadget is a large operation with numerous staff. MD. Unfortunately for the risk managers. In such circumstances. Notes 1.0 (Video interview (Adobe Flash)). the jury is still out on the alleged wisdom of crowds. and less quality content. 5. not just for communications professionals. 
a number of major traditional media newsrooms have been redesigned to accentuate online influence. and so on. N N (2007) The Black Swan. The story was said to accurately reflect the content of an internal e-mail sent to Apple staff and later retracted. the internet has provided myriad other would-be attention magnets – and more importantly. it is obvious that even the least popular MySpace page accounts for some attention once given to a more traditional source. C (2006) The Long Tail: Why the Future of Business is Selling Less of More. Designing organizations for an information-rich world. Fortunately for Taleb. chattering tail feeds off a canon served up by the mainstream media. but for the business as a whole.REPUTATION AND COMMUNICATIONS TECHNOLOGY 79 • The future of news In the past 18 months. the internet has in many ways superseded it as the most important way in. of various levels of expertise. 3. Penguin Allen Lane. Simon. which in turn drives readers – and advertisers – down the tail.

6. A term coined by Dave Sifry, then CEO of blog search engine Technorati.
7. Indeed, the US online measurement firm ComScore recently suggested that a surfeit of internet metrics was creating paralysis among reputation managers.

2.3 Corporate reputation

Gillian Lees, Chartered Institute of Management Accountants (CIMA)

Introduction

It goes without saying that a good reputation really matters. It can mean that customers choose your product or service in preference to a competitor’s and thus make the difference between success and failure. However, managing reputation may be easier said than done. For example:

• A well-deserved reputation that has been diligently developed over many years can be seriously damaged in a day by circumstances that could be regarded as insignificant when set against the bigger picture. The case of Northern Rock shows starkly how a reputation can be damaged in a matter of days, to the extent that, at the time of writing, its long-term survival is in doubt.
• A good reputation can, perversely, be built on notoriety.
• Although an organization’s reputation can be harmed by adversity, it may emerge from the episode with its reputation enhanced – simply due to the way that it handles the situation. On the other hand, an organization can waste opportunities for building reputation through poor management of a crisis.

But despite the difficulties, organizations of all sizes and sectors need to be aware of the importance of reputation and the attendant risks. A good reputation can:

• help the organization to optimize shareholder value (or an equivalent) by enabling it to attract customers and high-quality employees;
• enhance the organization in good times and protect it during the bad ones.

It can be argued that the reputation that Marks and Spencer had built up over many years was a significant factor behind its ability to come through its recent difficulties.

The threat of the loss of reputation represents a major risk for an organization. What this means is that organizations need to mitigate against the loss of reputation, but they also need to be looking for the upside opportunities to enhance their reputations.

This chapter explores reputation in terms of 10 different aspects such as quality and ownership. It then moves on to look at reputation risk in more detail, in particular:

• causes;
• identification of reputation risk;
• measurement models;
• management;
• reporting.

It concludes by looking at some future possible trends in the field.

The chapter is based on a recent CIMA executive report, Corporate Reputation: Perspectives of Measuring and Managing a Principal Risk, authored by Dr Arlo Brady and Garry Honey, two leading experts on corporate reputation. Their approach was to interview a number of key industry players to obtain insights from a range of perspectives in order to stimulate discussion and debate. The intention was that this would make a meaningful contribution towards the development of good practice principles in terms of reputation risk management.

Reputation

Reputation matters because it has a bearing on value. It may not be identified on the balance sheet but it can affect investor confidence, employee recruitment, supplier attitudes and many other stakeholders. Reputation is a major risk issue for all organizations and needs to be considered alongside all the other major risks such as operational, strategic and financial risks.

But what is reputation? It is useful to consider it in terms of 10 different aspects:

• Perceptions of control: while an organization can create and control a brand, reputation is something that is attributed to it by others. Thus, while the organization has the responsibility to protect and manage its reputation, it only has indirect control over it. Nevertheless, the organization does have control over its own behaviour and, through this, can influence the perceptions of its major stakeholders.
• Quality: reputation is a fluid concept. A good one can be earned through hard work, but can be lost quickly through bad luck or incompetence. It can also take a long time to shrug off a poor reputation.

Trust: reputation dictates how people behave and in whom they place their trust. Reputation as an asset: while reputation cannot be classed as an asset for balance sheet purposes. Reputation in itself does not constitute a risk. a good reputation can be seen as an asset to the organization. An organization may have long enjoyed a good reputation for quality. It is for this reason that stakeholder mapping can be a useful tool in reputation risk management.CORPORATE REPUTATION 83 • • • • • • • • • Apart from the dynamics of reputation. The board has prime responsibility for the organization‟s reputation. . but the threat of the loss of reputation is a risk and should therefore be reported as such. So. an organization has more control over its brand in that it develops a brand in order to sell its product or service to customers. Most organizations lack sufficient knowledge of the key drivers of their reputation and are therefore unable to take appropriate action to identify or protect against this risk from devaluation. As we have already seen. A risk to reputation occurs where the organization fails to meet the expectations of a stakeholder group. The possibility of this value being reduced represents a business risk. it is best reported as part of a narrative report. it can be argued that reputation is ultimately a matter of trust. but if a competitor then raises the bar. for example. Organizations must therefore understand who their stakeholders are and their relative importance. Reputation vs brand: reputation is not the same as brand. Reporting on reputation: in view of the difficulty of calculating a financial value for reputation. but it is important to do so. The key to effective reputation risk management is therefore the management of expectations. The value of reputation : as we will see. a supermarket may be regarded differently by its suppliers than by its customers. 
Stakeholders: an organization can have many stakeholders and it is possible to have a good reputation with one group and a poor one with another. the nature of the threat and the way that the threat was handled. Ownership: it is difficult to assign responsibility for reputation. Damage: the extent of damage to reputation caused by an event will depend on how easily trust can be recovered. This will depend on the prior state of the reputation. Any incident that reduces trust among any single stakeholder group can damage reputation. this reputation will be eroded. Reputation risk Reputation has a value even if it cannot be expressed in financial terms. reputation is influenced by too many different factors to make it viable to ascribe a value to reputation. a reputation is created by all stakeholders on the basis of their experience and expectations of the organization. In contrast. The severity of this damage and its cost will depend on the influence of the stakeholder group and its impact on the organization. its quality also depends on the relative values of the sector or its stakeholders.

Causes of reputation risk

An analysis of reputation damage to corporations over recent years shows that reputation risk can be classified into three categories: cultural, managerial and external. This classification was tested in a survey with Strategic Risk magazine in 2006 and was found to be valid.

Cultural risk

Cultural risks can be difficult to identify as they are embedded within the culture of the organization and relate to workplace practices and policies. Some may be imposed by a third party while others are discretionary.

Legal risk, for instance, relates to regulatory rules and codes such as reporting regulations and company law; a good example is provided by the loss of reputation (and of its existence) suffered by accounting firm, Arthur Andersen, which fell foul of regulatory rules in relation to its audit of Enron.

Ethical risk relates to self-imposed standards, albeit reinforced by codes of conduct formulated by professional bodies and similar organizations. Ethical risk arises when there is some inconsistency between words and deeds. For example, Google suffered reputation damage in entering the Chinese market and accepting censorship.

Managerial risk

This includes executive risk, which relates to meeting performance targets and satisfying customers. Things can go wrong due to incompetence or even arrogance; for example, Coca-Cola tried to launch a bottled water in the UK called Dasani. This was found to be tap water and the disclosure led to a hasty and expensive recall.

Operational risk relates to performance expectations and how well a product works. Despite quality control, mistakes happen and products need to be recalled. The extent of the reputation damage will depend on how well this is handled. Examples of good practice in this regard are held to be the recall of Tylenol in the United States and Perrier in Europe.

External risk

These are risks to the organization from the outside. They can be quite close – in the form of a partner, supplier, agent or contractor – or distant in the form of a natural disaster on the other side of the world.

Association risk arises where a critical part of the organization’s product or service is delivered by a third party. In essence, the organization’s reputation is dependent on the standards of the supplier organization. For example, Mattel’s reputation has been damaged by the failure of its outsourced Chinese manufacturers to meet required production standards, so leading to a major product recall.

Environment risk can arise from the natural or commercial environment. New technology alters the marketplace or a new overseas competitor enters the organization’s market. Other risks can arise from disasters, whether natural or due to human error; for

example, the major Buncefield fire affected unrelated businesses in the vicinity of the plant.

Identification of reputation risk

CIMA’s study on reputation risk did not find any organization that claimed to identify reputation risk specifically. Instead, organizations claimed that this was adequately covered through existing operational and strategic risk reporting procedures. Reputation risk tends to be seen as an outcome from these other risks and is therefore not singled out for dedicated attention. The most significant finding of the CIMA study was that reputation risk is not specifically identified, despite the fact that most interviewees agreed that it represented a principal risk that should be reported in the Business Review to comply with the new Companies Act.

Reputation risk escapes scrutiny for four main basic reasons:

• The nature of reputation risk as a failure to meet stakeholder expectations means that it is a subjective perception of character that is determined by others. It is therefore intangible and not anchored financially.
• The probability of occurrence cannot be forecast as reputation is linked to human behaviour, which is notoriously difficult to factor into models.
• The cost of reputation damage depends on a wide range of factors, including competitor behaviour and market conditions. In addition, the final cost is only ever known after the loss of future business has been considered. The reputation damage cost can only ever be really known 5–10 years after an event or even longer.
• The lack of ownership means that responsibility for vigilance is unclear.

What all this means is that it is virtually impossible to calculate the cost of reputation damage in a meaningful way.

Measurement of reputation risk

There are several methods available for measuring reputation risk. The two basic types are:

• a ranking model used by some analysts who use published information to compare reputations;
• a bespoke approach that uses internal client information as an aid for reputation owners.

The ranking model has the advantage of providing a comparative score, but the disadvantage that this fails to be stakeholder or issue-specific. On the other hand, the bespoke model can be used as a management tool, but it cannot provide a comparison between different reputations.

Management of reputation risk

There are typically four responses to managing risk:

• retention;
• avoidance;
• reduction;
• transfer.

The fourth option, to transfer risks, is not possible in the case of reputation risk in that it cannot be insured or handed over to another organization.

Strictly speaking, reputation itself cannot be managed. Because it is determined by stakeholders, the reputation owner can only influence their expectations as an act of risk management. Therefore reputation risk management is actually expectation management through stakeholder engagement.

Organizations manage reputation risk in different ways. There appear to be four different levels of commitment to this, as shown in Table 2.3.1.

Reporting of reputation risk

Reputation risk is best expressed through narrative reporting. As we have seen, it is difficult to ascribe a monetary value to reputation risk, so any expression in financial terms is likely to be unreliable.

The Business Review in the new Companies Act places more emphasis on narrative reporting with a requirement for a ‘description of principal risks and uncertainties facing the company’ and a ‘balanced and comprehensive analysis’ of the business. There is no doubt that reputation risk forms an integral and important part of this risk report for many companies.

Narrative reporting is a developing area and there is considerable scope for improving the reporting of risk and value. A major initiative in this field is the Report Leadership group, which has demonstrated practical and effective ways to improve narrative reporting, including risk reporting.

Future trends

There is no doubt that organizations will need to continue to pay close attention to their reputation and the management of the attendant risks. The following are some of the key issues that are likely to impact on the reputation debate.

First, there is the issue of determining business partners in whom an organization can place its trust without risking its reputation to an unacceptable extent. In an increasingly globalized, complex world, this becomes more of a challenge as evidenced by the recent experience of Mattel and its recall of products manufactured by its Chinese partners.

Table 2.3.1 Management of reputation risk

Commitment level | Sophistication level | Management process in place to handle risk to corporate reputation
Controlled | • Managed by chief risk officer (CRO) • Executive interest | Reviewed regularly by the chief financial officer (CFO) as a strategic risk and discussed at board level. Supported by independent tracking of diverse stakeholder group attitudes. Sophisticated and sensitive.
Managed | • Managed by risk manager (RM) • Operational interest | Reviewed as part of a corporate risk register but not measured or monitored by the corporate strategy committee. Compliant with Turnbull guidelines in risk identification but little control over reputation risks.
Supervised | • Managed on a severity-of-risk basis | Managed on an ad hoc basis by senior management responsively alongside all other operational and strategic risks. Tends to be crisis-response only, reactive not proactive: fire fighting approach.
Unmanaged | • Not managed at all | Reputation risk is not measured or managed in any way – it is not considered a risk worth measuring or trying to manage, other than by having an agency retained to handle any problems if/when they arise.

Second, organizations also need to bear in mind the use of electronic media for both communication and opinion forming. We have already seen how reputation is dependent on stakeholder perception and truth is often a victim of sensationalism. Blogging, for example, is opinion broadcasting without censorship or codes of conduct. Furthermore, the internet age of instant electronic information has provided another medium that organizations need to manage and monitor effectively. A good reputation can be hijacked by a malicious fraudster, and identity fraud is a major concern for financial institutions. What this means in practice is that organizations will need to devote a much higher level of proactivity than was ever required before in order to protect their reputations. HSBC, for example, has recently had to scrap its decision to abolish

interest-free overdrafts for students leaving university in the summer, on account of a successful campaign by students, using Facebook, an online social community.

Third, there is concrete evidence that organizations are indeed facing a more risky environment than was previously the case. As an example of this vulnerability, Adrian Slywotzky (2007) notes that the proportion of Standard & Poor’s (S&P) stocks that were rated A (high quality, low risk) fell from over 30 per cent in 1980 to 14 per cent in the mid-2000s. During the same period, C-rated stocks (low quality, high risk) increased from 12 per cent of the total to 30 per cent. Clearly, risk management requires more dedicated effort and attention than ever before; this, in turn, means that reputation itself faces more threats.

Finally, organizations are under increasing pressure to understand and report on their key value drivers; reputation is a highly influential driver of value and it will be a major challenge to develop common measures and ways of expressing the nonfinancial value of reputation and the related risks. But as a good starting point, the significance of reputation is such that it should receive dedicated and specific attention by an organization’s board and management despite the challenges associated with identifying and measuring the risks related to it. It is only by shining a spotlight on the subject and assigning responsibility for it within the organization that progress towards commonly agreed principles is likely to be made.

Further reading

Brady A and Honey G (2007) Corporate Reputation: Perspectives of Measuring and Managing a Principal Risk, CIMA, free download from www.cimaglobal.com/corporatereputation
Report Leadership: Tomorrow’s Reporting Today, see www.reportleadership.com or www.cimaglobal.com/reportleadership
Slywotzky A (2007), The Upside: How to Turn Your Greatest Threat into Your Biggest Growth Opportunity, Capstone Publishing
Strategic Risk magazine, see www.strategicrisk.co.uk

2.4 Contract risk

Robert Chapman and Dominic Healey, Siemens Insight Consulting

Introduction

The most important lesson of the last few years is that board members can no longer claim to be ignorant of business risk. When the absence of adequate risk management leads to something going wrong, as it invariably does, the board will be held accountable. In addition, if the event is sufficiently high profile, the media is likely to ensure that the news reaches a wide audience. There is no longer any hiding place. The board is not immune. Positions will be vulnerable and shareholders will want to hold individuals to account in the aftermath of adverse events. Poor risk management has led to the loss of executive jobs, reduction in share value, damage to reputation and loss of projected earnings. Good risk management can capitalize on opportunities and secure business objectives.

The board needs to focus on those areas of risk that can have the greatest impact to their business. An area of risk management that receives insufficient attention is contract risk. In this chapter, contract risks from a buyer and a supplier perspective are examined, together with examples of good and poor risk management.

Board accountability

There is now a proliferation of standards, guides and books contributing to a wealth of knowledge on the subject of risk management. While all large companies carry out risk management to some degree, effective risk management is not ubiquitous and would still appear to be elusive to some organizations. The application of robust, effective risk management, to support decision making, is still weak, even within some FTSE 100 companies. The message has not got through that the mismanagement of risk can carry an enormous price and that effective risk management is a key enabler for meeting objectives and as such improving the balance sheet. There still needs to be a transformation in the application of risk management from conformance to performance. However, various forces have converged to push risk management into the consciousness of management and boards. In particular, a key challenge for boards all around the world is to develop a new rigour in their processes.

Identifying the board’s appetite for risk management

One of the common questions to be asked when setting up a risk process is ‘What is the organization’s risk appetite?’ But this can be premature. The more pertinent question is ‘what is the board’s appetite for risk management?’ To some, talking about risk management is about as motivating as planning a trip to the dentist. When the subject is raised during the ‘lift speech’, eyes can glaze over and interest is lost. But risk management could not be further from root canal treatment. Risk management can be one of the more exciting aspects of business – growth – through looking at new opportunities and how they may be taken advantage of. Carried out appropriately it can be energizing and very rewarding. In addition, those organizations that are most effective and efficient in managing risks to both existing assets and future growth will, in the long run, outperform those that are less so. More importantly, a business that cannot manage risks effectively may simply disappear.

Identifying responsibility

While the board is not responsible for managing the business, it does have responsibility for overseeing management and holding it accountable. Board members need to enhance their understanding of risk management and in particular the risks associated with any form of business change. Steps must be taken to ensure that the objectivity and perspective sought by adding non-executive directors to the board, is not undermined by their lack of understanding of risk management, its tools or its techniques. The solution is for board members to learn of the potential for adverse events, be sufficiently aware of the sources of risk within the area of business they are operating in, and take pre-emptive action. Hence, the duty of the board

is not to undertake risk management on a day-to-day basis, but to make sure that frameworks are in place that support the utilization of risk management throughout the organization. The board should ensure that the information it receives about risk is accurate and reliable. Directors should maintain a healthy scepticism and require information from a cross-section of reliable sources, from the CEO, CFO and senior management to internal and external auditors. Board members should be prepared to ask tough questions and they should make sure they are able to understand the answers. In particular, they should be fully conversant with the risk ownership profile of contracts and how risk management dictates behaviours.

Risk management applications

Regardless of the size of an organization, risk management should be applied to at least the following activities, as banks, investors, shareholders and partners will increasingly expect to see evidence of a detailed risk assessment when reviewing business proposals of any substance:

• entering into a contract;
• carrying out a project;
• seeking additional finance;
• submitting a bid for a major new commission;
• developing strategic development plans (long-range planning);
• entering into a joint venture;
• looking to penetrate new markets;
• commissioning new premises or acquiring existing premises to refurbish;
• preparing business plans;
• evaluating opportunities;
• developing business resilience;
• acquiring a new company;
• choosing between options;
• delivering a major commission;
• installing a new IT system;
• expanding overseas;
• preparing for and implementing organizational change.

Contracts

Reflecting on the bullet list above, the one area of risk that all businesses face at some stage is entering into a new contract. A series of questions need to be asked if an organization is considering such action. Clearly the questions will differ depending on whether the organization is delivering or procuring a service or product.

The three main functions of contracts are to define:

• responsibilities (demarcation of work to be performed by the contractor and client if appropriate);
• the client’s objectives (to implant motives in the contractor that match those of the client);
• risk ownership (how the risks inherent in the activity will be allocated between the contracting parties).

The allocation of risks between the parties in a contract should be identified by the client prior to the tender process. How this is approached will depend on the form of the procurement route adopted. The client should include within the tender documents a risk register, which describes the identified risks and the proposed allocation of ownership. The tenderers should be asked to price the risks, identify their proposed response categories and response actions, and confirm the allocation of the risks between the contract parties within their tender. The review of the risk registers within the tender returns will form a significant component of the tender evaluation process.

There is a common misperception that the best way to manage risk is to transfer it and that such an action results in its removal. Transfer of risk to the wrong party can actually enlarge a risk. Client organizations, when deciding upon the allocation of risks, need to recognize that they will pay for those risks that are the responsibility of the contractor, as well as their own, for contractors will usually include contingencies within their tenders as a means of guaranteeing their return on investment in the event that risks allocated to them materialize. In addition, clients must recognize that the more risk that is transferred to the contractor, the higher the tender price will generally be (unless it is a very depressed market) or, more likely, that tenderers will withdraw. Hence, when considering the allocation of risk to another party, consideration should be given to the following factors:

• the ability of the party to manage the risk;
• the ability of the party to bear the risk if it materializes;
• the effect that risk allocation will have upon the motivation and behaviour of the recipient;
• the cost of the risk transfer;
• how risk transfer will affect all of the activity objectives.

Clients must recognize that different forms of procurement have different risk ownership profiles. The main reason why the Scottish Parliament Building project failed to meet its objectives (as cited in both the Auditor General’s report and the subsequent Holyrood report) was the choice of the procurement route. The selection of construction management was cited as the single factor to which most of the misfortunes that had befallen the project could be attributed.1 Surprise was expressed during the Holyrood enquiry about the selection of construction management when it was evident that the Scottish Office, (while working to publicly declared fixed budgets

and being highly ‘risk averse’), had chosen a procurement route that offered no fixed budget and had a high degree of attendant risk for the client. In his report Lord Fraser stated:

it verges on the embarrassing to conclude, as I do, that virtually none of the key questions about construction management were asked. Similarly none of the disadvantages of construction management appear to have been identified.

Delivering a service or product

When considering risk management of delivery, several questions should be answered by the tenderer. These questions need to be specific, relevant and engaging:

• How much could we lose if we cannot satisfy the terms of the contract once signed?
• Are we absolutely sure what we are required to deliver if we accept these contract terms?
• What are the critical resources for the delivery of this contract and, if after commencing the contract they were lost/no longer available, how would we recover and how long would it take?
• What would be the damage to our relationship with our client, our reputation and our standing in the market if we do not deliver this contract on time?
• What is our experience of delivering this type of product/service?
• Do we have adequate business continuity plans in place to cope with disruption to our premises?
• Are the production/delivery costs fully understood?
• What changes in the marketplace that are currently expected could impact on the contract?
• If critical members of staff for the contract, for whatever reason became unavailable, how would the organization respond?
• How would our share value be affected by adverse media if the contract resulted in litigation?
• Are there any critical project dependencies?
• Are there any aspects of the service or product that involve novel technology?

Case Study 1: Airbus (delivering a product)

Airbus, the European plane-maker, is an organization that has clearly failed to manage its production risks on its A380 ‘superjumbo’ and deliver against its contracts with airline carriers. The A380 has cost Airbus €12 billion ($14 billion, £8 billion) to develop.² It is designed to fly between the main international hubs, seating more than 800 passengers across two decks, and will be the world’s largest-ever airliner. In September 2006 it was reported that the first of the 159 ordered so far would be handed over to Singapore Airlines, 12 months behind schedule. Airbus has admitted that it will deliver only nine next year, instead of the promised 25, up to nine fewer than planned in 2008 and five fewer in 2009, resulting in a €2 billion (£1.35 billion) reduction in earnings over the next three years.

As a result of these delays, several executives have lost their positions. In June 2006 it was announced Airbus chief Gustav Humbert had resigned over the A380 delays. He said at the time:

the recently announced delay on the A380 production and delivery programme has been a major disappointment for our customers, our shareholders and our employees. As president and chief executive of Airbus, I must take responsibility for this setback and feel the right course of action is to offer my resignation to our shareholders.³

In September 2006 Charles Champion, the executive in charge of the flagship A380 programme, was dismissed.⁴ According to Airbus staff, it was reported, Champion paid the price for failing to inform the Airbus board promptly of the A380’s mounting technical difficulties, and for allowing severe production bottlenecks to continue unchecked for months rather than fixing them immediately.

So, in addition to the loss of earnings, Airbus will face further losses through compensation payments to airlines, due to deliveries being put back by a year. Chief Executive Geoff Dixon of Qantas (one of the contracted carriers) has said that Qantas would be seeking compensation from Airbus, under the terms of its contract. John Leahy, Chief Operating Officer for Customers, declared that it is standard practice to compensate contracted parties and said that ‘payments will be made for each day of delay in delivery’.⁵ Further compensation claims from other airlines are likely to follow.

The A380 production problems caused a publicly stated 26 per cent slump in the share price of the majority owner, the European aerospace and defence group EADS, when it became public knowledge.⁶ Airbus at the time was 80 per cent owned by EADS, and 20 per cent by the UK’s BAE Systems. However, BAE Systems has decided to sell its stake in Airbus. Mike Turner, chief executive of BAE Systems, said he had ‘no regrets’ about the sudden decision to sell off its 20 per cent stake in Airbus for £1.9
billion and insisted that major shareholders were right behind him.⁷ This was significantly lower than the anticipated sale figure of £3 billion mooted in April 2006.⁸ BAE Systems also predicted that the European plane maker would announce further delays to the delivery of the A380 and was likely to unveil a hefty cash call in future.

Procuring a service or product

When considering risks associated with procurement, several questions should be answered. Again these questions need to be specific, relevant and engaging. The following list, while not exhaustive, contains the key issues to be addressed:

• Has the contracting party appropriate experience?
• Is the contracting party financially stable?
• Has the organization sufficient resources?
• What contractual commitments does the contracting party already have?
• Is the contracting party currently in litigation with other clients?
• What is the delivery track record of the organization?
• How robust are their processes?
• What are their management capabilities?
• Which of the organization’s key representatives will be assigned to the contract?
• Is the organization able to deliver in the required timeframe?
• How will relationships be developed to engage the contracting party in delivery?
• How will risk management be addressed?

Case Study 2: Terminal Five (procurement of services)

The British Airports Authority (BAA), when embarking on the Terminal Five (T5) project at Heathrow Airport, gave considerable thought to the contracts they would engage in and the management of risk.⁹ The research they conducted into major construction projects prior to the commencement of T5 highlighted two key areas that seemed to undermine progress: cultural confusion and the reluctance to acknowledge risk.¹⁰ From a slide included in a presentation by Tony Douglas (Managing Director of T5), a clear lesson was that process, organization and behaviours, together with leadership, should be a key focus (Figure 2.4.1). A key component of all of these aspects of management was the mitigation of risk.

Lessons Learned
• Research from £1bn+ projects
• Process, organization, behaviours
  – Actively expose & manage risks
  – Actively promote & motivate success (opportunity)
  – Actively address behaviours & all key relationships
• Leadership
  – Change & uncertainty is the norm
  – Risk is the square of the size e.g. 10x size = 100x risks
  – A different outcome means doing something different
• No solution is a “dead-cert”
T5 The world’s most successful airport development

As a consequence of this research, BAA recognized that the risk associated with such a large infrastructure programme, coupled with the sheer complexity and scale of work involved, would require a fresh approach to the way the project should be managed if it was to be built on time and within budget. Risk management was seen as a key enabler for programme success. As a consequence BA took a unique contractual approach and prepared the T5 Agreement, a bespoke commercial partnering agreement between BAA and contractors and suppliers.¹¹ The T5 Agreement is the legally-binding contract between BAA and its key suppliers. Described by BAA as groundbreaking, it is considered to be unique in the construction industry. It is a contract based on relations and behaviours. Through the agreement BAA accepts that it carries all of the risk for the construction project. With this burden removed from contractors and suppliers, BAA believed it would encourage contractors to solve anticipated problems, integrate as teams and focus on proactively managing risk rather than avoiding litigation. The programme is currently reported to be on budget and programme. BAA bears out Apgar’s argument that those that succeed with new opportunities can better cope with risks and develop ‘risk intelligence’ as a competitive advantage.¹²

Conclusion

There is a need for businesses to move away from compliance to performance in the way risk management is applied to businesses. Boards need to become more informed about how risk management can improve bottom line performance. Among the business activities of business that most significantly either contribute to or erode performance are contracts. For any business, equal attention needs to be paid to contracts that are entered into to either supply or receive services. Risks within a contract need to be made explicit prior to the contract being signed so that each party is fully aware of the risks that it will own and the impact they will have, should they materialize. The degree of risk transfer between a client and a contractor will dictate the behaviour of the contractor, and risk transfer can prove to be a false economy.

Notes

1. The Holyrood enquiry, A Report by The Rt Hon Lord Fraser of Carmyllie QC, 15 September 2004, © Scottish Parliamentary Corporate Body.
2. BBC News (2005) Airbus confirms super-jumbo delay, Wednesday, 1 June.
3. BBC News (2006) EADS and Airbus bosses both quit, Sunday 2 July.
4. David Gow (2006) Airbus sacks third chief over A380 debacle, Guardian, Tuesday, 5 September.
5. BBC News (2005) Airbus confirms super-jumbo delay, Wednesday, 1 June.
6. BBC News (2005) Airbus pays price of A380 delays, Friday, 11 November.
7. Terry Macalister (2006) Airbus problems likely to continue, says BAE, Guardian, Thursday, 14 September.
8. BBC News (2006), BAE confirms possible Airbus sale, Friday, 7 April.
9. T5 represents a huge programme of construction works. It involves over 60 contractors, 16 major projects and 147 sub-projects on a 260 ha site. The estimated cost is £4.2 billion. The projects will boost Heathrow’s capacity by 30 million passengers a year. Many of the 60 aircraft stands are designed to handle the 550-seat Airbus A380s. The programme is being financed by BAA and BA will be the sole tenant, transferring its operations from other terminals and consolidating its business into one building.
10. BAA owns and operates seven UK airports, and provides over 1 million m² of commercial accommodation for more than 900 retail organizations at its airports. BAA plc has delisted from the London Stock Exchange and is now owned by Airport Development and Investment Limited, a company held by the Ferrovial Consortium.
11. BAA T5 Agreement fact sheet, www.baa.com.
12. D Apgar (2006) Risk Intelligence: Learning to Manage What We Don’t Know, Harvard Business School Press.

2.5 Managing reputational risk as a PLC

William Cullum, Corfin Communications

Risk management for a public company should perhaps be seen simply as reputation management. Reputation management wraps up all of risk management. Looking at the industry’s own A Risk Management Standard, it is striking that the thing that should overarch the schematic ‘Examples of the drivers of key risks’ is reputation. Why is it not there?

Reputation: your licence to operate

A wizened old public relations person once said that your reputation is your licence to operate. If you damage or lose your reputation, people tend not to listen to you, and if they are not listening then you cannot raise capital or effect a takeover or make the changes that will drive your business. In short, you are out of a job. In an ideal world, reputation management should be seen as everyone’s business and be a central part of any enterprise’s culture. In an ideal world, everyone in a company from the delivery driver to the receptionist to the chief executive, should recognize that what they do has an impact on the company’s reputation. Of course, this is extremely difficult to achieve, but if you think of the businesses you admire you will note that they have done it. It is hard not to be impressed by people who work
in great businesses and, as we all know that a personal recommendation is the best recommendation, you can see that a successful culture becomes a powerful tool for promoting your business.

In a public company, you are a public person. I know this seems obvious but it would be an easy bet to win if one claimed that many chief executives behave as if they owned the company rather than ran it for shareholders. Many just want to play with their train set, having failed to apprehend that as senior executives in a quoted company they have two jobs: one is to run the business, the other is to report to the markets or – as Michael Peters said – to be the business’s chief story teller. As such, many are unwilling or uncomfortable about engaging with the broader world in order to articulate what it is that a business does and why it does it. A failure to engage either at all or in a way that is appropriate to your business represents a serious business risk. You can be ignored – or worse, poorly rated – resulting in being bought out at well below your market worth and in losing your job. Reverse engineer the issue and ask yourself what you would expect to see should you need to approach your business. Employ a good PR firm with whom you can have frank discussions and take your role as the chief story teller or public persona of the business seriously. Treat journalists, fund managers and analysts as clients (it is amazing how well they recall who has messed them around…) and try not to believe that you are charismatic: you are neither Bill Clinton nor Philip Green. Mainly you got to the top because you are hard working and pay attention to detail; don’t confuse the story by confessing a strange love of disco dancing or erotic art. People will tend to remember you for all the wrong reasons.

Learn what is expected of you

It is not just businesspeople who get this wrong. We live in a world obsessed by celebrity where our expectations of well-known people are absurdly high. Celebrities cannot afford to let their guard down. Attending a drinks function recently, the guests were thanked for their attendance by the chairman, a former senior military man of great bearing, thespian voice and walnut face. And that was it. He did not deliver. The disappointment amongst the guests was palpable. They wanted him to amuse them – if only for a little while – with some nugget or insight from a world very different to their own. And, for his part, he simply thanked them. I suspect that he did not even realize that this was expected of him. The risk to his reputation was ignorance of his audience’s expectations and, as a celebrity, that is unforgivable.

More seriously, Britain’s Navy took a huge reputational thump when some of its personnel were captured at gunpoint by Iranians. On release, a couple of their stories found their way into the press. We British like our service personnel to have a stiff upper lip, especially in the Senior Service: little hurts like the pain of ridicule. Again, a failure to understand what is expected of people in certain roles leads to likely errors of judgement. When you go ‘on parade’ for your company, whether it is a seminar or ‘just’ a drinks do, be prepared by knowing what the world expects of you.

and if your story is sufficiently robust then there will be no issue. Yes. This can often lead to them being seen as mavericks and their sayings deemed insightful. branch or pub. That is what makes a market. stuck with it but used professional managers to do the talking. If you don‟t like the spotlights. being private can still present you with reputational risk. Ask anyone who has worked in private equity over the last 12 months. you have to verify what you say about yourself in all that official documentation. This in turn confers upon you a responsibility for your brand or reputation. like the hugely successful Richard Branson and Philip Green. from a risk management perspective. employ a good PR firm that can help you stick to your messages. investors and analysts alike. As an aside. We can only speculate but. this does not work well. many people feel an emotional bond to „their ‟ store. Most of you will be familiar with Mike Ashley of Sports Direct fame. in spite of the best public relations advice and training. the management team goes on display for the first time.• 100 CORPORATE RISK CONCERNS Presentational risk occurs every time a company makes a statement. did not like the harsh and sometimes constricting focus of reporting to the City. Private equity got into trouble not because it was private but rather because: • its ambitions got ever bigger. people can say what they like when they like and need worry only about their customers. • its managers started to behave as if they owned the place (and maybe they did!). saving her breath for (to her and many besides) more important issues. like Anita Roddick. this is probably not the case. at the very least. third-party research and questioning. At an initial public offering (IPO) or listing for example. However. we always advise our clients to allow. thereby making him very rich – and perhaps on this basis he feels secure enough to ignore the complaints against him. They left the plc world. Some entrepreneurs. 
This is not as odd as it might seem. Here is a man who infuriates many in the City. As a private businessman or even as civil servant you may dispute the intellectual validity of the stakeholder but the emotional tie is real. particularly where those businesses have improved their lives. even encourage. Stakeholders do exist On the other hand. perhaps the first question for an entrepreneur to ask is whether he or she is psychologically suited to being a public figure. and especially in consumer industries. One of the things that infuriates people about government departments is that no one in the . Rightly or wrongly. try not to be too controlling in IPOs. Others. being private may give your reputation more elbow room. Investors initially rewarded Mr Ashley‟s obvious and very successful endeavour by buying a large part of his equity. As private businessmen. Sometimes. stay off the stage or. • the returns it appeared to be generating were disproportionately huge relative to the risks incurred. by apparently not giving people what they want – just read the press. • the businesses it sought to acquire were increasingly consumer oriented.

massed ranks of officialdom appears to bear that responsibility. As for private equity, it started to alienate people because it refused to understand the risks attendant upon failing to manage its reputation. People at the top mistook arrogance or indifference for privacy.

The internet: a frontier moves closer

The internet continues to democratize information and this has two consequences for risk management. The first is that more people know about your business. Moreover, they expect to be able to learn more about your business than they ever could previously simply by searching the internet. A key recommendation therefore is for a business to have a web site that is appropriate in terms of your industry, sales revenue and other such factors, and relevant to people’s (employees’, customers’ and yes, stakeholders’) expectations. Managing your company’s reputation in the ether is every bit as important as managing it in print.

The other thing about this democratization process is that it allows people to launch campaigns against you and your products. Some of these campaigns are ill considered and some are given a weight by the internet that is out of all proportion. We once waited for a full-scale internet-driven campaign to blow up in our faces only to find that it consisted of three people standing outside a store in Slough. Others are simply libellous or illegal. Nevertheless some campaigns do hit home, usually those from ‘left field’. For example, think here of campaigns to improve the quality of a well known MP3 player, animal rights activism, civil liberties campaigns, the campaign against HSBC that used Facebook as an organizational tool or even ‘Fast Food Nation’ (although this came out of a book). Note also that a national newspaper recently carried an article on how to conduct a successful campaign.

In practical terms, how do you set about reputational risk management? The short answer is to perform a crisis audit, in other words to ask yourself what could go wrong in various parts of your organization and then to see what you might have to say to the outside world about this. It is best practice to nominate a crisis committee and to have a written methodology and cascade of contacts in place. You should assume that any crisis, when it hits, will occur at the most inopportune moment. They always do. Products will always need to be recalled at peak season, warehouses will always explode when fully stocked (think Buncefield here), transport employees will always go on strike at the height of the holiday period. So if it is Christmas or the board is having a business review in France, that is when trouble will come knocking. And do appoint an emergency duty officer for the weekend. The other thing to understand is that a Crisis with a big C is rather more common than you might imagine. It is simply that most are managed.

Never speculate

If a crisis does appear, by all means try to work out whether what has happened has been an accident. If it is, seek to ascertain whether there has been a sin of omission
or commission but do this behind closed doors. Do not speculate as to causes and certainly never speculate in public or to a journalist. During a crisis focus on remedies rather than blame and stick closely to what you know.

Another golden rule of crisis and risk management is to take your beating – but take it only once. Don’t keep getting worked over for the same old thing. The media, though, quite often likes its stories done to death – try not to oblige. If you have had a crisis and dealt with it, then move on. Don’t keep referring to it in your statements and updates: the capital markets tend not to spend too much time looking in the rear view mirror as they are much too hungry for new opportunities.

If you do have boardroom issues, try to be discreet. There are good reasons for this. The first is that the lifespan of a job at the top is very short. CEOs last less than five years on average but good ones pop up in other places. So do not make mortal enemies. The other thing is that board changes can become strategic challenges that in turn become front-page stories. Think here of the turmoil at M&S and Sainsbury’s a few years back when it became apparent that both businesses, previously consumer darlings, had failed to move with the times. The story moved from the business pages to food and fashion and then to news, and a negative cycle began. Restoring the reputations and market shares of both businesses has taken time, cash and considerable effort.

What does the world say about you?

Reputational risk, as we have seen above, often stems from a misjudged remark or a misconceived notion about a business. The unfortunate Gerald Ratner revolutionized the UK jewellery trade but is more frequently remembered for his remarks comparing a pair of earrings and a prawn sandwich that cost him his career. Use perception audits as a valuable risk management tool – whether of consumers, media, analysts or investors – because, conducted properly, they allow management to get an unvarnished picture of how the business is seen. It is then up to the board to act.

Finally, if you do tarnish your reputation, can the situation then be retrieved? In a recent Financial Times article, Luke Johnson suggested that a damaged reputation can be restored by (a) making lots of money, and (b) time. I might add that there is a third curative mechanism that is not to be recommended, namely Death.

Conclusion

To sum up then: your reputation is your licence to operate and a company’s reputation should be everybody’s business. Your reputation is at risk all the time but especially in a quoted company on public occasions. Take advice from your PR company and do your homework so that you are well prepared. Stick to your messages and don’t go ‘off piste’; for example, finance directors are not supposed to be funny. Expect things to go wrong and build this into your planning and communications needs. Don’t
. and your reputation will remain healthy. Stick with what you know and are good at.MANAGING REPUTATIONAL RISK AS A PLC 103 • speculate but be prepared to take the blame once. if it is indeed something that you have done wrong.


2.6 Terrorism: rehearsing crisis management plans

Roy Ramm and Neil Miller, Commercial Security International Limited (CSi)

Introduction: the evolution of terrorism

If the history of terrorism tells us anything, it is that the threat changes in method and direction so as to defeat security measures and infrastructure. The 9/11 attacks in the United States were a perfect example of the threat evolving in such a way that it was unique in its simplicity: the terrorists found a weakness and exploited it ruthlessly and with devastatingly lethal effect.

Disruption and economic loss are primary terrorist objectives. Terrorists seek maximum impact by threatening infrastructure, whether it is transport, power, broadcasting, communications or utilities. All of these have been attacked or have figured on target lists. Similarly the banking and financial sector, central to the commercial life of the country, has previously been targeted by terrorists, as have hotels and tourist destinations. But that is still not the full extent of the impact. Collateral damage through proximity to adjacent targets, secondary targeting and misdirected attacks, all mean that most businesses in major commercial centres need to consider the impact of a terrorist attack or threat.

Objectives

There is an abundance of evidence that whilst a badly handled incident can cause complete organizational failure, organizations that are perceived to have handled a crisis well will earn public respect, retain customer loyalty and become stronger in the long term. In any given terrorist incident your business could face:

• death and injury – physical and psychological – to members of staff and clients;
• physical damage to buildings, vehicles and other assets;
• loss of data and damage to information systems;
• loss of market position;
• reputation damage through poor preparation.

This chapter aims to offer some reference points for assessing both existing security measures as well as implementing and rehearsing crisis management plans. In particular we look at:

• current threat and motivations;
• crisis management planning;
• testing and rehearsing exercises.

Current threat and motivations

Following the so called ‘spectacular’ of 9/11, the Madrid, Egypt and Bali bombings and the events in London in 2005, there is no doubt that the major current terrorist threat emanates from extreme Muslim fundamentalist terrorism (MFT). Whilst there is growing evidence of the existence of training camps in Pakistan and Afghanistan for British-born Muslim terrorists, there is also increasing evidence that MFT is as much a ‘home-grown’ problem as it is an external threat to the UK. Though it may be too early and extreme to define the threat as endemic, the Government will look to community and faith leaders for robust action to stem further growth.

The structure of the threat presents particular difficulties. Unlike the paramilitary structures of the Provisional IRA, so far the MFT does not offer apparent organizational structures. It appears to be based on a combination of ideological, philosophical and political strands that intertwine and run through the worldwide Islamic community and enjoy significant support, albeit that the support is limited from most moderate Muslims. In terms of motivation, terrorist activity in one state is ‘justified’ as a response to government action in another.

Two further factors distinguish the current threat from any previously encountered in the UK. The first is communication: global internet and mobile communications now provide the kind of networks that allow the exchange of ideas, motivations, instructions and tactical coordination to take place with relative ease and anonymity. The second is the emergence of the suicide bomber.

Key points: what you can do

As an organization, you will need to appreciate how the threat of terrorism could affect your daily business and personnel routines. Whether as victims of direct attacks or of collateral damage from widespread and indiscriminate terrorist campaigns, your organization must consider its vulnerability to the following criminal and politically motivated acts:

• acts of terrorism;
• kidnap, hostage-taking, extortion and ransom;
• product contamination;
• commercial sabotage;
• criminal damage;
• major systems attacks and reputation assaults.

Assessing current threats and asking straightforward questions should help determine the level of threat to your operations, for instance you should:

• make sure you receive quality-assessed information relevant to your business;
• consider your business profile, such as international operations, trading partners, connections and public profile;
• consider your organization’s physical vulnerability to the impact of a direct or neighbouring attack, and seek help to assess and reduce vulnerability;
• assess whether your neighbours may raise your vulnerability;
• discuss with your human resources department whether your pre-employment screening processes are effective;
• instil a positive security culture;
• ask yourself the difficult ‘what if’ questions and make sure your answers are satisfactory;
• seek professional advice on other areas of threat vulnerability;
• implement and regularly test your crisis management plan;
• NOT assume it will not happen to your business.

Crisis management planning

Implementing a crisis management plan and gaining the trust and co-operation of your senior management and personnel is a big task. However, communicating the right message to the right people at the right time is critical to managing a major incident. By failing to take advantage of the first ‘golden hour’, those responsible for maintaining continuity can turn a serious situation into a major crisis. As a situation develops, failure to have planned an established crisis management mechanism will exacerbate

risk, damage reputation and harm the ability of an organization to work effectively with local government officials and law enforcement. It is therefore essential that comprehensive crisis management strategies are established, understood, rehearsed, tested and effectively implemented. Only then will the management team be able to respond quickly and efficiently. In order to reduce the threats posed to a business by terrorism, each organization should prepare a CM plan and carefully select the members and deputies of the ‘crisis management team’ (CM team). Planning for a crisis needs to be exercised until deemed reliable.

Testing the crisis management plan
In this section we discuss the very real benefits of testing a crisis management plan (CM plan) in a controlled environment where policies and plans may be challenged without risk. CM plans require testing to ensure that they are comprehensive and flexible enough to meet all threats that may be posed to the business operation. Testing is about probing the CM plan for shortcomings and, by doing so, improving the plan if necessary. Implementing and testing a CM plan is about raising the awareness of staff and giving them confidence in the organization’s procedures and ability to carry them out successfully. It also exposes the members of the crisis management team to the complexities of their roles and the stress that this generates when managing high-risk incidents.

Rehearsing and training exercises
Training exercises are a cost effective, realistic and secure method of testing the effectiveness of CM plans. They also expose the complexities of decisions to be made by those forming the CM team. Executives and managers are skilled in the management of their business processes, but may not have experienced the challenges posed by critical incidents such as terrorism, kidnap for ransom, extortion, or malicious or accidental product contamination. These are high-risk issues and they generate considerable stress for those who have to manage them. During the course of such incidents, staff, customers, or the continuity of the business itself, may be threatened. This training has consistently proved to be a most helpful means by which experience can be acquired prior to meeting the challenges of a real critical incident. Without this necessary training, your personnel will become suddenly overwhelmed and unable to cope with an emergency. The following are examples of typical exercises or simulations:
• discussion-based preparation;
• table-top simulation;
• live rehearsals.

Discussion-based preparation
This is probably considered the most straightforward yet least effective of the testing processes. It is simply a discussion between expert security consultants and the CM team. The consultants will design and talk through a CM plan and the communication systems they have prepared for the organization. It can, if necessary, be delivered to the CM team only, but can also be delivered to their deputies and perhaps some other key staff. This is part of their preparation, aiming to ensure that all those involved are at least aware of what has been implemented. It is really an ‘awareness-only’ exercise and does not physically or mentally test the individual ability of those on the CM team. It does not normally involve testing the effectiveness of communications within a business structure.

Table-top simulation
Table-top simulation exercises are the most cost-effective method of testing CM plans, and therefore the most recommended by industry leaders. The purpose is to highlight all aspects the CM team could expect to encounter and therefore have to manage. The simulation would normally involve a ‘paper feed’ exercise that would last in the region of several hours. It would simulate subject areas that vary according to the client but would include threats such as kidnap, terrorism and product contamination. It is aimed at testing the CM plan and generating debate as to the best course of action to be taken in respect of each threat. This simulation exercise often leads to the experience of mild stress levels amongst the participants as they deliberate upon the best courses of action. They are working with their seniors and peers, and peer group pressure simulates real stress, and active participation helps to reinforce good practice in their memories.

Live rehearsals
Live rehearsal is a method normally carried out by major companies and involves the police, fire brigade, armed forces, ambulance service and other bodies. It is a valuable but expensive exercise, and is used mainly in training exercises for the emergency services. However, live rehearsals are probably the most effective testing an organization can have. The type of scenario would involve simulated ‘live calls’ to a company switchboard following the detonation of a bomb in an organization’s office, shop or site that results in a large number of casualties. The company CM team would be established and the police would provide a casualty police computer link to simulate police and hospital activity with regard to casualties among the public and staff. Communication would be conducted through live links with the affected site and surrounding area. A properly trained hostage negotiator would play the role of an anti-terrorist officer present at the company to liaise with police at New Scotland Yard.

In addition, further live problems can be incorporated into the exercise, such as:
• Are further attacks anticipated?
• What should you do with your office – keep it open or close it?
• How should staff be informed and in how much detail?
• How should you deal with the media?

Conclusions
All businesses have a ‘duty of care’ to staff and to customers. The legal implications to the management team if someone is injured or killed as a result of a failure on the part of the management in the event of a critical incident can be enormous. It is therefore essential that your organization invests time and resources into a comprehensive and thoroughly tested crisis management plan, supported by a fully trained crisis management team and deputies. By being prepared and responding quickly and with confidence, your business will demonstrate the ability to confront and deal with a major business crisis and allow you to mitigate adverse effects on your employees, surrounding communities and the environment, as well as helping to avoid costly losses.

2.7

Conflicting priorities – best practice in conflict management
Graham Massie, Centre for Effective Dispute Resolution (CEDR)

Preface
The quality of canapés offered at law firm receptions has increased significantly in the last couple of years. And so has the quality of conversation – at least to the extent that I don’t have to define mediation or explain who CEDR are as often as I used to. But what hasn’t changed, particularly when I’m talking to business people – to finance directors, chief executives and chairmen/women, rather than simply to lawyers – is what happens when I move into sales mode:

‘So, tell me about your business – do you get involved in many disputes yourself?’
‘Oh no, we don’t really have disputes. It’s not really my area as our lawyers deal with that sort of thing.’
‘Really? So do you have any conflict in your organization?’
‘Oh yes, conflict – we have lots of that.’

And 9 times out of 10 the non-verbal answer is even clearer – a thin smile and a resigned look as I see the other person recall an argument, a difficult colleague or most often a simple reality of business life.

So what’s going on here? When Sun Tzu’s Art of War is required reading at all of the leading business schools, why is it that business managers shy away from the word ‘dispute’? It’s certainly not because they don’t have any – or because it doesn’t have any impact on their business.

A universal condition
Conflict is a fact of life even in the best-run organization. It goes under many names – disagreement, disharmony, dispute, difficulty or difference – but the results of mismanaged conflict are the same: at best unwelcome distraction from a heavy workload, at worst damage that may threaten the very future of the organization. Poorly managed conflict costs money, creates uncertainty and degrades decision quality. Furthermore, it pervades an organization’s activities, its effect can be significant but is usually unmeasured, and no one is really designated to deal with it.

On the other hand, conflict can be productive, with a healthy disagreement often fuelling the cauldron of debate from which new ideas and innovation emerge. Conflicting views can lead to debate and refinement of solutions, or can act as an impetus for further information gathering, leading to more informed decisions. So the challenge for management is to realize the benefits of creative tension without straining relationships to breaking point. From an unhappy customer to a disgruntled director, business can have the challenge of conflict come from any direction – and, just as with all other aspects of risk management, the goal is to maximize the benefits whilst minimizing the downside and avoiding, or at least surviving, the catastrophic.

The cost of conflict
In November 2005 a research project by CEDR and law firm CMS Cameron McKenna gathered data from lawyers and business people involved in over 300 separate business disputes. We identified nine possible adverse consequences of business disputes:
• effects on company reputation;
• effects on personal reputation;
• effects on company morale;
• exposure in the public domain;
• damaged business relationships;
• lost customers;
• missed opportunities;
• failure to meet targets;
• increased staff turnover.

We surveyed the extent to which each may have been significant. Remarkably, this revealed that, in 80 per cent of the disputes surveyed, at least one (but frequently more) of these consequences was described as being ‘significant’ or ‘very significant’ to the business.

Yet one of the problems with corporate conflict is that the majority of the costs fall through the cracks of management responsibility. The in-house lawyer may be accountable for the legal costs of disputes, but even here financial management leaves a lot to be desired – the 2005 Fulbright & Jaworski Litigation Trends Survey reported that 43 per cent of corporate lawyers are unable to budget adequately for litigation costs. I’m not sure I agree with the late business guru Peter Drucker, who coined the phrase that ‘You can’t manage what you can’t measure’, but what I would say is that, if you aren’t trying to measure something, it’s a pretty good indicator that you aren’t even trying to manage it.

And yet the costs of conflict are huge. A 2006 study by CEDR has revealed that conflict costs British business some £33 billion a year – and, of that amount, less than a fifth relates to legal fees whilst the vast proportion can be categorized into three broad categories:
• damaged relationships;
• tarnished reputations;
• lost productivity.

Damaged relationships
Because of the way that most of us behave in conflict situations, disputes cause damaged business relationships, which in turn can lead to breakdowns in previously fruitful customer or supplier relationships, or to increased staff turnover. And even where conflict does not result in a parting of the ways, its effect on day-to-day business efficiency can be debilitating. One of the universal symptoms of conflict (and, generally, one of its most common causes) is a breakdown in communications – just as spouses who are having a row tend not to talk to each other, managers and business colleagues fail to communicate so well when there is tension or conflict in the relationship. And this behaviour can lead to failures to communicate vital information, possibly leading to missed opportunities and/or some key inputs to a decision being either suppressed or ignored.

Tarnished reputations
Evidence of our historical love of conflict as a spectator sport can be found in the ruins of the Colosseum, but today’s corporate combat can be tracked from the comfort of your armchair, courtesy of the media. However, you don’t have to read too many news reports of corporate disputes to conclude that they really are ‘a plague on both houses’, with even the winner’s reputation often tarnished by what is revealed during the course of the battle. Whether it’s the publicity about the harassment or discrimination case that harms both employer

and claimant equally, or the professional negligence claim that reveals shortcomings on both sides, exposure in the public domain is frequently damaging to both personal and corporate reputations – damage that is usually described in the language of the brand or public relations consultants, but is often most visible in reductions in stock market value. In fact, have you ever heard of an organization whose public reputation has been enhanced by reports of its involvement in a significant dispute?

Lost productivity
A 2003 survey by accountants BDO Stoy Hayward¹ identified the personal impact of disputes on senior management, with 46 per cent admitting that their stress levels increased, many (24 per cent) losing sleep over a dispute, and almost one in five even suffering from decreased motivation towards their own business.

Other forms of lost productivity are also commonplace in business conflict – CEDR’s research shows that a typical £1 million value dispute will burn up over three years of line managers’ time in trying to sort it out – that’s time that takes them away from their real jobs, creating a cost of conflict that far outweighs the legal fees involved (see Figure 2.7.1).

[Figure 2.7.1 Time spent on a typical £1 million-plus dispute. Work days: in-house legal team 172; managers directly involved in the dispute 430; other managers getting sucked in 258 (688 in all); the distraction ratio: 400%+]

This distraction cost is one of the key hidden costs of corporate conflict. As our research shows, manager time is four times that of in-house counsel involved in a dispute, which means that 80 per cent of the cost of conflict comes out of line management budgets. And since engagement in conflict isn’t a line item in most managers’ budgets, this means that the cost comes through in the form of reduced time available for other priorities.

Is there any good news?
Of course, conflict isn’t all bad. And in fact some of the healthiest companies have some of the most intense discussions: ‘…all the good-to-great companies had a penchant

for intense dialogue. Phrases like "loud debate", "heated discussions" and "healthy conflict" peppered the articles and interview transcripts from all the companies.’ Jim Collins Good to Great research² of top management teams, has found that the more productive ones were able to manage conflicts without getting involved in personality conflict, treating conflicts as opportunities for collaboration to achieve the best solution for the organization as a whole. Conversely, when a separate research team³ studied a group of business failures arising from highly unsuccessful strategic decisions, they found a remarkably consistent pattern of stifled debate, with negative opinions or adverse information discounted as unhelpful.

Developing a conflict management strategy
So what is business doing about addressing these risks? Well, the typical cocktail party conversation cited would suggest that they’re not doing much beyond resigning themselves to the inevitability of it all. And perhaps the reason for this is that business people aren’t very comfortable in dealing with conflict in their day-to-day roles, whether internally or with outside stakeholders, customers, suppliers or business partners. This isn’t that surprising when we consider the limited training most have had in this area – a recent CEDR survey of over 600 business people revealed that only 37 per cent regarded themselves as being adequately trained to cope with business conflict. Furthermore – or, more likely, because of this lack of training – managers also revealed themselves to be significantly conflict averse. Over a third of managers (35 per cent) would rather parachute-jump for the first time than address a performance problem with their work colleagues, whilst just under a third (27 per cent) would rather shave their head for charity – and some (8 per cent) would rather live on ‘bush tucker’ bugs for a week.

However, the fact that many are doing nothing about this problem, or feel uncomfortable in dealing with it, doesn’t mean that nothing can be done. CEDR has been in the business of effective dispute resolution for over 15 years. And in that time we’ve worked on many thousands of disputes, acting as neutral mediators assisting over 1,500 negotiating teams every year. Whilst helping clients get themselves out of conflict situations, we’ve learned a lot about how they got there in the first place, what mistakes they made along the way and what they could have done better. We’ve now synthesized the lessons of our dispute resolution experience and have developed a package of consultancy and training solutions to help organizations improve the way they manage conflict. These solutions won’t make conflict go away, but they will help organizations manage conflict more efficiently and effectively – cutting the cost of conflict.

How to get there
Typically, the six key elements of a strategy for making conflict management a core competency in an organization are:

• developing conflict literacy;
• measuring conflict styles;
• building conflict management skills;
• developing team-working approaches;
• creating options for conflict resolution;
• embedding a conflict management culture.

Developing conflict literacy
Some theoretical background and a common language about conflict are required to help organizations think effectively about the causes and consequences of conflict. Firstly, an organization needs to have a clear understanding of what it means by conflict. This isn’t just a question of open warfare – as the earlier cocktail party conversation reveals, a lot of conflict occurs on an informal and sometimes covert level. It’s important also to remember that conflict isn’t necessarily bad. Secondly, a lot of conflict arises – or escalates – as a consequence of how people behave in difficult situations. Life experience causes all of us to acquire preferences and habits of how to respond to conflict and we tend to use these over and over again.

Individuals and organizations can have different conflict styles, each depending on the extent to which they place emphasis on two key areas: their own needs/agenda (the outcome), and the relationship with the other person. Different terms may be used by different authors, but broadly individual styles can be divided into five categories:
• Competing: focusing on achieving your own concerns above all else.
• Accommodating: the opposite of competing, sacrificing your own concerns for the benefit of the other person’s.
• Avoiding: not wanting to pursue either your own or the other side’s needs, and in fact you’d rather not be involved in the conflict at all.
• Compromising: this approach seeks the middle ground, partially satisfying your own concerns and partially satisfying the other’s.
• Collaborating: both assertive and co-operative, this approach tries to problem-solve to find a solution that fully meets the interests of both parties.

Each of these labels carries emotional baggage, leading most of us to think of some as good behaviours and others as bad, or weak. However, these characterizations are inappropriate – each style has its place in certain circumstances, and each causes difficulties in others. There is no universal ‘right answer’.

Measuring conflict styles
As with much development work, the key to implementing change is first to understand where you are now. Hence, in conflict management, diagnostic tools can be used to assist individuals to determine their own preferred conflict style, thus making explicit what might previously have been unconscious habits and assumptions about the best way to handle conflict

situations. These tools can also be used to establish a pre-action baseline, and results can generally be aggregated to form an impression of the overall culture of a team or organization.

Building conflict management skills
Whilst each person will have a default behaviour, we are not locked permanently into that mode, and appropriate training can help individuals to modify their behaviour to suit particular circumstances. Furthermore, by understanding and recognizing the conflict styles of others, we can implement appropriate strategies to communicate with them. Additional communication and creative problem-solving skills training also add to the portfolio of conflict competencies.

Developing team-working approaches
Although enabling individuals to modify their conflict management styles will have some impact in mitigating team-level conflict, additional work will most likely still be required at a team level to make sure that established team cultures are not overwhelming and that an appropriate collective strategy is adopted. For example, a collaborative style is generally accepted as being the most effective approach for dealing with task-based conflict, that is dealing with differing views as to the best way to achieve agreed objectives. A strategic management team may need high levels of disagreement to facilitate the critical evaluation of decisions, but an unmoderated competitive approach may lead to dissatisfaction and relationship conflict as well as suboptimal decision making.

Creating options for conflict resolution
It is important that a conflict management system provides options for all types of problems for all people within the organization, and a ‘one size fits all’ strategy is unlikely to be workable beyond a very narrowly defined area of conflict. Generally, therefore, a comprehensive system will provide for a range of entry points and for a variety of options, both rights-based and interest-based, for addressing conflict.

One of the most important options involves providing an outlet for situations where direct discussions between key individuals are unable to resolve a problem. Mediation, the intervention of an impartial third party with neither decision-making authority nor the power to impose a resolution, has proven to be a highly successful method of resolving even the most intractable deadlock.

Mediation is a flexible process conducted confidentially in which a neutral person actively assists parties in working towards a negotiated agreement of a dispute or difference, with the parties in ultimate control of the decision to settle and the terms of resolution. (Centre for Effective Dispute Resolution – CEDR)

It also has the advantage of being quick and cost-effective when compared to alternative recourse mechanisms such as arbitration, litigation or, perhaps worst of all, significant unresolved conflict.


Key facts about mediation
• Over 70 per cent of cases settle at mediation, with a further 20 per cent settling within the following weeks, after parties have seen and explored the other side’s position.
• Of those companies that have used mediation, over 77 per cent said it was quicker, over 78 per cent said it was more effective and almost 80 per cent said it had reduced their anticipated legal costs.
• Business cases mediated with CEDR in 2005 had an average dispute value of over £1.5 million, or a total figure of well over £1 billion.
• 2005 saw the 11,000th case referred to CEDR.

Embedding a conflict management culture
As with any change management project in an organizational setting, implementation of a conflict management programme requires activity at a variety of levels. It’s not enough simply to build protocols and provide training; leadership needs to come from the top such that open communication and effective conflict management become embedded in the culture of the organization.

Conclusion
Conflict is part of working life but it is how we deal with it that is important. Effective management of conflict can reduce the amount of time and money spent in trying to sort out a problem, reduce the damage it could cause to those involved and enable decision makers to make smarter choices earlier on. There aren’t any silver bullets, but a lot can be done, and it’s time that business woke up to the wastage that lack of proper conflict management causes.

Notes
1. BDO Stoy Hayward (2003) Commercial Disputes Survey, BDO Stoy Hayward, London.
2. J Collins (2001) Good to Great: Why Some Companies Make the Leap . . . and Others Don’t, HarperBusiness, New York.
3. S Finkelstein (2003) Why Smart Executives Fail, Portfolio (Penguin Putnam), London.

2.8

Latent risks in commercial property damage and business interruption insurance
Ian Drewer, Strategic Risk Partnerships Ltd

Nowadays, very few corporate management teams would suggest that the purchase of insurance cover, however comprehensive, will of itself represent adequate protection for their business against potential adverse risk events. The discipline of ‘risk management’, applied in a far more holistic sense, is now generally recognized as an inherent part of sound business management practice and, indeed, is to be found as an integral part of the curriculum at most leading business schools. Similarly, during the past couple of decades more structured corporate governance requirements and increased regulatory oversight have served, inter alia, to emphasize the importance of appropriate management process for identification and control of potentially risk-creating circumstances. The ability to exploit risk has always been an essential element of entrepreneurial success. Many jurisdictions now require all public companies to implement a formal process for identifying, recording, reporting

and mitigating potential sources of adverse impact. This ‘corporate governance’ obligation, often supported by statute, is to be undertaken by corporate management in the interests of the various stakeholders in the business. Informed development of appropriate techniques and procedures and, more particularly, their refinement to more specifically suit the needs of the particular business, will often reveal not only the extent of possible exposure but also the limitations of generic ‘protections’.

Insurance as a factor in corporate risk management
Nevertheless, insurance of various kinds does remain a key factor in most corporate risk management philosophies. It is still generally regarded as an effective means of provision of financial support should external forces cause unexpected and fortuitous loss or damage to the affairs of the business, or have significant financial impacts.

Damage interruption and interference
Thus, however effective a loss prevention and risk control programme the business may implement, there will remain for any business employing physical assets an interest in the purchase of some element of ‘property damage’ insurance. Where damage to those assets would be likely to result in some kind of interruption to, or interference with, the business (with consequent loss of revenue) the protection afforded by ‘business interruption’ cover also becomes desirable. Therefore, property damage and business interruption insurance will generally appear high on the list of ‘normal’ insurances in most business portfolios and will be seen as the most fundamental support requirement in respect of any finance secured either on physical assets owned or used by, or the cash flows produced in, the business. Furthermore, providers of business finance (lenders) continue to impose requirements for relatively ‘traditional’ insurance coverage in respect of any asset offered as security in connection with business finance arrangements. It is probably also fair to say that most such financing arrangements will specify ‘all risks’ property damage and business interruption insurance, covering ‘damage’ to assets used in the business and ‘loss of revenue’ following such an event. ‘All risks’ insurance applies to losses arising from damage caused by any peril other than those actually identified in the policy as being excluded. The alternative, ‘specified perils’ (or ‘fire and perils’) form of cover is generally considered as less satisfactory, in that cover applies only for losses arising from the perils stated in the policy as being insured; all other causes of loss are deemed uninsured. However, any business should consider very carefully indeed the sequential connection between physical damage, interruption or interference with the business and possible loss of revenue. There are many businesses in which that link is actually quite tenuous, or the potential loss of revenue really quite small (whether in absolute terms or as a part of the whole).


A good example can be found in the intermodal transport sector, where entities own container units that they lease out to freight companies and the like. Damage to an individual container unit (or even several at one time) is unlikely to cause substantial loss of revenue. The units can usually be quickly replaced and the time and cost of repair is generally limited. Similarly, damage to the office premises used for administration of such a business might be inconvenient, but is unlikely to cause significant interruption to the receipt of rental income in respect of units on hire. Suitable support for the alternative provision of essential administration functions would be more valuable than a full business interruption insurance programme.

The ‘all risks’ illusion
Until relatively recently, as reflected in the thinking of financial institutions and similar bodies, most businesses could purchase an ‘all risks’ property damage insurance policy (described above), applicable to any and/or all of its business activities. This would be possible whether those activities were concentrated on a single site, collected in one town or district, spread through a single country or scattered almost anywhere around the world. Such cover would be available from a choice of insurers, or syndicated combinations of insurers, in the London insurance market (and/or other major markets) and the purchaser could reasonably expect the coverage truly to apply to any cause of loss or damage not specifically excluded.

It is all too easy to assume that worthwhile protection can be achieved today by the same means and with similar availability. One might reasonably feel that the provision of insurance must surely have become even more all-encompassing over the last couple of decades or so, as have so many other things in life’s rich experience. That, unfortunately, is a serious mistake easily made. For some years the business of insurance, especially the manner in which providers operate, has undergone significant change, but not necessarily in the interests of the ‘insured’.

Traps for insurance buyers
‘Property damage and business interruption’ insurance offers various examples of the types of change (and thus the dangers) of which the commercial purchaser should properly be wary. Some result primarily from fiscal regulation of international business; the introduction and/or application and collection of taxes, not previously significant to the international transaction of insurance, offers an example. Insurers willing to provide international or multinational policies must be careful to comply with relevant fiscal controls. They may actually be required to collect and remit (to relevant national authorities) applicable insurance taxes. Other changes relate more specifically to non-fiscal regulatory developments, sometimes specific to insurance, sometimes on a wider front.


Change in the insurance industry
Yet other changes affect the structure and operation of the insurance industry itself. Many commentators saw consolidation as both a saviour and a potential curse for insurance providers and their customers. These observations have been proved correct; some insurers operating today would certainly have slipped in significance, perhaps even ceased to trade, had they not gained weight by merger and acquisition. However, such consolidation also reduces numbers, which in turn tends to reduce both capacity and competition. With reduced competition come, all too often, reduced standards of service. Thus many purchasers have for some time found that there are relatively few options and, perhaps, little or no real competition for the provision of the most wanted form of business insurance protection, the fundamental property damage and business interruption coverage.

Reinsurance dependency
In addition, ‘direct insurers’ (the carriers from whom the individual insured buys cover) need to protect themselves by ‘reinsuring’ the business that they have underwritten. This mechanism enables a direct insurer to pass on to another tier of carriers, for a premium, a substantial part of the exposure that it has underwritten. Without this facility the direct insurers would rapidly reach their permissible limit of risk acceptance, or would be obliged to accept only much smaller amounts of exposure in any one piece of business.

A relatively small number of major reinsurers provide key capacity throughout the ‘direct’ insurance market. These reinsurers can exert considerable influence on the underwriting policy of the insurance companies to whom they provide this capacity (the ‘direct insurers’). Since they each reinsure several ‘direct’ insurers, this can significantly affect the extent to which the cover offered by any one such ‘direct’ insurer might differ from that offered by another. In effect, therefore, the marketplace for any particular individual insured may actually be controlled by reinsurers with whom that insured entity may never make contact or discuss coverage, and with whom that insured entity has no contractual relationship. Furthermore, the insured entity concerned generally has no right of claim on the reinsurer’s funds, should the ‘direct’ insurer fail to honour the original policy of insurance.

Tailored cover for industrial/commercial entities
Availability to the industrial/commercial entity of insurance cover tailored to suit its particular needs is obviously likely to be hampered by such factors. It is clearly desirable, if one is to buy insurance at all, to seek to include coverage for those potential (fortuitous) events identified as most dangerous to the health of the business concerned. Whilst probability and possible severity (of loss events) must be expected to influence pricing, it is surely unreasonable for the proper identification by the insured of potentially severe (albeit remote) exposure to result more or less automatically in severe limitation, or even exclusion, by the insurance market of coverage for any such occurrence.

Exclusion vs price
Nevertheless, the tendency to exclude, rather than price, is now a reaction that can readily be observed amongst the ranks of insurance carriers. The purchaser of insurance may thus be obliged to accept a policy that lacks the very elements that would really provide worthwhile coverage for the business. This situation has been and continues to be exacerbated by the serious ‘deskilling’ that the insurance industry has suffered over the past several years. Initiated primarily by those insurers who have chosen to specialize in low-value, high-volume (essentially personal-lines) business, the consequences have undoubtedly also affected many insurers who are involved in provision of coverage for industry and commerce. Whereas personal-lines specialists might reasonably argue that low-cost administration is paramount and formulaic coverage is an acceptable concomitant, the proper provision of appropriate cover to industry and commerce demands a very different profile. The limited availability of necessary skills in this sector is apparent in the comparative paucity of experience amongst underwriting staff, the absence of policy wording specialists and the frequency of appointment at senior level of executives with little, if any, previous practical operational experience in the relevant insurance disciplines. Without a practised skillbase in these crucial roles, it is not surprising that training and capability elsewhere in the business may be found wanting.

Appropriate protection
Appropriate protection for substantial industrial or commercial concerns almost inevitably means more complexity of coverage. Therefore, in addressing its requirements for property damage and business interruption insurance, it behoves any business to analyse carefully not only the risk to which it is potentially exposed, but also the coverage that the insurer intends to make available and the capabilities of the insurer itself. It will require careful explanation of the business to be insured and appropriate consideration of the insurer’s ability to comprehend, together with evaluation of the personnel who are to be involved in the account. This may not be easy. The experience and abilities of the insurer’s team, including not only the underwriting staff, but also administration and claims personnel, will be of major significance. The words in the proffered policy may well seem clear enough, but the insurer’s view of their meaning can all too easily be significantly different from that of the insured.

Wording interpretation
Regrettably, the meaning applicable to those words in the understanding of the insured, and ostensibly echoed by the insurer at the time of purchase of the policy, can all too often be found to have changed – in the interpretation of the insurer – when it comes to the occurrence of a serious loss event. Careful analysis of the business profile is essential to the effective purchase of business interruption insurance. The formula set out in the policy wording for calculation of any loss should be appropriate to the particular business. The relevant factors should be discussed carefully with the insurer at the outset, with careful recording of the conclusions and decisions, to ensure a clear understanding that the wording will be applied as the insured entity intends. This is likely to avoid considerable distress should a major loss event unfortunately occur, since it substantially reduces the potential for ‘alternative’ interpretation of the wording by the insurer in such circumstances (to reduce potential claim payments).

Regulation and simplification
Elimination of uncertainty in the determination of the cover actually afforded by any policy of insurance has attracted a great deal of regulatory attention in the UK (and elsewhere) in recent years. Not unnaturally, the main thrust of such effort has been directed at those categories of insurance provided to private individuals (‘personal-lines’ business) and those parts of the insurance industry that operate in that sector. However, the resultant regulation has also affected the provision of insurance cover to industrial and commercial enterprises. The insurance industry in England and Wales is subject to regulation by the Financial Services Authority (FSA) and great play has been made during the last couple of years of the FSA’s requirement for ‘contract certainty’ in general insurance. As with much regulation, this does not mean what it appears to say. That is to say, ‘contract certainty’ does not mean certainty of contract. As such, it does not mean that the two parties will have an identical understanding of the meaning of the contract of insurance and thus the manner of its application and the extent of protection afforded.

Compliance
‘Contract certainty’ is currently interpreted primarily as requiring early issue of ‘finalized’ documentation, free of outstanding requirements as to information, coverage issues, supply or conduct of associated services and so on. The emphasis is on provision of a document within a timeframe. The document so issued may allow for subsequent endorsement to include any special provisions or additional protection (in many cases using pro forma endorsement wordings). In the case of commercial insurance, the process adopted can tend to favour the insurer to the detriment of the insured.

Coverage reduction
To achieve rapid and untrammelled issue, a noticeable trend has developed amongst insurers to ‘standardize’ (often ‘dumb down’) the policy documents used. This may not be unreasonable in the case of high-volume, low-exposure personal-lines business, for which the regulations seem really to have been designed.

However, the approach is inherently flawed when utilized for most categories of commercial insurance. In the somewhat simplistic forms most generally used, this can create, rather than solve, significant problems for any reasonably substantial enterprise seeking to arrange industrial property damage and business interruption coverage. There is a very real risk that wordings for ‘tailored’ coverage, developed over time by such insured entities to provide for their own particular and individual insurance needs, will be severely impaired or even lost entirely. The implications are perhaps most likely to be critical for ‘business interruption’ aspects of coverage.

At least one major insurer has been known to delete various extensions of cover from long-standing corporate programmes (though mainly liability rather than property coverage), then subsequently offer the insured a version of the ‘deleted’ cover in the form of separate policies at additional premium cost. ‘Contract certainty compliance’ has been given as a prime ‘reason’ for this practice. Another insurer announced that it intended to discontinue, or at least greatly restrict, the availability and use of ‘tailored’ property damage and business interruption insurance coverage for commercial insured entities, to ensure that it ‘knows what cover is provided’. It is tempting to view any such change as opportunism on the part of the insurers concerned, aimed primarily at driving up premium income. In some cases this may indeed be so. In many cases, however, the dangerous consequences may be largely accidental.

Disadvantage to the insured
The reason(s) for implementation of such change make little real difference. Whichever circumstance might apply, such arbitrary changes to a commercial ‘property’ insurance programme could seriously reduce the scope or extent (and thus value to the insured) of protection. Commercial insurance policies are often lengthy documents and require skilled reading. Once the revised document is issued and the premium paid, the ‘new’ wording will apply. Subsequent renewals may be effected without detection of the full extent of the imported changes. The true consequences may well only become apparent as and if the feared loss occurs, when the cover is suddenly found lacking as compared with that which the insured expected and knows full well should have been available.

The principle of trust
As the only form of contract where consideration is required of one party in return for no more than a qualified promise by the other, insurance depends primarily on mutual trust. The principle of ‘uberrimae fidei’ (the utmost good faith) is fundamental to any insurance contract and is enshrined, under English Law, in the Marine Insurance Act, 1906 (section 23), which states that: A contract of marine insurance is a contract based upon the utmost good faith, and, if the utmost good faith be not observed by either party, the contract may be avoided by the other party.

The Courts have determined that this principle applies not only to ‘marine’ insurance, but to any category of insurance cover. As the words make clear, this most fundamental of principles applies in both directions. Equitable application of the principle requires not only that the insured must declare to the insurer any material information about the subject matter of the insurance, but also that the insurer is obliged to declare to the insured any material change in its own operation. Unfortunately, the nature of an insurance contract offers little opportunity for effective sanction of the insurer.

Design, development and satisfactory operation of an effective programme of property damage and business interruption insurance (or any significant industrial/commercial insurance coverage) demands co-operation between insured and insurer(s), but successful outcome can properly be judged only by the insured. Careful analysis, preparation and execution, with a proper awareness of the potential pitfalls, can greatly improve the probability that the coverage will perform as intended by the insured party.

2.9

Managing litigation risk: lost in translation
Sean McGahan, McKinty & Wright

Does this scenario sound familiar? You apply the tools and techniques of risk management and gain a deeper understanding of the costs of claims and litigation, especially the predictable exposure to personal injury claims. You then see the apparent profits of business units decreased or even wiped out over the medium to long term because of claims against your organization.

What can be done about this? Since 98 per cent of personal injury claims in the UK succeed, a standard recommended response is to increase health and safety measures. Unfortunately this does not automatically translate into more successful outcomes when claims are made. Such an approach can even be counterproductive, either because the organization does not properly understand what health and safety measures the law requires, or because it fails to communicate its choices on risk effectively in court. Put simply, messages that are there to be communicated are being lost in translation.

The purpose of this chapter is threefold:
• to show you how the language of risk management is different from the language of law;
• to explain to you the competitive risk assessment psychosis and conspiratorial risk aversion policy mistakes you can make if you misunderstand the language and processes of law;

• to show how you can create a better capability to defend your organization’s decisions on risk and communicate more effectively in court.

The language of law
The law uses language similar to the language of risk management, but that language is interpreted in a different way. Understanding this difference is a key to unlocking controls that may reduce your residual risk.

If you have ever picked up a legal textbook, talked to lawyers or been in court, you will have encountered language on the issue of risk that sounds vaguely familiar. There is an entire body of law, called ‘tort’, that sets out how much risk is acceptable and when you will be held liable if a risk materializes and causes damage to others. Compensation for personal injury is the classic example. Tort law sets down that, in certain circumstances, you are deemed to owe a ‘duty of care’ to others. An employer’s duty to employees is an example. How much care you have to exercise is determined by an objective ‘standard of care’. If the ‘standard of care’ you exercise is lower than a court would expect, and this contributes to someone sustaining a loss, then a court will hold you liable to pay compensation for the damage caused.

In order to determine the ‘standard of care’, courts are expected to look at the ‘magnitude of the risk’. The greater the risk the greater the ‘standard of care’ will be. An example will let you understand this. Take a zoo. The standard of care required to guard against visitors being injured by animals will vary according to the threat posed by a given animal. An attack by a lion would probably cause serious injury or death, while an attack by a penguin is likely to result in the victim being more embarrassed than anything else. So the law requires a higher ‘standard of care’ applied to lions than penguins. If you think about it, this idea of setting a ‘standard of care’ on the basis of the ‘magnitude of the risk’ looks like part of a risk management process: establishing the ‘probability of an occurrence and possible consequences’.

In setting this ‘standard of care’, the law takes into consideration the ‘costs of preventative measures’ and the ‘social value’ of the activity being engaged in. Again, this is language on which you can place a meaning as it sounds pretty much like ‘cost–benefit analysis’ and ‘defining your context’ or ‘setting strategic objectives’ in a risk management process. A court should recognize that if the ‘magnitude of the risk’ posed by an activity is tolerable, the ‘social value’ of the activity should override concerns about the magnitude of the risk.

Taking all of this together, in theory the law has a means for determining what a given organization’s risk appetite should look like. Therefore, if you use a sound methodology for setting a risk appetite for your organization the law should be capable of coming to roughly the same conclusions. Unfortunately it does not quite work out like that. The standard of care set by the courts in individual cases can vary greatly. For instance, in the leading case of Tomlinson vs Congleton, the House of Lords overturned the decision of the Court of Appeal on the standard of care that a council should exercise towards people who choose to swim in a lake. This is because the overall process by which the issue of risk is considered by courts is in fact very different from a risk management process.

The courts make decisions on risks without using the methodologies generally recognized in risk management as key elements of high-level decision making. Risk managers use a whole range of analytical tools to make decisions about risk tolerance, and can also rank risks by creating a risk profile. A court cannot use any of these methods and is wholly dependent upon the evidence presented to it during a trial. Courts are not there to rank risks for organizations. If an organization has not ranked its own risks and set a risk appetite, courts are not going to do it for them. They will generally err on the side of causation and find the organization liable.

Also, courts do not use quantitative analysis. Although monetary values are placed on injuries in the form of an award of damages to a successful party, these monetary values are not used to counterweight the monetary cost of precautions to prevent injury. Instead semantic tests such as ‘reasonableness’ and ‘practicability’ are utilized. The law turns its back on quantitative analysis in deciding the ‘standard of care’.

All this means there is scope for differences in interpretation of the ‘standard of care’ imposed by different courts. Written judgments of courts are full of examples of variances in the ‘standard of care’ they impose. There is also no audit of decisions to ensure a level of uniformity of decision making.

In the absence of contrary evidence on risk, judges cannot be blamed for sometimes taking a fairly basic approach to risk that sits well with the fact-finding capabilities of a trial. Was there a risk? And was there anything that could have been done about it? Faced with an accident resulting in injury, especially catastrophic injury, there is a natural tendency to take the view that some additional precaution should have been taken. Courts naturally tend to set a low risk tolerance. The result is that, in the absence of good evidence on risk being given to a court, the legal process therefore has an inherent process bias in favour of setting a high ‘standard of care’.

Mistakes to avoid
If you do not recognize that courts have a basic approach to risk, you can easily adopt an approach to controlling the risk of claims and litigation that actually increases the effect of this bias in favour of setting a high standard of care. The biggest mistake is to adopt poor risk management policies. These can take two forms.

Compulsive risk assessment psychosis
This phrase was first coined by John Adams. You generally see the psychosis in organizations that do not have an overall risk management process in place. Elements of a risk management process are introduced that are not part of a coherent strategy, without any overall evaluation. The result is that an organization gets flooded with documents identifying risks and suggesting things that could be done about them. These documents give the impression to a court that the identified risk should have been guarded against. If you identify something as a risk in isolation from a risk profile, the law interprets this not, as you would, as something to be ranked, but generally as something that is above your risk appetite, or below the ‘standard of care’. The result is that you are found liable.


Conspiratorial risk aversion policy
In this form, practices and procedures become increasingly risk averse. The intention behind this process is to reflect the perception the organization has of the ‘standard of care’ expected in law. Often the perception is gained from the results of a few cases that went to trial or even stories in the media. If an organization becomes risk averse, this will simply encourage a court to reflect this risk aversion in its decision.

The other problem with this approach is that it creates divergence between an organization’s objectives and its risk management. Policies and procedures become risk averse and hinder operations. Individuals and operational units are hampered by procedures that do not fit the organization, and will therefore break the rules in order to achieve their objectives. Where those breaches occur, the policies and procedures become the basis for showing a breach of the ‘standard of care’. You see this behind many of the most criticized rulings on risks by courts. If a school bans children from running during break time and a child is injured while running because staff disagree with the rule and do not enforce it, the school may be found liable because it failed to follow its own ‘standard of care’. It is worth noting that in the leading case of Tomlinson vs Congleton, the House of Lords decided on a lower ‘standard of care’ than the council itself proposed to exercise, and dismissed the claim.

So what should you do?
Plan ahead to take part in the trial process before incidents occur and claims are made. That is the essence of litigation risk management. It sounds straightforward but few organizations actually do it. The following are just some of the steps that can be taken.

• Adopt a recognized risk management standard and apply that to your ‘riskscape’, while still complying with the law. If there is clarity about what the objectives of an organization are and clear assessment, analysis, evaluation, reporting and treatment of risk based upon quantitative analysis, then a court lacks any inherent tools on which to base a rejection of the risk tolerance set. In terms of decision process, for a judge to do so would be like one doctor attempting to second-guess another doctor’s diagnosis based on an MRI scan by using a CT scan. The MRI scan is objectively the superior methodology. It would of course be open to the plaintiff to call evidence to attack the risk tolerance set, but if the process is robust there may be little to attack.
• Do not allow your health and safety practices to diverge from the risk tolerance set for the organization. There are health and safety absolutes and other issues that involve balancing risk and opportunity.
• Use your risk appetite as a means of determining which claims you will fight. If you don’t, then there may be little logic to the selection of claims to accept and claims to reject.
• Align objectives for defending claims with business goals, otherwise your claims handlers may adopt an approach to claims that creates risks to your objectives.


• Form a litigation team with clearly defined roles to handle claims, rather than having a silo mentality.
• Translate your message on risk into language that the law can understand. If you do not, your message may be misunderstood by a court. The right language can be adopted without undermining the risk process, and makes the process court-friendly. You will then be able to speak to a court in language it can hear and understand.
• Get a memory for the organization. Often a message on risk cannot be communicated as processes have not been put in place to recall what an organization’s attitude to risk was at any given time in the past.
• Create a voice for your organization. Communicating in court is not a straightforward process for organizations. The system by which evidence is introduced to judges in a trial grew up before large corporate organizations had evolved. Trials are designed to allow individual personalities a voice. Witnesses are called by lawyers to give evidence in a witness box. Lawyers cannot give evidence and so cannot be the voice of an organization at a trial. Without the voice of a witness in the first place they can do very little. In most litigation the action is brought by an individual, the plaintiff. That person sits in the witness box and can actually speak passionately to a judge. He or she can also recall evidence from memory, or simply make evidence up. An individual starts with an advantage over organizations as a result. Organizations need to be able to deliver a message about risk loud and clear in a courtroom, but most of them have little or no voice that can be channelled into a trial process.
• Check that your organization has the ability to capture events as they occur in a manner that will not be counterproductive in court. Too often it is assumed that the processes of health and safety investigations, such as root-cause analysis, translate into effective evidence for court. Often they don’t.
• Upon resolution of a claim, record all lessons learned by applying a managed approach to litigation in a systematic way so that lessons are learned and the litigation capability of your organization can improve over time.
• Debriefing should be held regularly to ensure that no unit or individual in an organization comes away from taking part in a claim process with the wrong lessons learned.

If you have not thought about litigation risk management before, then think about it now. Winning in court requires effort. To quote Samuel Goldwyn: ‘The harder I work the luckier I get.’

3

Risk Issues in Operational Management


3.1

Managing risk through management systems
Mike James, Lloyds Register Quality Assurance (LRQA)

The purpose of this chapter is to examine the organizational issues associated with managing risk by means of a management systems approach. It has been written from the perspective of an independent business assurance provider and is based upon our experience gained in conducting assessments on behalf of many organizations throughout the world. At the end of the chapter there is a brief description of an evaluation technique developed by the Lloyds Register Group to address these issues.

The management of major risks outside the management system
At present, in many organizations, the major risks – for example, failure to achieve a strategic objective or risk of legal action – tend in part to be managed outside the scope of the formal management system. This is despite the fact that these organizations acknowledge that they invest significant sums of money in the implementation and maintenance of these systems. Independent research conducted on behalf of LRQA amongst the top managers of major global organizations has confirmed this.


There are a number of reasons why this occurs. In some cases it is because of a lack of understanding of the capability of the management system on behalf of the top management, and in others it is due to lack of understanding of the nature of the real risk(s). Increasingly it is because modern organizational design with its vast array of alternative structures and business models is making risk far less visible to top managers.

When considering risk, many people tend initially to think about downside risk, as greater weight tends to be placed upon this in the human mind. Very often managers confuse their greatest fear with the greatest risk, though these are very often not one and the same thing. On many occasions this can prove to be one of the greatest risks facing an organization because limited resources have been focused on addressing the wrong imperatives. Clearly risk needs to be viewed as some combination of likely occurrence and impact and not the event(s) an organization or prominent individual would most dread. Although a process of formalized risk weighting may take place, in reality this can still be influenced by subjective bias.

In this case, given this initial analysis it is perhaps not surprising that the manager will set up a discrete set of processes to deal with the perceived risk, in order to act quickly and – as he or she sees it – avoid the organizational bureaucracy associated with the management system. This is very often the case when there is a change in the top management. Initially this approach will work as it has all the focus and attention of a top manager who has the power to implement process change. However, as the process falls outside of the boundaries of the formal management system it will cease to be reviewed and audited on a regular basis. As other issues inevitably arise they will take priority and the risk will cease to be managed effectively. The lack of systematic management, without objective risk evaluation and reviews, also fails to address the risk of getting the risk assessment wrong in the first instance.

There are many similar examples of this type of behaviour across the spectrum of business risks. For example, in the age of knowledge-based competition, how many organizations know the age of their top designers, scientists, engineers, programmers and analysts? How many have identified succession planning as a major risk to their quality objectives, and how many have built this into their management system? Or is this seen as an HR matter?

Addressing upside risks
Let’s turn our attention to how an organization addresses the business opportunities (upside risks) in its market place. These are very often embodied in the goals and objectives of an organization. In this case the key question is: Are all the processes needed to manage the achievement of these goals within the scope of the management system? Our experience is that in many cases the answer to this question is no. Again, there are a number of very good reasons for this. Within an organization, this very often comes down to a lack of integration between the management system and the business system.

MANAGING RISK THROUGH MANAGEMENT SYSTEMS

The impact of changing organizational structures

In a wider context, as companies take advantage of technology, in particular the internet and the global labour market, they are designing new organizational structures in order to compete more effectively. It is a well-understood principle of business management that there needs to be a logical relationship between an organization’s strategy and structure, and that its strategy must determine its structure over the long run. In addition, there are now far more structural alternatives available and the new forms of organizational structure open up new strategic opportunities for organizations. The resulting effect has been a constant readjustment of company structures as CEOs seek to get a good fit between their organizations’ strategies and structures. The speed and regularity of these reorganizations means that there are very often significant time lags between new business structures and the systems and processes in place to control them. This is something we are encountering constantly within our clients.

Traditionally, management systems operate on the premise that authority and responsibility are exercised within the boundaries of a relatively fixed entity. However, in a global market with blurring organizational boundaries the modern organization now sees itself as a component in a series of networks of other organizations. This has manifested itself in the creation of global supply chains, outsourced functions and a far greater degree of collaboration among companies, including among competitors. One way of describing a network is as the least organized form of activity that can be described as an organization. Organizational networks make it far more difficult to exercise control and make risk far less visible. They make it possible for managers to believe that it doesn’t exist because it cannot be seen.

This can be a major issue – for example, when the management system is acting as part of the governance system in the areas of environment, health and safety or social accountability. In the current business climate, significant emphasis is placed upon an organization as a social entity as well as an economic one, and poor corporate behaviour can result in the destruction of shareholder value. Therefore, in this instance, although production can be outsourced the responsibility for the way in which it is carried out cannot. Companies have to find ways to apply management systems control to organizational networks.

Adopting management systems

Our research shows that over 60 per cent of directors believe that risks would be significantly reduced if their partners and suppliers adopted their management systems. And an equivalent number believed that their businesses would be more effective with common management systems across the whole value chain. Interestingly, fewer than 40 per cent said they encouraged this practice within their own organizations.

A further effect of organizational design and the move to knowledge-based competition has been a tendency to decentralize, pushing power closer to customers and markets. This includes empowering staff to take decisions and increasingly using softer methods of control such as mission, vision and values.

Again our research has found that senior management engagement and a prestigious brand were overwhelmingly seen as more effective than penalties and incentives in getting employees, suppliers and partners to comply with the management system.

In many cases, however, this can place the elements of the management system that deal with governance and require top-down central control in conflict with the need to act with local autonomy. Without the clearly defined responsibility and authority that exists within a management system, the power to take key decisions centrally can be inadvertently lost through decentralization. Managing conflicting risks centrally and locally is a major challenge, and in many cases organizations have struggled to find the right balance.

The increase in the use of formalized management system standards in recent years has had the effect of increasing the use of performance measures by organizations. What is measured sends out messages of what is important, so the key question is what to measure. There is a tendency to measure what can be measured, not what is important, and also a tendency to create too many measures. The latter has the effect of pouring concrete into a management system as decision making becomes paralyzed with information overload. It is vital for companies to understand the difference between key performance indicators (KPIs) and performance indicators. KPIs should be few in number, measure what matters and provide an indication of future performance. The right measures drive the right behaviour. There should be effective interaction between the management system and all relevant performance data. Finally the measurement of performance should be linked to business risk.

Managing risk successfully in the modern organization requires more than just an understanding of risk management techniques. Success depends on the organization’s ability to integrate aspects of its business management systems in a way that provides an indication of how likely the management system is to deliver the required performance in the future. This means that business risks have to be objectively evaluated and integrated into the management system. This is a difficult thing to achieve in practice.

The Integrator™ system approach

Lloyds Register Group has developed an advanced assessment technique called Integrator™ to evaluate how well an organization manages its risks using a management systems approach. The development of the technique has been informed by our expertise in risk management and our role in assessing the management systems of many of the world’s top organizations through the Group’s subsidiary, LRQA. This is not a simple numerical scoring system measuring past performance. The results of the evaluation are based upon three interlinked management indicators that measure business risk alignment with the management system, process management and performance measurement. By considering these three elements together, it is possible to evaluate the strengths and weaknesses of an organization’s ability to manage business risk in a systematic manner. The premise underpinning this is that successful organizational performance over the long run is enhanced through high levels of integration between business processes and mature management systems that are built into the organizational culture.

The actual assessment technique, known as PRIMAL, measures the maturity of the management system’s culture within an organization and is based upon LRQA’s proprietary version of the ‘plan, do, check, act’ cycle. So what constitutes a mature management systems culture?

• Top management are engaged with the management system, not just committed to its implementation.
• There has been a move beyond simply following instructions to just the way things are done.
• A small number of key metrics will show things are working and there will be a measurable reduction in risk.
• Business risks are mitigated in a cost effective way.

There are two additional elements used in the assessment, these are resource allocation, which enhances planning, and organizational learning, which leads to effective action in the long run. We have found in many cases that risks are correctly identified and systems and processes put in place to manage them. However, adequate resources are not made available and/or the techniques used have been proven to be ineffective in the past. By rigorously applying the PRIMAL assessment technique, an organization confronts the reality of its risk management approach and prevents the all too common behaviour of trying to solve the same problem in the same way with the same resources.

It is often said that unforeseen events are always unforeseen. Yet in reality, how many unforeseen events were that difficult to foresee? Putting that another way, should not an organization really have known then what it knows now?

3.2 Using scenario analysis and stress testing to quantify and manage operational risk

David Breden, HSBC Operational Risk Consultancy*

*The views expressed in this chapter are the author’s personal views and do not necessarily represent the views of the HSBC Group.

A common issue for operational risk managers is deciding which of the myriad risks that beset the firm is the one upon which it should focus its attention. Typically the operational risk manager will be receiving advice of a large number of small losses that relate to basic human error or to low-level fraud, and will feel comfortable managing these losses and resolving the operational issues that they raise. It may be harder to focus attention on a threat that to date has not affected the firm but that, if it occurred in certain adverse circumstances, would result in a significant loss event that might even threaten the future of the business. When looking at such risks, the manager will face the challenge of lack of interest as business units adopt a ‘can’t happen here’ mentality – basing their view on the fact that it has not happened yet. It will be necessary to remember that it is precisely the sort of event that people do not expect and are not prepared for that will have the greatest impact on the firm’s fortunes.

In order to focus the attention of business managers on the potential risk that has been identified, it is often helpful to develop a specific scenario to illustrate the scale of the problem in a stressed situation, and if possible highlight the potentially damaging effects of the risk. By analysing the potential threat, the manager will hopefully be able to suggest methods that can be employed to control or mitigate the risk and identify steps that could be taken if the threat materialized. With this information, organizations can prepare a response in the same way as we prepare for loss of a key building or system by developing contingency and business continuity plans.

Defining stress tests and scenario analysis

Both stress testing and scenario analysis have been used in industry for many years to enable management to consider possible courses of action to address uncertain or extreme market or other conditions. A stress test will tend to vary one element of a specific environment to examine how a particular object responds to the stressed situation. We test aeroplanes in wind tunnels to check performance under extreme conditions and crash cars into walls to see how well they would protect occupants in a crash scenario. With scenario analysis, however, a situation will be explored that affects a range of areas of the business to enable management to consider how a defined event will affect the totality of the business. In this way, for instance, an oil company will create a scenario based on a significant rise in oil prices and will consider how this will influence its overall strategy. Such techniques are already widely used in many circumstances. Use of such techniques in connection with a broader range of risks will help risk managers prepare themselves better for the potentially extreme risks that threaten their businesses.

There are numerous definitions of scenario analysis. Michael Porter defines a scenario as ‘an internally consistent view of what the future might turn out to be – not a forecast, but one possible future outcome’.1 This definition highlights the fact that we cannot be sure which of the various futures we will actually be called upon to work in, and reflects the fact that scenario analysis lets us prepare for several such options rather than staking our future on a random choice of a future that we consider most likely – or in many cases the future that will be most convenient for our interests. Gill Ringland, meanwhile, focuses on the management of uncertainty: ‘That part of strategic planning that relates to the tools and technologies for managing the uncertainties of the future’.2 Going slightly further, and once again drawing on Gill Ringland’s guide to the subject, we have another definition that stresses the creative element of scenario analysis: ‘A fairy tale or story’.3 This definition focuses upon the ability of business managers to build the scenarios that are of value to the business and that will test the firm’s ability to respond positively to the variety of different scenarios that it wishes to explore.

Methodologies for developing scenarios4

There are three basic methodologies for developing different scenarios. These are dealt with below in order of increasing complexity.

The expert scenario

To create an expert scenario, the firm will gather together a team of individuals who will have sufficient knowledge to be able to decide upon the sort of event that would have a material effect upon the firm but also the expertise to explore in depth the potential impact of the event on all areas of the firm’s business. From the point of view of risk management, the individuals will need to define how the described scenario will cause issues for the firm across its operations, and define in very broad terms the cost of the event and the relative probability of alternative outcomes of the scenario.

The morphological approach

This approach is broadly similar to the familiar risk self-assessment process. A scenario is identified and different variable elements are ranked High, Medium or Low. Using an example of a human pandemic, we might conclude that the probability of an outbreak in Asia is high, whilst it is moderate in Europe and low in America. In terms of business size, the financial impact of such a pandemic on our business may be assessed as moderate in Asia but high in America and Europe. On this basis the scenarios based on Europe or Asia might be prioritized over the American case. On the basis of this ranking, a scenario is developed that will produce a significant storyline for investigation. Such a scenario will need to be sufficiently severe to stretch the firm whilst at the same time being manageable for the firm.

The cross-impact approach

Under this approach, different elements are selected for analysis; the elements will influence both the final outcome and each other. An example of a cross impact approach is a Bayesian Net. Such approaches will generally require a computer model to work through the different impact scenarios.

Once the methodology has been selected, the scenario analysis process will proceed to follow these steps:

• Having chosen a scenario, you will select a series of key elements with a high degree of uncertainty on the business. For a bird ’flu outbreak this could include the location of the outbreak as compared to business volumes in the area, speed of contagion, anticipated severity, effect on national infrastructure and ability of staff to continue working remotely from office premises.
• Alternative behaviour patterns will then be described for the key elements as the planner seeks to factor in the way in which the business will react to each of the different scenarios depending on severity.
• Having described these scenarios, the business will then select a series of informative scenarios that it will choose to manage.

• Planners will develop the scenario story in conjunction with key business units who will define critical factors and results and explore the relationship between the different elements of the scenarios and management responses.

Once the scenario is complete, management will develop their strategy to manage this scenario.

Sources of information

When developing stress tests and scenario analysis, planners will have recourse to a series of information sources. In every case, the planner will be looking for information that will provide guidance on the potential frequency of the event or on the impact of that event if it should happen. Such information can be gathered from loss events or near misses that the business itself has experienced, external information related to loss events in other similar institutions, situations based on expert studies of the firm’s operations or analysis of the internal control environment or the overall business environment.

Internal loss events

All operational risk managers will be familiar with the concept of collecting details on internal loss events. They will seek to understand the loss and put in place mechanisms to ensure that the event does not recur. They may also use this data to model exposures. The information can also be used to develop potential loss scenarios. This procedure will seek to examine whether a certain loss event could have given rise to a significantly increased loss in the event that the circumstances of the loss changes. To use the data, the risk manager will need to analyse the event and identify the main factors that determine the size of the loss. If, for example, we are looking at a loss that has occurred as a result of the misdirection of a currency payment, we will identify four main drivers of loss amount:

• the size of the transaction (as more will be lost if the sum misdirected is large);
• the volatility between the currency pair in which the payment is conducted (a volatile currency pair will expose the firm to increased loss if rates move against its position);
• the time taken to resolve the situation (as claims for lost interest will increase with time);
• the willingness of the erroneous recipient of funds to return funds quickly.

By looking at the activity profile of the firm and varying the drivers indicated, it will be possible to create extreme scenarios to illustrate the potential tail of the exposure distribution even if any losses experienced to date have been small.

External loss events

Another valuable source for the development of scenarios is the use of external loss data. Here we seek to learn from the misfortunes of others, but attractive as that might seem, this source of information is not without its difficulties. Operational risk is highly context dependent, meaning that different firms will experience different effects from identical loss events. This means that events cannot be automatically considered relevant to a peer organization. To illustrate this point, we can consider the example of a systems failure in a highly automated firm that will be totally irrelevant to a firm using traditional manual methods. As a general rule, differences in the control frameworks of different companies will determine levels of exposure to specific risks, and hence on unexpected losses. That said, it is helpful to examine major loss events that appear in the press or in external loss databases and consider whether they are relevant to our own situation. If relevance can be established (and publicly available information is often sketchy), then the event can be used as a basis for creating a loss event scenario reflecting the impact of a similar event on our own organization.

Control or environmental factors

Another source of information for potential unexpected loss events can be found in qualitative management reports prepared, for example, by internal auditors that highlight areas where controls are overlooked or rarely carried out. Such areas are prime candidates for loss, and material threats can be developed into a scenario to explore the potential loss and, if cost effective, develop plans to address and rectify the weakness. Scenarios revolving around an event, made possible by non-application of a control structure, can be educational and can often encourage staff members to observe control requirements. Another source of information can be related to key risk or performance indicators that will highlight areas of increasing risk. Equally, a changing environment, activity in new areas or rapid growth are all areas where scenarios can be used to explore the evolving dangers facing the business.

Management or staff knowledge

Often, one of the main sources of information on potential risk exposures, however, is management or staff knowledge. The people in the organization who routinely interact with systems, processes, products and markets will be readily able to identify situations where structures are weak or require constant vigilance if error or failure is to be avoided. Risk identification workshops or risk self-assessment exercises can be run to explore the potential impact and likelihood of such events.

Advantages of scenario planning

Scenario planning presents management with a series of benefits that can help increase organizational resilience and preparedness for unexpected events. In the same way as organizations devise and test business recovery and continuity plans, the creation of developed scenarios to explore extreme scenarios allows firms to prepare for storms on the horizon. By identifying a range of risks we are able to prepare our business to meet a series of different circumstances rather than simply selecting a specific situation to plan for. Additionally, scenario analysis serves an educational purpose by involving business unit management in thinking about the different threats that confront the organization, understanding the full potential impact of the events and then creating strategies to address and minimize both the impacts and the probability of the events occurring. The result of the activity will be a greater consciousness of the firm’s risk environment and a fuller understanding of the scale of possible loss in the event of an occurrence. Once this knowledge is acquired, there should be a greater willingness to embrace and observe the control structures that have been put in place, as the scale of the potential problems will be understood.

The performance of scenario analysis should also help us in the management of the firm’s risk profile. As we create scenarios, it will become clear that some of the scenarios we identify would have a catastrophic impact if they actually happened. The first response to such a scenario will probably be to try to reduce the likelihood of the event by introducing additional control structures. On other occasions, the challenge may be to seek a way of transferring risk away from the firm through insurance or by creating a hedge to minimize risk impact. Another alternative might be to put in place a recovery plan to decide how staff members will react to the situation and to what extent they are able to manage the scenario, where preparation in advance can help us minimize the potential impact of the scenario. In this way we can prepare the business and evaluate the cost effectiveness of different alternative risk limitation actions.

Shortcomings of scenario analysis

However, there are challenges to creating informative scenarios. One of the most significant is to create a scenario that is sufficiently severe to challenge the firm whilst at the same time maintaining realism. It is a basic fact that it is possible to create scenarios so severe that staff and management dismiss them as unrealistic or simply conclude that it is impossible to successfully manage them. So the challenge is that if the scenario is too bland we will conclude that we can easily manage the situation and will fail to address the potential threat; however, if it is too severe the exercise will be deemed unrealistic and thus also be rendered valueless. Our target, therefore, is to identify a range of stretching but manageable scenarios.

Another issue is that scenarios are essentially subjective: the likelihood and potential impact of the risk will be based on the best estimates of business experts. Of course the experts can be wrong and, what is more, they may fail to identify a specific scenario that then comes to pass, catching the firm unprepared. There is much that we do not know about the risks that may affect us in the future, and we will be unable to prepare ourselves for the ‘unknown unknowns’. That said, preparation for known scenarios will reduce the potential for unexpected shocks to our business.

The use of scenario analysis in the quantification of operational risk

The quantification of operational risk presents a challenge, because most successful companies will have little data on the high-impact losses caused by the development of extreme scenarios. We are after all exploring the regions of unexpected loss, and as a result many of the assessments made will be based on the informed judgement of business experts. We will seek information about the likelihood of an event and the potential impact of that event, but in doing so will probably wish to allow for uncertainty by describing both likelihood and impact in the form of a distribution between our estimate of a best-case and worst-case scenario. By using Monte Carlo analysis or other statistical techniques, we can then run thousands of iterations of the same data to determine the range of potential impacts between a best-case scenario, where impacts cluster at the low end of estimates, and a worst-case scenario where our nightmares are realized, with greatest concentration on our best estimate. By modelling the risk and assigning monetary values to loss we can select the risks that constitute the biggest threat and decide how much we are prepared to invest to address the risks. Management can then use this information to inform their decision-making process.

Conclusion

A major factor in company management today is the avoidance of surprises. Profit warnings are greeted with displeasure, and senior management is unlikely to relish the prospect of revealing a fall in levels of performance due to unexpected operational factors. It therefore becomes a matter of self-preservation to determine as far as possible what risks are most likely to impact significantly on the firm’s trading performance, explore the extent of the potential problems, and then develop strategies and plans to address these issues. Scenario analysis developed as a methodology for allowing firms to adopt strategic direction in the face of an uncertain future. Risk managers are today using the technique to meet the uncertain threats posed by operational risk.

Notes

1. M Porter (1985) Competitive Advantage, Free Press, New York.
2. G Ringland (2006) Scenario Planning: Managing for the future, John Wiley and Sons.
3. G Ringland (2006) Scenario Planning: Managing for the future, John Wiley and Sons.
4. In this section I am indebted to A Guidance to Business Modelling, 2nd edition (2005), Economist Books.
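The Monte Carlo quantification described in this chapter, applied to the misdirected currency payment and its four loss drivers from the internal loss events discussion, as an added example that is not from the book. The three-point estimates, the interest rate, the slow-return multiplier and the loss formula are all assumptions made for illustration; the last function pins one driver at a time at its worst case, in the sense of the chapter's stress test.

```python
"""Monte Carlo quantification of one operational-risk scenario (added example)."""
import math
import random

# Constructed three-point expert estimates: (best case, best estimate, worst case).
# The four severity drivers are the ones listed for a misdirected currency
# payment; every number below is made up for illustration.
ESTIMATES = {
    "events_per_year": (0.2, 1.0, 6.0),       # likelihood of the event
    "amount": (10_000, 500_000, 25_000_000),  # size of the transaction
    "daily_vol": (0.002, 0.006, 0.030),       # volatility of the currency pair
    "days_to_resolve": (1, 3, 20),            # time taken to resolve the situation
    "p_slow_return": (0.01, 0.05, 0.40),      # recipient unwilling to return funds quickly
}
SEVERITY_DRIVERS = ("amount", "daily_vol", "days_to_resolve", "p_slow_return")
ANNUAL_RATE = 0.05  # assumption: rate used for lost-interest claims
SLOW_FACTOR = 5     # assumption: an unwilling recipient multiplies resolution time


def draw(rng, name, pinned=None):
    """Triangular draw peaking at the best estimate; a pinned driver is stressed."""
    low, mode, high = ESTIMATES[name]
    value = rng.triangular(low, high, mode)  # always drawn, so random streams stay aligned
    return high if name == pinned else value


def poisson(rng, lam):
    """Number of events in one year (Knuth's multiplication method)."""
    limit, count, product = math.exp(-lam), 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def event_loss(rng, pinned=None):
    """Loss from one misdirected payment: adverse FX move plus lost-interest claim."""
    amount = draw(rng, "amount", pinned)
    vol = draw(rng, "daily_vol", pinned)
    days = draw(rng, "days_to_resolve", pinned)
    p_slow = draw(rng, "p_slow_return", pinned)
    if rng.random() < p_slow:
        days *= SLOW_FACTOR
    # Only a rate move against the firm's position costs money; gains are ignored.
    adverse_move = max(0.0, rng.gauss(0.0, 1.0)) * vol * math.sqrt(days)
    interest_claim = amount * ANNUAL_RATE * days / 360
    return amount * adverse_move + interest_claim


def simulate(iterations=20_000, seed=2008, pinned=None):
    """Sorted simulated annual losses; `pinned` holds one driver at its worst case."""
    rng = random.Random(seed)
    losses = []
    for _ in range(iterations):
        events = poisson(rng, draw(rng, "events_per_year", pinned))
        losses.append(sum(event_loss(rng, pinned) for _ in range(events)))
    return sorted(losses)


def percentile(sorted_losses, q):
    """Order statistic at quantile q of an already sorted list."""
    return sorted_losses[int(q * (len(sorted_losses) - 1))]


def summarize(sorted_losses):
    """Mean, median and tail figures of the simulated loss distribution."""
    return {
        "mean": sum(sorted_losses) / len(sorted_losses),
        "p50": percentile(sorted_losses, 0.50),
        "p95": percentile(sorted_losses, 0.95),
        "p99": percentile(sorted_losses, 0.99),
        "worst": sorted_losses[-1],
    }


def stress_table(iterations=20_000, seed=2008):
    """Stress test: pin one driver at a time and compare the 99th percentile."""
    table = {"base": summarize(simulate(iterations, seed))["p99"]}
    for name in SEVERITY_DRIVERS:
        table[name] = summarize(simulate(iterations, seed, pinned=name))["p99"]
    return table


if __name__ == "__main__":
    for key, value in summarize(simulate()).items():
        print(f"{key:>6}: {value:>14,.0f}")
    for key, value in stress_table().items():
        print(f"p99 with {key:<16} {value:>14,.0f}")
```

Because the pinned runs reuse the same random stream as the base run, the differences in the stress table come from the stressed driver alone rather than from sampling noise.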

3.3 Critical engineering and risk management: avoiding complacency

Paul Saville-King, Norland Managed Services Limited

Introduction

The ever-increasing demands of customers, combined with the need to sustain competitive advantage in a global economy, have driven a pace of change that today’s business has never experienced before. Challenges of 24/7 accessibility, speedier service and the drive for lower costs mean significant technology and communications investments are necessary to stay ahead. These changes are further centralizing the role of technology in corporate strategy and increasing a company’s dependency on information and communication systems. Add the result of global terrorism, the failure of trusted household names such as Enron and WorldCom, and the proliferation of international regulations such as Basel II and Sarbanes–Oxley, and the landscape is vastly different. One does not have to look too far for evidence that this is affecting the world of facilities management in the design and day-to-day operation of increasingly complex buildings, and the engineering infrastructure that supports them.

However, it appears widely unrecognized by risk managers and boardrooms just how much risk there is for business disruption caused by the engineering infrastructure. A study by the Chartered Management Institute (CMI)1 found that 70 per cent of respondents had concerns about IT systems failures and 64 per cent had concerns about communications failures. Actual disruptions followed a similar trend with 41 per cent of IT disruptions and 25 per cent of communications disruptions. Only 6 per cent of respondents to a BCI survey2 selected loss of power as their biggest threat, but this is understandable in the current ‘terror-focused’ geopolitical context. At a recent 2006 business continuity seminar there was not one agenda item relating to operational risk in an engineering infrastructure sense, and the hall of exhibitors had a notable absence of engineering service providers. This is the second year that this has been the case.

One could assert that this is a failure of the ‘risk industry’ to recognize the potential for the immediate and the catastrophic impact associated with infrastructure failure. This omission combines with the relatively high probabilities of such disruption happening in heavily technology-dependent businesses with traditional maintenance approaches. It appears that boardrooms sit in relative comfort, thinking that the engineering aspects of their operational risk profile are the most tangible and controllable risks they face. This is not the case, and the traditional mechanical and electrical services tender process drives out costs by encouraging savings in the most intangible yet critical elements of service design. Engineers’ holidays and training are simple examples; these may be easy short-term savings for hungry contractors eager for new business but they will expose the client to long-term risks associated with increased staff attrition and low levels of critical engineering competence. Combine the above challenges with the increased ‘risk awareness’ that now permeates boardrooms, and what you get is a new horizon for the management and audit of ‘operational risk’.

Why is critical engineering and risk management (CERM) important?

Simply put, no power or cooling = no communications or IT = no business. If your business is dependent on technology for communications, IT for its core business activity (for example Amazon) then you may be at increased risk. Take Reuters, which according to media reports was offline for 10 hours and unable to provide the market data that is their core product following a power outage. Share prices suffer from engineering complacency and under-investment.

As with business continuity planning (BCP), investment banks are leading the way in managing their critical engineering systems, even in the face of competitive cost pressures. Banks are also adept at planning to meet the future challenges posed by increasing infrastructure complexity, even in the face of the common conflicts between IT and facilities management departments. Building owners and management should network with facilities staff and executives from this group to add a new perspective on engineering risk management and battle to convince core business leaders that these ‘cost centres’ require continued levels of significant investment. The question then is: ‘What can I do to avoid catastrophic failure of my engineering infrastructure and the resulting impact to my business?’

revenue loss. especially those of an engineering disposition. In financial terms alone.4 That equates to over $100,000 per minute. In some respects the industry as a whole is still 15 years behind the risk management and banking sectors.5 Without doubt Sarbanes–Oxley has spread its tentacles into many areas of operational risk but it seems not yet to have made a material difference where this risk is of an immediate and dramatic systemic nature (through the engineering infrastructure). Unfortunately for some. visibility.1) of critical engineering and risk management cover the most important aspects of this approach. learning and improvement. .4 million per hour. productivity loss. The five fundamental pillars (see Figure 3. although some pioneering companies are attempting to change the industry. According to Gartner research. 2.3. especially in the softer elements that produce the most significant risks. the costs of downtime include: 1. downtime for a brokerage/trading institute can run at around $6. concentrating on the less tangible softer elements of managing risk takes people out of their comfort zone. A traditional mechanical and electrical maintenance services partner may not be equipped – or have the right culture and awareness – to deliver adequate risk protection. Industry estimates vary wildly about the actual costs of downtime and there are tangible and intangible elements of this to consider. damaged reputation. impaired financial performance. 4. compliance. namely: • • • • • focus. consistency. 3. The London Chamber of Commerce found that 90 per cent of businesses that lost data in a major disaster were forced to shut down after two years. Extensive data analysis3 has demonstrated that around 90 per cent of catastrophic business-critical impact related to human or process error and not to the design of the infrastructure at all.

3. These softer aspects pose measurement challenges. and this may be why historically many service providers and facility operators have hesitated to challenge ambiguity and define them more adequately. In reality this is often misaligned with the activities critical to keeping the customers’ core business operational. it is far better to include measures and KPIs that reflect the inputs or levers that will influence the maximization of uptime. [Figure 3.1 CERM pillars. Labels: Effective CERM, Focus, Visibility, Compliance, Learning, Consistency, Right culture.] The five pillars Focus Focus relates to the need to concentrate specifications. Examples include many of the softer elements of service provision such as specific CERM competencies. even with a system-plus-system design. Examples in this respect would include challenging the norms around traditional key performance indicators (KPIs). What does this achieve except to cause conflict between customers and supply partners even when the intent is correct? Surely.999 per cent availability) when this is recognized by industry experts6 as impossible. staff motivation and levels of proactive scenario training delivery. systems and processes on activities completely aligned with reducing or eliminating risk from the critical engineering infrastructure. Many organizations include uptime specifications within service provider contracts (such as 99. Traditional maintenance specifications often have measures around completed maintenance tasks or reactive tasks completed on time.

These principles seem simple but in practice are rare in most maintenance operations. across boundaries and at its ultimate between homogeneous customer groups. Compliance Compliance relates to the need to ensure that critical engineering activities and measurements. At its most basic level. This requires a time commitment that many incorrectly judge to be a poor investment. A software control permit not only forces clarity about ‘the what’ and ‘the when’ but it also forces consideration about contingency measures and fall-back positions should things not go according to plan. In one example an ‘old’ revision of software – accidentally installed – on an uninterruptible power supply (UPS) protecting hundreds of trading positions caused an immediate and unplanned shutdown despite rigorous prior change management approvals. It is more about stakeholder assurance and. thereby reducing potential risk significantly. Around 90 per cent of existing maintenance systems can be modified without any major cost or disruption to the business. Some senior managers have lost their jobs through failure to control the software aspects of what would otherwise have been a straightforward maintenance or project activity. This one event cost hundreds of millions of dollars of lost revenue for an investment bank. Traditional audit processes focus on antiquated elements of . Additionally. this pillar relates to the need to have consistent core processes that have passed resilience tests and deliver effective risk management from an engineering perspective. At the more complex end of the spectrum. This should involve new ways of working and perhaps the introduction of technologies such as hand-held units or tried-and-tested non-intrusive maintenance techniques. Primarily.
this review allows for a complete realignment of the planned preventative maintenance (PPM) system to focus activities on those elements of the path that are most effective for risk mitigation. Once completed. systemic interconnectivity and security/accessibility. when combined with adequate visibility. Consistency Consistency relates to the consistent application of ‘hard earned’ local knowledge. consistency alludes to the need to ensure that tacit knowledge7 is transferred between team members. for example evolving traditional permits in use in facilities management and mechanical and electrical engineering to a system specifically designed for authorizing works relating to critical equipment and areas. provides managers and board members with peace of mind. Another essential control mechanism is the software change permit. and the critical processes that support them are effective. CERM best practice would recommend that the areas critical to the customer’s core business are identified in a joint working group (for example the data centre or trading floors) and as a result critical engineering paths are mapped holistically. This should be in terms of geographic location. tested systems and procedures. this provides a platform for measurement and benchmarking across geographic regions or even between client groups. It is more than auditing although this is an essential element.

Events happen despite the best systems in the world and. and sophisticated yet simple dependency modelling systems can facilitate effective traffic light analysis – via a web browser – of the status of all systems. Learning and improvement Learning and improvement demonstrate CERM as being a dynamically evolving concept. and serious thought and investment are essential to have adequate and effective levels of visibility. usually around financial processes. the ‘soft’ elements of critical engineering such as a . processes. especially if the unfortunate should happen and difficult questions are asked by shareholders or board members. union strikes and potential fuel supply shortages). structure. This is probably the most important aspect of CERM. Again. shared values (culture). apart from a reliable CERM incident response team. This approach is not ‘critically aligned’ and should be prioritized for change. These headings provide useful insight into the concept that these elements act in harmony (or not) and that one cannot focus only on the ‘hard’ elements such as systems and processes. performance. Technology has an important role to play here. An example of this is the CERM risk register. ‘Soft’ elements such as management style. CERM strategy or ‘culture’ are just as likely to be complex root causes of system failure and far harder to eliminate. statutory maintenance compliance and performance against traditional service level agreements (SLAs). but also includes a success register for risks that have been systematically eliminated. The sharing and leverage of local knowledge also fall under this category. Examples include the implementation of a critical incident reporting system. This is more difficult than it seems. system capacities and competencies no matter how large or globally dispersed a company is.
This is made possible through the accurate reporting of critical engineering exceptions and potential threats that would otherwise need to be ‘mined’ out of the daily furore. which may or may not contain essential information that could prevent a future business impact. staff. Compliance must also pick up important ‘noise’. Structure this to reflect the McKinsey 7S model with headings of systems. which records not only detail of actual business impact but records – and more importantly encourages – the reporting of near-miss data. and a technological solution for knowledge management will not solve the problem. strategy. your service provider or expert should ensure that effective lessons-learned exercises are carried out. This demonstrates a progressive and unrelenting ‘war on risk’. Visibility Visibility concerns the ability of the management team to focus on delivering or supporting the core business through having peace of mind about engineering risk. Most near-miss recording systems fail to differentiate those events that result in a business process change or improvement. which not only records current and future risks relating to the engineering infrastructure (such as design issues. skills. skills and (management) style. despite this being a key ingredient for generating enthusiasm and buy-in from the engineering team.

• correct launch and communication of the need for a more robust approach to critical engineering and risk management. customers. management and peer workers. without the right culture and behaviours in the first place. and at worst deliberately disregarded. • celebration of successes. Culture and behaviours It is clear that you can have the best systems. • formal knowledge-sharing programmes. both formal and informal. risk-aware culture. • appraisal alignment incorporating risk mitigating/highlighting behaviours. no matter how small they seem at first. CERM competencies and varied communications mediums are far more effective in this regard. not just experience and qualification. these processes will be poorly applied at best. technology and processes in the world but. • formal training on systems and processes. • 360 appraisal feedback from suppliers. There are several ‘levers’ that can be applied to driving the right behaviours and culture required for critical environments as follows: • stringent recruitment and selection in the first place based on required behaviours. • reward and recognition. • constant communication of progress and the establishment of clear metrics. [Figure 3.3.2 Risk evaluation matrix. Axes: systems (weak/few to many/robust) against behaviours (unaligned to aligned). Quadrants: uphill struggle, managed risk position, unacceptable risk position, downhill ride.]

October. 2.3. Review formally and audit on a regular basis. LCCI. 5. and when implementing a new CERM model – depending on the starting point – it can take up to two years to change to the desired state. Notes 1. Uptime Institute. 3. London (440 respondents). Systems alone can be implemented by a proficient operator in as little as three months. London. 2. which when followed will reduce your exposure to engineering infrastructure risks: 1. Tacit knowledge is that which enters into the production of behaviours but which is not ordinarily accessible to the consciousness. it is important to select a service provider that recognizes the redundancy of traditional maintenance and is willing to work closely with you to implement a completely new model. A live online database of Norland Managed Services customers – CERMView™. London Chamber of Commerce and Industry. Choose a CERM-aware partner. Meta Group. Five steps to peace of mind The following are five recommended steps. This takes time.2 provides a framework for you to assess your risk position in relation to behaviours/culture versus systems/processes. The model shown in Figure 3. CMI (2005) Business Continuity Management. The right approach to CERM is not a collection of isolated systems and processes but a cohesive collation of many elements in a new model. 6. CMI. Be clear what you want to achieve and set SMART targets. Realign your maintenance model (five pillars). What should be clear to you is that it is not enough to rely on systems and processes – it is the culture that counts. Drive hard on the ‘soft stuff’. Disaster Recovery: Business tips for survival. 3. 5. Fibre Channel Industry Association. . 13–18 March 2005. Business Continuity Institute (BCI) in conjunction with IMP Events and sponsored by Hitachi Data Systems. A new model Although the elements above are intended to provoke thought and evaluation of your current approach.
Meta Group (2000) IT Performance Engineering and Measurement Strategies: Quantifying performance and loss. 4. 4. 7. based on the above.

3.4 The role of strategic purchasing and supply management in risk management

Emma Brooks, Chartered Institute of Purchasing & Supply (CIPS)

Value generators and value protectors

Procurement’s profile in organizations is on the rise. A wider spend remit is being influenced and internal barriers are being broken. This has manifested itself through enhanced relationship-management skills in purchasing teams both internally and externally. Some of the most valuable assets the purchasing team can bring to an organization is due diligence of vendor rating and regular detailed monitoring of supplier performance to identify, monitor and manage enterprise-wide risks whilst encouraging innovation and continuous improvement. This resource is yet to be fully exploited and, although procurement has made some progress in influencing spend areas such as marketing, HR and legal services,


international terrorism and civil contingencies requirements have propelled corporate risk management and security into the headlines. A CIPS-commissioned report compiled by Dr Helen Peck from the Resilience Centre at Cranfield University found that: High-profile events such as corporate governance scandals. The role of purchasing and supply management (P&SM) professionals has been transformed and. there has been a shift from a transactional. summarizes the role of procurement as that of ‘value generator and value protector’. Director of the Supply Chain Management Research Group at Manchester Business School. So why are they still struggling to get involved and noticed? It is paramount for procurement professionals to ensure they have the ear of the board in order to play a key role in risk management strategies and prove their worth. The role of procurement is that of risk management and building robust supply chains. As we operate in a global environment. research shows that procurement professionals still have some way to go if they are to catch up in the risk management stakes. . that can weather disruptions with minimal impact. However. must be tied back into shareholder value and customer perceptions. McKinsey’s also report in their recent ‘Understanding supply chain risk’ global survey. To become more strategically focused. the skills and value that procurement can add to the purchasing process have yet to be maximized on a company-wide scale. backend administrative function to a fully embedded. while their presence is deep rooted in manufacturing and retail. Procurement professionals are taking on a more consultative role and are working alongside business units to deliver shared goals. although they appear to have had relatively little impact on awareness of risk management in purchasing and supply. All initiatives. cross-departmental. Once you have established what the important issues are.
Professor Paul Cousins. that almost two-thirds of respondents said that the risks to their supply chain had increased over the past five years. Successful risk management programmes assess the risk in terms of likelihood and impact as well as what it means to the organization. in many industries. Why is this important to my organization? How will it impact value? Until this connection is made it is difficult to obtain senior management buy-in or even to be taken seriously at all. as procurement teams still struggle to make an impact in the service industry. this pattern is likely to continue and risk management will become a major focus for P&SM professionals. including risk management programmes. and procurement professionals are the custodians of this process. both upstream and downstream. P&SM professionals have begun to investigate what is important to the organization and the end customer in order to identify what delivers both customer and shareholder value. you then begin to understand the risks and vulnerable points and can start building a resilience plan. There are vast sectorial differences too. value-adding function.

The business risk environment Modern organizations operate in a very commercially pressured global environment. so finding a supplier to switch to may be impossible. and risks must be taken in order to remain efficient and competitive. low-cost-country sourcing and lean supply have exposed us to new risks but have also given us the experience to mitigate and avoid their impacts. We need to be able to activate contingency plans at short notice. The right tools for the job Procurement professionals have a wealth of tools and skills that are appropriate for risk management. providing 101 reasons for not doing something. This is . BA more than anyone discovered these risks when a breakdown of relationships with Gate Gourmet resulted in their planes being grounded for several days in 2005. Like finance and auditors. A more modern approach is to find solutions and provide a robust framework for business to operate in. Competition is strong. The packaging industry is one example where there are only a few large consolidated businesses. procurement professionals have had a reputation for being risk averse. the appropriate style of relationship to manage a supplier would usually be partnership. If you are able to price a risk or disaster in terms of the cost of the loss. As procurement professionals. Industries have also become consolidated and if one major player is affected the knock-on effects can be catastrophic. Wherever possible. Organizations must become agile and risk aware. Whenever an organization is significantly vulnerable to the consequences of failure of supply. from close working relationships within both buying and supplying organizations to monitoring and performance measurement techniques. We often see risks as having a negative impact on our organization. you are then able to cost or calculate a ‘saving’ on avoiding that loss.
Trends such as reducing the supply base and using sole sourcing have forged closer working relationships in order to collectively monitor and manage risks in the supply chain. There is often no ‘slack’ to withstand a major movement in an organization’s operations. especially when nonstandard products are used. Therefore the slightest disruption to any element of their supply chain can have devastating results. the purchasing organization should adopt a partnering approach to the important and vulnerable supplier relationships as a way of mitigating the risks of supply chain vulnerability. with risk often come opportunities and innovation and not always threats. Organizations have become very lean and mostly operate on a just-in-time basis. Consolidation may make it almost impossible to switch to alternative suppliers who have the same capacity. and this is one way of demonstrating the value we can add to an enterprise-wide risk management programme. allowing scope for risk takers. BA probably did not view their catering supplier as a particularly high risk at the time. and closely monitoring the process step by step. we are experienced in calculating savings. Generally there is no slack in these manufacturers’ capacity either. Procurement practices such as outsourcing. however.

The role of the P&SM professional is to pre-empt these risks and put processes in place to highlight. Partnering and outsourcing have led to improved relationships and more prudent performance measurement tools. She found that in nearly three cases out of four. customer perception and value are considered throughout the procurement process as well as shareholder value. People. There have been several reported incidents where bank account details have been sold from customer call centres. mitigate and avoid them where necessary. over 81 per cent of manufacturing businesses. and marked differences appear between the sectors. data backup and business continuity plans. relationships and performance. customer requirements emerged as the overall front-runner. Critical issues such as these should be written into the supplier contract and the relevant key performance indicators logged and regularly monitored. For some industries. or opportunities successfully managed to fruition. Just over 60 per cent also indicated that availability of company products/services was also routinely included. where customer-facing personnel deal with highly personal and data-protected information. A starting place is thorough pre-screening of suppliers prior to contract negotiation. comprehensive risk assessments can be profiled and problems foreseen and avoided. restricted access to reporting and the storage of customer data are just some examples of issues that should be considered. not to mention the reputation impact on customer security assurance. as well as system support. As ever. When respondents were asked to identify the single most important factor influencing awareness of purchasing and supply risk within their own organizations. costing one particular bank over £230,000. Successfully managed risk taking is also likely to attract attention. It is good practice to carry out site visits and screening of the supplier’s internal processes.
innovation or sales through the successful mitigation of risks will also raise the profile of the procurement team. Showcasing examples of increased profit. Through carefully monitoring supplier contracts. Lead time to customer featured in routine monitoring in 95 per cent of public sector organizations. nearly 65 per cent of the transport. Example: risk management for temporary staff The recruitment and management of temporary labour is often a very strategic-spend category for organizations. respondents stated that lead time to customer is included in routine monitoring. In a call centre environment. . indeed a powerful tool for obtaining proper attention from the board and shareholders. integrity and appearance can have a major impact on the performance and image of your organization. criteria such as monitoring staff calls and e-mail. Dr Peck’s research also looked at downstream indicators that impact on customer satisfaction to establish the level of involvement that procurement teams had in measuring and monitoring these indices. the risks of getting it wrong are high. the use of USB data sticks and CDs in hard drives. their quality of work and overall attitude. retail and distribution sector and under 64 per cent of financial/business services. As value generators and protectors. the devil is in the detail.

risks are generally reduced and often avoided. These aspects of the purchase-to-pay process are of equal importance as they have the potential to damage a strong working relationship between buyer and supplier and therefore affect security of supply. Fixed-price contracts. are more commonplace. For financial services companies. it was changes in business strategy that drove change. This value-adding. Where this level of detail and potential risk exists. Suppliers should be encouraged to self-audit and report back with regular management information. Risk management in the supply chain is more about resilience. Analysis of how companies assessed and managed risk revealed a complex picture with distinct differences between sectors. it is advisable to regularly audit both the supplier’s and buying organization’s processes. allowing scope for innovation and process improvement from both parties. risk is on the increase and is part and parcel of our business lives. A lack of time and resources is a common problem. The aged debt for temporary staff agencies is a problem that has been around for some time. collaborative relationships and closely monitored key performance indicators are common across most sectors. Relationships must be forged to ensure that both parties have a shared and mutually agreed value proposition. The risk management tools. however. The role of the procurement professional is to ensure that both internal and external contacts are on red alert to monitor the identified weakness in the supply chain and act quickly to remedy them. For example. Often it cannot be avoided. and ensure it is given the time and attention it requires. Summary The Cranfield study concluded that when it comes to best-practice risk management in purchasing and supply. Once the supplier has been awarded the contract. such as getting the right person on site in a timely manner and reconciling accounts.
It is not only the confidentiality and data protection issues that must be considered. therefore procurement professionals need to raise the awareness and understanding of supply chain risk management tools and techniques in order to obtain recognition at a senior management level. end-to-end risk consideration is where procurement professionals really make a difference. while recent disruptions to supply were a major influence in manufacturing. By meeting on a regular basis and implementing a process of continuous improvement of joint objectives. too large and it will see you as a nuisance and be less likely to employ joint initiatives. Selecting the right supplier to engage with is critical: too small and its internal resources may not stand the pace. issues that are perceived as more simple. one size is unlikely to fit all. so a method for managing and minimizing its effects is the only way forward. it was corporate responsibility risks that had the greatest impact in retail and the public sector. a collaborative relationship should be formed. . and the buyer should carry out spot checks and regular scheduled audits. are often overlooked.

3.5 Carrot and stick: why BS 25999 is set to change the way the UK does business

Keith Tilley, SunGard Availability Services (UK) Limited

The risk landscape has changed dramatically over the past 10 years and the majority of organizations are ill prepared to meet these threats. According to From Adversity to Availability, SunGard Availability Services’ authoritative investigation into the current state of the Information Availability and business continuity market, just 41 per cent of the FTSE 250 are fully prepared for forced relocation. And with adoption of business continuity management (BCM) being particularly poor among SMEs, that figure is even worse. This state of affairs could be set to change with the advent of BS 25999, the first national standard in BCM, which looks set to make BCM a prerequisite for doing business in the UK in the years to come.


to ‘exercise reasonable care in the performance of their work’ and act in the best interest of their stakeholders. A staggering 658 pages of comments were subsequently submitted. and even the very survival. an all-encompassing strategy that spans BCM. containment and recovery and by identifying. nor will it protect your organisation against system downtime. as the Institute of Directors notes. failure to exercise proper care is not just a failure of moral responsibility but also incurs the risk of personal liability. disaster recovery and solutions for always-on environments: all the factors instrumental in keeping people (employees and customers) and information connected at all times. One of the common misconceptions exploded by the From Adversity to Availability report is that insurance is an adequate substitute for good BCM. The reasons behind this apparent lack of interest are partly historic – in its infancy. it only provides compensation. The new standard is intended to be a framework that organizations of all types can follow to achieve a common standard. Until now. the majority of board directors have been somewhat apathetic about Information Availability despite its fundamental importance to the fortunes. Misconceptions lead to complacency As the industry pioneer. It sets out what organizations need to do. not how they should do it. But. Insurance will not enable your organisation to keep operating through a disaster. business interruption and loss. BCM set to move up the corporate agenda Since BS 25999 was proposed it has been the subject of intense debate. it was downloaded an unprecedented 5,000 times. It is no exaggeration to say it has been eagerly awaited. SunGard is a passionate proponent of ‘Information Availability’ (IA). creating the possibility of criminal and civil actions against the individual concerned. When the draft document was posted on the British Standards Institution’s website as part of the public consultation. While directors have long had a statutory obligation. in the report’s words: Insurance provides no protection. of their businesses.
It is SunGard’s position that Information Availability is such a crucial aspect of good corporate governance that failure to take it into consideration could be considered dereliction of duty. When the draft document was posted on the British Standards Institution’s website as part of the public consultation. removing and addressing areas of operational risk. disaster recovery was traditionally limited to recovering technology and regarded as ‘the IT department’s problem’ – but also because misconceptions have led to complacency. Insurance will help you recover your infrastructure and your premises but provides no recompense for the loss of the most critical asset: your information. As our report points out. of their businesses. it is only with the advent of BS 25999 that there is an objective benchmark against which they can be judged. The overriding purpose of IA may be simply stated as being to avoid downtime and keep the business running – by planning and prevention. It is deliberately not prescriptive because it has to be relevant to . in the report’s words: Insurance provides no protection.

However. It could give companies a competitive edge when pitching for new business. . As the leading provider of Information Availability solutions since 1978. take-up of the standard is widespread. no matter what. BS 25999 is likely to be a catalyst in gaining senior management buy-in and raising the profile of business continuity within an organization. private and voluntary sectors. The comprehensive range of SunGard’s Information Availability solutions means that whatever a company’s size. Unlike its predecessor. when implemented wholeheartedly and not just as a box-ticking exercise. typically. Compliance with the standard reduces the cost of evaluating suppliers. for the first time. all. A poll of companies around the world by the Economist Intelligence Unit found that 47 per cent of risk managers questioned claimed that more than 24 hours’ downtime could seriously jeopardize the survival of the entire business. while if. Business continuity managers have long argued that BCM should be regarded as an investment not an expense. and the new British standard gives this argument more weight. system to system. BS 25999 has been designed as a universal benchmark rather than being specific to any single industry sector. a recommended testing schedule has been enshrined in official BCM guidelines. sector or budget. commercial pressures mean that BS 25999 is likely to achieve much greater take-up. SunGard is well placed to advise organizations on the service – or. as expected. depending on the tolerance for downtime. the Standard insists that the scope of business processes covered is pre-defined at senior management level and that a director signs off the plans. This fact alone means that BS 25999. Although in practice this may well be delegated. What’s the answer? SunGard offers a range of services designed to keep its customers in business. 
which many in the public sector argued was too heavily geared to the financial services industry. In addition. accreditation by these suppliers or third-party service providers is a simple way of ensuring that all the parties involved have adequate contingency plans in place. it only need pay for the level of protection it needs. from small business to multinationals and across the public. de-risks the supply chain network and allows organizations to differentiate themselves by demonstrating they provide a quality and reliable service. This varies from company to company. PAS 56. will improve an organization’s survivability in the event of disaster. That means for any organization that outsources services or relies on a supply chain in any way. firms that lack the requisite badge may be at a disadvantage. the combination of services – that will best meet their specific IA needs. It does not contain a groundbreaking new approach – just tried and tested processes and best practice.

This requires a major cultural shift. a holistic Information Availability strategy combines professional services. hugely resilient data centres. giving them immediate access to hardware and state-of-the-art automatic call distribution systems – and we get them back up and running as fast as possible. Information Availability is much more than that – it is about keeping the business running. Gazing at the crystal ball In its early days. customers and reputation to keep organizations in business. thereby safeguarding profits. no matter what. SunGard provides an array of products and services designed to help get risks under control. This means they benefit from best-of-breed technology with round-the-clock monitoring and support from our highly skilled IT professionals. But old habits die hard. our mobile recovery services come to them. • Professional services: From helping organizations achieve BS 25999. disaster recovery was traditionally perceived as being about recovering systems and data – the IT department’s responsibility. recovery services and managed IT solutions to provide comprehensive support for an organization’s people. operations. specialist BCM software and expert. And if they can’t get to us. • Information Availability solutions: In today’s age of data dependence. relocate and restart. vendor-independent consultancy advice on issues such as security and performance optimization. the ability to do this more effectively than the competition so that all information and communication systems continuously perform to their optimum will increasingly sort the winners from the losers. always ready and always on’. infrastructure and data so that it is ‘always prepared. • Managed IT solutions: SunGard hosts customer systems in one of its secure. Moreover. . but leaves customers in full command of the applications that drive their operations. Customers bring their backup data and people to our facilities. 
One of the biggest challenges facing the BCM professional today is to embed an Information Availability culture within the organization so that it is factored into each and every business decision. • Recovery services: SunGard’s disaster recovery facilities enable organizations to react quickly. We predict that the ability to anticipate and plan for all the events an organization might encounter will increasingly become part of the daily business agenda.

Like all in the legal profession. was badly hit by the flooding. with over 2.000 calls a day. As part of the BC plan. Sheffield was hit by severe flooding following some of the wettest weather on record in the UK. Telephony recovery is often overlooked by businesses when developing their BCM response but Irwin Mitchell and SunGard placed strong emphasis on ensuring the resilience of the firm’s call centre. but it was now essential for Irwin Mitchell and SunGard to ensure that normal services could be resumed the following morning. It is also the leading personal injury and medical negligence litigation practice in the country and was recently voted National Law Firm of the Year. Irwin Mitchell’s Sheffield operation. The ground floors of both buildings were completely engulfed. come fire. called SunGard to invoke its services and action its recovery plan. While SunGard started to put the firm’s recovery plan into action. power outage or any other business disruption.300 employees in the UK and Spain. It has worked with SunGard Availability Services for several years to ensure that any disruption to its IT or telephony functions is minimized and that all data is kept securely. Irwin Mitchell would eventually relocate around 50 of its contact centre staff to its local SunGard Recovery Centre. the flooding hit the building after the call centre had closed for the evening. which takes up to 7. Case study. based in Elland. Irwin Mitchell has always taken a very proactive approach to business continuity (BC) planning. Fortunately. By 6 pm. By 1 am on Tuesday . the BC team worked through the night. SunGard provides the firm with high-availability services for data hosting as well as both on-site and remote disaster recovery services. SunGard kept 30 of the IP phones used in Irwin Mitchell’s call centre at the recovery centre in Elland. 
depending on the systems in question and the nature of the incident from which it is trying to recover. Gary Thomas. activating localized plans to create a makeshift call centre in the boardroom on a higher floor of the building. its insurance department must call a client within one hour of receiving an instruction. Irwin Mitchell’s business continuity team alerted SunGard at around 5 pm that day. For instance. Irwin Mitchell has stringent service level agreements (SLAs) in place with all of its clients. Such SLAs must be met. On Monday 25 June. located in two buildings in the city centre. Head of IT Operations. flood. with the remainder of the team staying in the makeshift facility. Invocation! In June 2007. West Yorkshire. Irwin Mitchell: staying afloat during the floods Irwin Mitchell is the UK’s fourth-largest legal firm.

The firm had established a free 0800 telephone number for use as a staff information line in emergencies. a good IT infrastructure based on Voice over IP technologies and a rapid response by SunGard ensured Irwin Mitchell continued to function . Logistical problems Irwin Mitchell ultimately used only one of the recovery suites earmarked for it at Elland. as some staff continued to use the boardroom as a makeshift call centre. Tuesday 26 June. The smooth. This extended duration was necessary as there were ongoing issues with power while the utility companies patched up the city. pulled together and were happy to do what was required in the face of adversity.’ Keeping staff up to date Another important part of Irwin Mitchell’s recovery plan was to keep staff updated on developments and on what they should be doing. Fifty staff were transferred from Sheffield to Elland and continued to work there for over two weeks. morning. SunGard mirrored Irwin Mitchell’s call centre PC systems. One of the major tests for the BC team during the invocation was the logistical challenge of transporting staff to and from Elland when all of the local transport networks were severely disrupted due to the flooding. This number is a key component of Irwin Mitchell’s crisis management strategy and is printed on staff ID cards and explained during inductions. What is usually around a 40-minute journey from Sheffield to Elland was taking over two hours. As Gary Thomas says: ‘To all intents and purposes. SunGard had two recovery suites ready with 100 PCs and 30 IP phones. each of which was identical to those in its own offices. fast recovery ensured that the call centre was able to meet its SLAs despite the flooding. Fortunately our staff were flexible. so employees would have exactly the same information on screen. everyone knew exactly what they needed to do.’ A successful recovery Effective planning. 
the recovery centre became another Irwin Mitchell building. Call centre staff were told to travel to work as normal for transfer to the SunGard recovery site in Elland by bus. Thomas notes: ‘We actually ended up booking hotel rooms for our call centre staff in Elland as it was simply impossible to transport them on a daily basis. On the morning following the invocation. SunGard shipped in a further 70 IP phones from its mobile recovery centre in Leicester and by 4 am. Irwin Mitchell had access to 100 call centre positions.

On the day after the floods. . As Thomas says. Thomas remarks. which caused over £2 million worth of damage to the firm’s buildings. it was a remarkable feat to be fully operational again for the start of business at 8 am the following morning. Irwin Mitchell was able to maintain its normal level of service despite the severe floods. SunGard delivered a very smooth. Having a clearly defined BC plan in place helped save the business. The damage we would have sustained otherwise is incalculable’. this dropped only marginally to 96 per cent. Irwin Mitchell staff at Elland were able to receive client calls and forward them to all corners of the Irwin Mitchell enterprise. ‘From an operational and technical point of view. professional service: we were in constant contact with its technical team at Elland and they provided us with the expertise and reassurances that we needed in what was quite a stressful time. Considering that we did not invoke until the Monday evening. However. an impressive performance given the circumstances. Irwin Mitchell prides itself on the fact that it answers 98 per cent of its calls within 15 seconds. our board has always recognized its value and this one invocation gave us that return. Our clients would not have noticed any drop in the level of service and the feedback from our staff has been overwhelmingly positive. the recovery worked beautifully. almost as normal. ‘Business continuity is often something that organizations begrudge paying for as it can be hard to see any immediate return on investment.’ Moving forward Irwin Mitchell viewed the success of its recovery from the floods in Sheffield as vindication of its investment in and focus on business continuity management.

Supply chain assurance – assessing and controlling supply-chain risks to promote business advantage – has never been more critical. How ironic then. Lloyds Register Quality Assurance (LRQA) Cost cutting is no longer the main driver of supply-chain globalization. Just quoting three of the industry journal Supply Chain Digest’s ‘11 greatest supply chain disasters’ should illustrate the point. . and 96 per cent expect their supply chains to globalize still further in future. according to the UK’s Chartered Institute of Purchasing & Supply (CIPS). In 2007.2 billion inventory write-off and Cisco’s stock price was slashed in half. that supply chain management should so often prove to be a source of commercial risk itself. 6 Risks in the supply chain and how to manage them Tim Kitchin and David Lawson. CIPS members concluded that globalization’s real benefits are to improve business efficiency and reduce commercial risks. consider Cisco’s 2001 inventory disaster: lack of demand and weak inventory visibility in a slowing market led to a $2. • Most recently. Four in five of these same procurement professionals already manage an international supply chain. The trend appears unstoppable.3.

the examples above may sound either like clear-cut systems failures or like examples of poor business planning. Product tampering is now highly politicized. quality plummeted. Isotoner decided to shut its successful Philippines-based glove and slipper manufacturing plant to chase even lower costs elsewhere. bringing tea. the famous ‘slow boats’ were busy plying their trade from China to London. In the 1800s. and knowing how far to intervene in local labour practices. • A little further back. while Toyota focused on a management systems approach. revenue was cut by 50 per cent. in monitoring remote behaviours. more concerned with hi-jacking of design IP and manufacturing secrets than with actual products. Their interaction must be managed through a comprehensive assurance programme. At first sight. Both are extremely subtle. mutiny. but they are all examples of where ‘soft systems’ of business planning or market insight failed to translate into the ‘hard systems’ that control supply chain behaviour. process design and performance management as distinct activity clusters. Supply chain management is not easy. globalization itself is nothing new. and they still exist today. consider Aris Isotoner’s sourcing calamity in 1994: then a division of Sara Lee. combining monitoring difficulties with product design constraints and high dependence upon a single sourcing location. Costs rose. Take Gap or Nike’s supply-chain difficulties. the changing nature of supply chain management responses. • Finally. evoking concerns over national security and the risk of global bioterrorism. and the changing nature of performance monitoring – and offers some high-level principles on how to connect them. developed its ‘lean’ production systems and became the world’s biggest and most successful auto manufacturer. 
The lesson to take from all these examples is that any cost-cutting programme or business-efficiency planning for your supply chain must run hand in hand with a broad risk-based management system – grounded in a thorough assessment of both the hard and soft risks affecting the supply chain. The changing nature of risk Of course. silks and spices. An integrated approach to risk management sees risk identification. Piracy is now an upstream activity. consider GM’s 1980s robot mania: CEO Robert Smith spent $40 billion on robots that mostly didn’t work. The role of this assurance is to manage the interactions of these three elements on an ongoing basis. This chapter looks at these three clusters at a high level – the changing nature of risks. and the company was soon sold to Totes Inc. piracy and product tampering – were almost wholly operational. The risks then – smuggling. Mutiny too remains . And even Mattel’s 2007 difficulties in controlling the use of lead paint in its Chinese toy manufacturing operations are far from straightforward. in reading changing consumer sentiment. This conflict between hard and soft systems is even more pronounced in recent headline-grabbing stories. albeit for higher stakes. Getting it right means developing an assurance approach that cuts across a variety of functions and locations. combining difficulties in valuing reputation assets. for example.

For example. Supply chains have extended relentlessly. And it is the same backdrop that caused BP to withdraw pre-emptively from the Global Climate Coalition and to help kick-start the Extractive Industries Transparency Initiative to clamp down on corruption in the extractive sector. of course. is still prevalent through the quasi-legal mechanism of grey imports or the plainly illegal manufacture and distribution of counterfeit product – an issue that extends way beyond fake Gucci watches and dodgy perfumes. It is this same backdrop that forced Starbucks to introduce its CAFE standard. a threat through disloyal employees. to adherence to national laws. to voluntary industry standards. this general shift in social responsiveness has been accompanied by an increased burden of compliance. Although much remains the same. And smuggling. multi-country and largely voluntary) pose real operational challenges for risk managers in knowing how far and how fast to respond. While traditional certification approaches are very well able to cope with the internal and legalistic modes of compliance. With a greater compliance burden come not just costs but also new risks associated with breaching the implied contracts. witness the recent attempt by a rogue Coke employee to sell trade secrets to PepsiCo. but under the surface de facto responsibilities have shifted. in both . This creates the social backdrop against which the diamond industry was forced to introduce a global system of supply-chain warranties: the Kimberley process. consumer activism and the corporate social responsibility movement continue to increase the depth and breadth of accountability. On the surface. these new regimes (industry-wide. The potential scale and cost of such breaches becomes all the greater as the boundaries of responsibility start to blur between government and corporate stakeholders. 
Compliance covers a wide spectrum from compliance with an internal company-wide standard. Corporations must account for the behaviour of a wider and wider network of providers across a wider and wider portfolio of responsibilities. or to regional or global trade agreements. Information transparency. The burden of compliance Secondly. the UK Medicines and Healthcare Products Regulatory Agency announced in January 2007 that it was investigating twice as many cases of fake drugs as five years ago. it is also true that much has changed The first shift has been the creeping burden of responsibility placed upon firms. legal boundaries remain more or less as they were. with more and more precision. The changing nature of supply chain management In the face of this twin burden – to be more responsible and to be stricter in honouring that responsibility – the most critical obstacle to a rapid response has been the fragmentation of the supply chain. as society at large is less and less willing to ‘take things on trust’.

what is new is the extent of multi-directional trade across the world’s companies and economies. And as they have done so. renegotiation and remediation. It makes risk harder to identify. number of parties involved and their sheer geographical reach. has enabled organizations to unbundle as never before. The result is that while companies may have more and more visibility of potential problems. and manages a budget of some $40bn – regardless of any patriotic backlash. But in the . this change means that compliance is increasingly an exercise in aligning interests and building the case for change. While political protectionism and the urge to ‘buy local’ will never go away. In this context it is no surprise that US corporate icon IBM relocated to China its global head of procurement – a role that leads a global team of 5. has significant implications for supply chain assurance. as a natural response to the scarcity of domestic skills and the availability of lower-cost labour elsewhere. Taken together. not enforcing it. fewer and fewer corporates now rely upon national identity as a cornerstone of their success. Together these changes have driven the emergence of the truly global enterprise in which capabilities are distributed across the globe. functions are located where the skills exist to fulfil them. and seeking to add as much value as possible to raise their margins – many developing their own value-added brands. The need to appeal to a global middle class precludes this approach. For risk managers. It is now extremely rare for a retailer or manufacturer to own its production capabilities. today’s supply chain assurance can no longer be an exercise in ruthless corporate control but must become a process of continual supplier monitoring. this growth in complexity runs directly counter to the need to respond flexibly and rapidly to changing market conditions and stakeholder sentiment. 
but increasingly e-commerce and e-logistics systems giving customers end-to-end visibility of real-time movements. Even corporate megabrands like McDonald’s now strive to be less American and more local in their activities. Even at ‘tier 1’ supplier level. Several factors have contributed to this fragmentation: • One is the growth of ICT – not merely the advent of just-in-time stock reordering systems and radio-frequency identification (RFID) technologies. The changing nature of performance monitoring This final relationship shift. From an operational standpoint. Increasingly. • The rise of outsourcing. harder to reallocate and harder to respond to. leading to a step change in supply-chain management. these supply chains have become more empowered.000. from coercion to collaboration. • There has been a reduction in corporate nationalism. While globalization may not be new. not just in ICT but in entire business processes. they have less and less control across their own supply base. suppliers will be serving multiple customers to different specifications. • Offshoring has increased. rather than being replicated in each location.

LRQA advises its clients to focus on broad general principles: • • • • completeness. To ensure that supply-chain management systems support genuine assurance. taking into account their potential frequency and impact. Completeness The first principle of supply-chain assurance is ‘completeness’. Collaboration The second principle of supply chain assurance is ‘collaboration’. and apply your audit and improvements across the whole supply chain. the case for censuring and even ceasing trading with underperforming partners will continue to increase. . Don’t dilute the review across the supply chain by trying to cover all needs and requirements. Principles of supply chain assurance: the four Cs In dealing with the complexity it is all too easy to get lost and actually increase complexity and the burden of compliance. Only then can appropriate mitigation be determined and controls identified for those of greatest priority. not just one supplier in the chain. Suppliers and subsuppliers must be involved in this process and understand and accept they have a part to play in risk management in a network of related suppliers. start by taking one cluster of risks. customers and external critics. And even within that standard. Do not try to cover every risk. communication. any effort to introduce a management system for the supply chain must begin with a high-level assessment to identify and prioritize the risks – at all levels of the chain. Bridging this control gap is the role of supply chain assurance. eyes of regulators. be careful to focus only on the material issues. governed by one compliance standard. Ideally. These should then be evaluated. collaboration. Cross-cutting The third principle is to focus on risks that cross silos and geographical boundaries and to design systems that are ‘cross-cutting’. It is important that it is the supply chain that is being covered. cross-cutting.
but equally do not isolate and address risks at the site or functional level. Given the spread of hard and soft risks.

By better understanding all the individual elements (and their potential risks) of the total supply chain network. any assurance response must explicitly factor in issues of ‘communication’ from the outset. but because of a failure to communicate and respond to a threat. Principles. globalized supply chains will remain a key driver of competitiveness. Many of the greatest supply chain disasters occur not because of a breach of protocol. compliance requirements and incident escalation procedures must be communicated through the network to be effective. . Tomorrow’s flexible. Lose control of communication and you put your shareholders’ future in the hands of the media. companies can acquire the confidence they need to invest in the future. Communication Finally. but they conceal dramatic risks.

companies should be looking at a number of different areas outside their quality assurance systems. Regulatory risk While the purpose of Regulation (EC) 178/2002 is to protect the consumer it also creates more onerous requirements for food companies with clear requirements: . During this period the UK has seen an upward trend in the number of recalls of food and drink products. While it is clear that exposure to a product recall is increasing. it is not so clear to what extent companies are addressing their regulatory requirements and assessing their exposure to loss. XL Insurance Company Limited It is nearly three years since the implementation of the new European regulation governing food safety and product recalls – Regulation (EC) 178/2002 was implemented in the UK on 1 January 2005. 7 Product recall: assessing risk in the food industry Ed Mitchell. including a number of well-publicized losses.3. Best practice quality assurance systems are critical in preventing product contaminations and subsequent recalls but when assessing the risk to their brand.


Being able to trace your product is a regulatory requirement and its effectiveness will be critical in recalling products.’ (Regulation (EC) 178/2002 – Article 19. produced. Under the legislation. For any one company. most importantly. these terms can create potential pitfalls for a food company.1) The basic principle of not placing an unsafe product on the market may sound simple enough but in practice this is not straightforward. a recall may be a rare event and without mock recalls a company won’t actually know to what extent it is in fact prepared for the worst should it happen. Making the right decision is critical but if a company gets it wrong it not only faces a potentially expensive recall campaign but it could also severely damage its brand. differ in their view of the product’s safety. the responsibility to recall and to inform the authorities lies firmly with the food company. However. manufactured or distributed is not in compliance with the food safety requirements. it shall immediately initiate procedures to withdraw the food in question from the market. This is a difficult and complicated area for food manufacturers. processed. Defined as such. companies need to be sure that their recall plan is not only up to date but. Critical in this process is having an appropriate traceability and recall plan in place. An ‘unsafe’ product is defined under the regulation as one that is either ‘injurious to health’ or ‘unfit for human consumption’. At that stage it may be too late for the company to take action. Therefore. For example. for example by taking a zero tolerance approach to the substance in question. upon further investigation. If consumers and the media are questioning the company’s ‘inaction’. The traceability plan must adhere to the ‘one step up. its reputation may have been compromised. if the authorities become involved and. it may oblige the company to instigate a recall of the product. 
one step down’ principle so that the company can immediately know not only where the product (or its ingredients) came from and the person from whom it came but the next person to whom it has gone. . Food companies not only need to ensure that their products are in compliance with applicable legislation but also to be fully aware of their regulatory requirements and obligations should a problem arise. in evaluating a potential product-safety situation a food company may conclude after testing that the levels of a certain potentially harmful substance in its product are sufficiently low not to create any adverse health issues and therefore decide not to recall. regularly tested. Regulation ‘If a food business operator considers or has reason to believe that a food which it has imported.

Central to this is a company’s HACCP (hazard analysis critical control points) plan incorporating a product testing regime. Likelihood of a loss It goes without saying that for a food manufacturer the best way to prevent a contamination happening is to ensure that it has the right food safety systems in place. the less likely it is that a contamination will occur. Preventing a recall from happening. testing is only useful if you are looking for the right contaminants. be . however. Product testing Traceability plans Recall/crisis plans End products Ingredients and components Batch control Plant sanitation Etc. Ensuring that safe products leave the factory gates is. Having a rigorous microbiological testing regime for pathogens will not help if your product is found to contain pieces of metal and you have no metal detection systems in place. of course. it is critical to ensure that the company’s HACCP plan is regularly reviewed to ensure that it is in line with current food safety requirements. a product contamination insurer will generally look at two key variables: the likelihood of a loss happening and the severity potential should a loss occur. The more robust the HACCP and testing procedures. Likewise. critical but companies should also be looking at those areas that can impact the likelihood of having to recall or. Your brand in someone else’s hands Control over quality Auditing and testing Contractual control Contract manufacturers Suppliers: local or imported Integrity/quality of supplies Supply chain management Regulatory approval of suppliers’ products Contractual control Figure 3.7. indeed. 
isn’t just about a company’s food safety programme. First party Exports Strict safety requirements Retailers initiating recalls Costs incurred by retailers passed back to manufacturer Maintaining shelf space Retailers (wholesalers foodservice) Third party Regulatory requirements in export locations Cost of co-ordinating overseas recalls Third-party manufacturers Costs incurred in recalling due to your contaminated ingredient Jeopardise contract Contractual requirement to buy recall insurance Manufacturer Quality control – HACCP etc.1 Exposure map for manufacturers Assessing the loss exposure In assessing a food risk. Therefore.

responsible for the recall. One of the most significant exposures to a loss potential is the supply chain. In today’s global market outsourcing manufacturing or importing raw materials may make good economic sense but it comes with risk: ultimately companies are putting their brands in someone else’s hands. Given the global attention on outsourced manufacturing from countries such as China, in both the food and non-food sector, supply chain management is a critical area for companies to focus on. Food companies tend to rely on certificates of analysis that accompany supplied goods but the question any company should be asking is to what extent is a certificate of analysis adequate protection against a contamination? Ultimately, it is impossible to remove the supply chain risk, but companies can go a long way to improving their exposure by enforcing rigorous testing programmes for supplied ingredients and products as well as carrying out appropriate due diligence and auditing of suppliers.

In addition to the accidental contamination exposure, companies should also be assessing their exposure to malicious contaminations and extortion demands. The tampering risk will range from disgruntled employees and outside interest groups, for example animal rights campaigners, through to the bio-terrorism risk which is more of a focus today than ever before. In assessing this risk companies should be looking to minimize the tampering exposure in areas from recruitment, training, use of seasonal staff and site security through to production processes and supply chain management. Companies with fully automated production lines and products contained in tamper evident packaging will be less exposed than companies with more human intervention on the production line. Naturally this can also impact on the severity of a loss as well.

Loss severity

Most risk managers for a food and drink company will consider a serious recall to be a potentially catastrophic risk, but measuring this risk can be a challenge. For instance, in assessing property exposures a company can establish PMLs (possible maximum loss) and MFLs (maximum foreseeable loss) and buy insurance limits accordingly. However, doing the same exercise for a recall exposure is not as straightforward, and some companies do not actually go through the process of working through a full recall disaster scenario. Another problem is that modelling a recall loss is very difficult given that there are numerous variables that can influence the size and ultimate cost of a recall. The other relative unknown in a recall situation is the response from regulators, customers, consumers and the media, all of which can affect the consequential loss of sales. A relatively inexpensive recall can lead to a far greater impact on a company’s reputation and sales if media and consumer issues are either not handled well or perceived by the public to be handled badly.

One way to assess a recall loss exposure is to look at batches, lots or daily production and, on the basis of testing cycles, create a loss scenario. This is a very useful way to estimate loss potential but history has shown that it is often irregular and unexpected situations that cause the largest losses. In assessing the severity potential of a food risk, however, insurers will look at the way in which production and testing is combined, as well as the crisis planning in place to contain a loss should it occur.

In a contamination situation, the size of the recall will depend on the amount of identifiable products affected. For example, a company that segments production into small coded lots, tests each lot and only releases products once test results are known will be in a strong position to prevent a severe loss happening (assuming the contamination is picked up in testing). On the other hand, a company that segments production only into daily production amounts, releases products to the market and only receives test results on those products a week later will be more exposed to suffering a severe loss because, as a minimum, it will have to recall the whole week’s worth of production. Likewise, with the supply chain risk increasing, companies could also look to assess the potential impact of a contamination of multiple products by a contaminated ingredient. For example, should a supply load of an ingredient be contaminated, how many days worth of production and how many product lines can that ingredient ultimately affect, and what measures can be put in place to reduce that exposure? Naturally, however, economics and the production structure come into play again. You cannot test every product and companies will structure their production in accordance with the nature of the business. To that extent, some companies may find themselves more or less exposed when assessing that exposure.

Common mistakes in a recall situation
• Not having an up-to-date product recall procedure.
• Relying on suppliers’ information.
• Operating in ‘silos’ and not seeing the impact across the company.
• Shying away from the media once a recall situation has developed.
• Sticking your head in the sand and not being aware of issues and new regulations.

Mitigating the loss

In addition to the costs associated with a recall, a company can also suffer consequential business interruption. Often, however, the business interruption loss will be limited to the amount of time it takes a company to restart production after a recall – not unlike any other business interruption loss. The worst-case scenario in a recall is loss of consumer confidence and long-term brand damage. In a recall situation the last thing a company wants is to be left without the ability to get products quickly back on the supermarket shelves. A sound business continuity plan for a food company will have in place contingency plans should a contamination occur, for example the forward planning of backup suppliers or the maintenance of spare production capacity in plants. Critical in avoiding loss of consumer confidence however, is a robust crisis management plan incorporating both a recall and business continuity plan.

[Figure 3.7.2 Crisis management network: food & drink manufacturer, crisis management team, security, laboratory, PR, legal issues, regulators, other consultants]

Securing the brand

In a brand-conscious marketplace, it is the damage to a company’s reputation that can result in the most significant costs, well beyond those of actual recall. As Warren Buffett famously said, ‘It takes 20 years to build a reputation and five minutes to ruin it. If you think about that you’ll do things differently.’ Quick responses to customers are essential to convey continuing confidence in the brand and the company. As part of this, the media response to a product recall needs to be handled fast and effectively. In these days of 24-hour TV news and the internet, journalists are working to increasingly tight deadlines to satisfy their audience’s expectations of instant information and analysis. At the same time, the communication with food regulators, business customers and external specialist consultants, like public relations specialists, emergency testing laboratories, legal advisers and security consultants has to be coordinated and maintained. Figure 3.7.2 illustrates the use of networking in crisis management.

The food and drink sector has experienced a number of well-publicized challenges in recent years and some companies have been caught on the back foot at a time when they needed to act fast with a proactive message, reassuring the public in response to media reports, with a view to limiting the fallout from negative reports on a product. If managed badly, a major recall can destroy a company’s reputation. If done well, it can even enhance reputation and sales. Effective crisis management can be critical in differentiating between the two outcomes.

While many food and drink companies have a recall plan in place, especially due to the increased legal requirements outlined above, they often lack the breadth of a comprehensive crisis management plan leaving them exposed to losses outside of their control in a product contamination situation. An effective crisis management plan is more than just media management. It is a thorough risk management system that will address everything from traceability and recall planning, supplier management and quality assurance issues through to product security planning, business continuity and, ultimately, media training. Being prepared for a crisis in advance is vital and can be the difference between disaster and recovery once a contamination is discovered and may ultimately contribute to the survival of the business.

Product contamination insurance

Coverage is provided for recall expenses, extending through to the policyholder’s loss of profit and rehabilitation costs. It also gives access to crisis management consultants in a number of specialist fields. In some cases insurers will also contribute part of the premium towards pre-incident crisis management preparation. This allows the policyholder to work with specialists who can advise on implementing the best practice system and who can also assist in responding to a crisis.

Conclusion

With a wide range of exposures, food and drink companies should have solid systems in place to protect their brand and reputation in a serious recall situation. Luckily large recalls, although increasing in frequency, are relatively rare, but the key is to be fully prepared because consumers and the stock market will respond favourably to a well-handled crisis as it reflects positively on the management team.

3.8 A shared business continuity challenge: protecting SMEs and the supply chain

Mike Osborne, ICM Computer Group

According to the Chartered Management Institute’s Business Continuity Survey 2007, two-thirds of UK small businesses do not have a business continuity plan in place. Given that SMEs account for more than 99 per cent of the total number of UK firms, without a doubt the single largest challenge to the business continuity industry today is to ensure that these SMEs, which so underpin the UK economy, have access to and embrace professional business continuity. This challenge applies equally to the Business Continuity Institute (BCI) as a professional body, its current members (typically employed within larger organizations with long-established plans and policies) and to the business continuity providers who have traditionally focused on opportunities in those larger organizations. This last point is significant because a review of the ‘lower end’ business continuity market indicates that SME services are often provided by non-business


continuity specialists, such as meeting-space providers and local IT companies, who offer business continuity as a ‘tick-in-the-box’ add-on without necessarily providing the education and professional skills exchange offered by the professional business continuity providers.

The perceived barriers to SMEs adopting business continuity are often cost, time, resources and the belief that it involves high input for small returns. There is also the fear that business continuity is a huge burden that requires formal structures and high maintenance, and generally involves procedures that are not necessarily in line with the ‘entrepreneurial spirit’ of small companies. Where these are the barriers, the onus is firmly with business continuity providers to ensure that all organizations, irrespective of size, receive education and assistance, and have access to simple and affordable business continuity services.

In terms of professional business continuity providers, selling to SMEs can be costly and time consuming, with high input for small returns. Yet it is widely acknowledged that traditional business continuity services, which have responded to early adopters and the needs of larger organizations, are complex and costly and fall beyond the reach of a large proportion of UK businesses. In this respect, business continuity providers have an obligation to existing customers and the overall market to propagate business continuity to those organizations who have not yet implemented any business continuity arrangements, to the benefit of the entire UK economy.

The supply chain is the single largest business continuity risk to mature organizations with business continuity arrangements in place. With supply chains increasingly becoming more complex and interlinked, many organizations are trimming down the number of suppliers they use, and reducing supply lead times and stock holdings to reduce costs, which can serve to increase risks if the chosen suppliers do not have adequate protection. Business continuity providers therefore have to initiate solutions that are appropriate to the SME market in order to satisfy the supply chains of existing, larger customers.

Disaster Cover Direct

With these issues in mind, ICM developed Disaster Cover Direct, a packaged business continuity service for SMEs, to help increase the UK’s economic resilience and protect larger customers at points of vulnerability through their supply-chain relationships with well-meaning, yet unprotected businesses. The relevance and importance of Disaster Cover Direct was recognized by the business continuity industry, when it was named the Most Innovative Product at the 2007 CIR Business Continuity Awards. (See case study at the end of this chapter.)

The implications of BS 25999 for the supply chain

Put simply, if you want your company to be able to continue operations through adverse conditions, the ability of your suppliers to continue to operate to pre-defined service levels through periods of disruption will be vital to your organization’s continuity. It therefore needs to be factored into your own business continuity planning. Your company may be required to declare that you have effective risk-based controls in order for it to be declared to be a going concern. If your suppliers are not being required to make commitments relating to continuity of supply based upon accepted good practice, how can such a declaration be made with any credibility? One of the ways in which a larger organization can mitigate this is by utilizing BS 25999 as a measure by which to gain confidence that their suppliers’ plans are of an adequate professional standard.

The standard has been designed to be just as applicable to small and medium-sized organizations as to large corporations, and specifies the process for achieving certification that is appropriate to the size and complexity of an organization. It stresses the need for organizations to establish their own robust business continuity arrangements, but also to be sure that such arrangements exist up and down the supply chain in their key suppliers and distributors. With regard to suppliers and outsourced activities, the specification of BS 25999 states that: ‘The organization shall assure itself that its key suppliers and outsource partners have effective BCM arrangements in place’. Furthermore, the Chartered Management Institute, the Continuity Forum and the Cabinet Office recommend that: Business Continuity Management should be used more extensively throughout supply networks in the UK, in particular with essential suppliers and outsourced providers. Plans should be verified and audited where possible. It is also essential to check whether suppliers have rehearsed their plans.

Helping the supply chain

We know that SMEs need business continuity. In order to achieve this, they need a business continuity plan. While this automatically calls for a focused approach, SMEs do not require the level of cover and expensive professional consultancy that larger organizations do. In the same way, they do not need to dedicate as much time and resources to business continuity as larger organizations. They just need to dedicate enough.

However, one vital thing some SMEs may need before all of this is convincing! With the advent of BS 25999 many more SMEs will be pushed towards implementing business continuity, often without knowing where to start. There is a surfeit of seemingly related solutions offering distinct but limited business continuity aspects, such as resilient IT storage solutions, that can complicate the understanding of what it is to have business continuity in place. Getting to that starting point is the most difficult challenge. Once a company has made the decision to address business continuity, it is halfway there.

Research by the BCI suggests that only 27 per cent of organizations actually involve themselves in helping their suppliers to develop a business continuity management plan and get involved in rehearsals of the plan. Too many companies are vulnerable to a failure in their supply chain.

The Chartered Management Institute’s findings from its Business Continuity Management Review, published in March 2007, show that the majority of respondents (61 per cent) report that their organizations outsource some of their facilities or services. The questionnaire asked respondents if their organization required its suppliers or outsource partners to have business continuity plans. The use of BCM down the supply chain remains limited as indicated in Figure 3.8.1 below.

In addition, the survey asked how those who require outsource partners or suppliers to have business continuity plans (BCPs) verify their effectiveness. Almost half (48 per cent) accept a statement from the supplier/partner in question. Around a third (34 per cent) take the more active step of examining the supplier/partner’s BCP, while 17 per cent are involved in the development of the BCP. At present, just 5 per cent assess their suppliers’ or partners’ plans against BS 25999/PAS 56.

A Michigan State University (MSU) study commissioned by AT&T identifies four major factors of a good supply-chain business continuity plan:
• awareness that the supply chain is susceptible to potentially crippling disruption.
• prevention through risk identification, risk assessment, risk treatment and risk monitoring.
• remediation plans for recovery from a disruption.
• knowledge management, which calls for a shareable, post-event audit of supply-chain disruption throughout the organization and the supply chain.

It would be wise for an organization to understand where its vulnerable points are with respect to its supply chain. Issues that create vulnerabilities may include:
• high-volume supplies (single source).
• specialist suppliers.
• availability of compatible products or services.
• geographical locations and transit routes of supplies.
• high-risk marketplace subject to disruption.

Should a continuity event impact on either party, there are benefits to both sides in understanding what will follow:
• likely delays.
• shortfalls.
• alternative arrangements.
• contractual implications.

If these are recognized and understood then the contingency arrangement can be implemented without additional delay or contractual concerns.

[Figure 3.8.1 Percentage of outsourcers requiring suppliers to have business continuity plans. Categories: All suppliers; Business-critical suppliers only; Outsource partners; Intends to; None; Don't know]

Business continuity professionals need to be aware of the barriers, perceived or otherwise, that SMEs face in adopting business continuity and to take steps to assist them, where possible, in achieving appropriate and adequate arrangements to meet the recognized business continuity standards. Organizations also require the support of industry bodies to help them ensure their suppliers are not a point of weakness that could negate their own careful planning.

At the moment, ICM’s Disaster Cover Direct solution offers a unique combination of service provision and professional help to SMEs, and we hope to see other top providers pick up the gauntlet and address this marketplace with supportive solutions and initiatives in the future. Not only is it an issue of paramount importance, but addressing it is of benefit to us all.

Disaster Cover Direct offers a safe way for companies to provide basic cover to satisfy individual customer requirements. Disaster Cover Direct provides a perfect introduction to business continuity planning with the support of an industry-leading service provider and the technical and professional expertise that brings. At the same time, free affiliate membership of the BCI and induction training from an independent MBCI consultant will help SMEs gain a better understanding of what is involved in the good practice of business continuity, therefore providing an excellent starting point for their future business continuity development.

Case study

Connection Seating was established in 1995 as a small manufacturer of office chairs. Now known as Connection, the company has grown into a £10 million business, manufacturing very high levels of office, meeting and breakout furniture, including soft seating and office desking and chairs, and employing over 50 staff. Since 2003, Connection has continued to increase turnover by around 20 per cent per annum.

As the company is growing at such a rate year on year, it has become increasingly apparent that in the event of any serious IT failure due to unforeseen circumstances, the company’s growth and customer satisfaction could be seriously affected. This is not something that Connection wants to risk. In addition, Connection’s sales department was seeing more and more tender documents from larger organizations, requiring information on how Connection could guarantee that its systems would not impact on their product delivery dates.

John Cupitt, Connection’s IT and Systems Manager, had worked for several large manufacturing companies that had always used ICM for business continuity and maintenance contracts. The proven track record and great service made ICM the first choice, so it was decided that ICM should be contacted to check if there were any packages suitable for a company of Connection’s size.

John Cupitt says:

Initially I spoke to ICM regarding costs on the standard business continuity package. Unfortunately this exceeded our spend limitations. However, our account manager then told me of a new package aimed specifically at businesses of our size, which was a low-cost, pre-packaged version of the standard business continuity offering. This sounded perfect. We have now signed up with ICM for Disaster Cover Direct. It provides enough seats for our core staff to work and more than ample servers and equipment to comfortably run our systems. Disaster Cover Direct provides excellent value for money and allows smaller companies such as ourselves to take on services that are normally associated only with large organizations. We also feel that we now have a very positive advantage over our competitors and will ensure that this is fully highlighted when tendering for large orders. As the company grows and develops, I’m sure that there will be more opportunities for Connection and ICM to work together in the future.

Disaster Cover Direct has been designed to enable larger organizations to push it down through their supply chains, with the BCI Benchmarking tool embedded within the package to ensure standards expected by larger organizations are met.

Disaster Cover Direct makes business continuity practices accessible and means that SMEs can take appropriate steps to protect themselves, without recourse to complex analysis and resources. They can develop their business continuity plans at a pace suitable to their business operations and, via the free BCI affiliate membership, as their understanding of the issues deepens through exposure to ICM and vendor independent resources.

4 Intellectual Property Risks


4.1 Intellectual property or poverty? An IP risk guide for business

Peter Finnie and Arnie Clarke, Gill Jennings & Every LLP

Introduction

The recent increase in public awareness of intellectual property (IP) has not necessarily led to a greater understanding of its generation, use or relevance to modern business. Although the term ‘risk management’ is generally understood, very few companies understand the risks associated with IP, let alone have a strategy for dealing with them.

For many technology-led companies, IP is a key asset used to support their efforts to secure private equity funding from investors over the course of a series of funding rounds. IP issues may undermine the ability to attract and retain investment. Unresolved IP issues may affect the planned ‘exit strategy’. As a consequence, investors are placing greater emphasis on IP due diligence during the investment process. Investors are also quick to exploit weaknesses in an IP portfolio, frequently leading to renegotiation of the initial valuation of the company or influencing the decision to

invest at all. A company that can demonstrate why IP is relevant to its business and show that it has taken effective measures to develop an appropriate position is more likely to gain the confidence of investors. The more sophisticated company understands how IP fits within its business plan and builds a better understanding of the IP-related risks it faces.

This chapter highlights the IP-related risks frequently faced by businesses. We also look at how these risks can be revealed, avoided, mitigated and resolved.

What risk?

So what are the hidden risks associated with IP? Broadly speaking, IP-related risks fall into four distinct areas:
• IP acquisition.
• IP exploitation.
• IP monitoring.
• IP enforcement.

These risks are largely hidden and require a systematic approach to reveal and actively manage them in a responsible and cost-effective manner.

IP acquisition

Creating an effective IP portfolio is a complex matter that also represents a serious investment in terms of time and money. A product or service may be protected by various forms of IP rights covering several different aspects of the product or service. These IP rights include patents, confidential information (know how), registered trademarks, registered designs and copyright. Companies need to be aware of these different IP rights, how they are created, what protection they offer, and how much they cost.

The lifetimes of the different IP rights vary considerably, as does the time taken to acquire them. This is especially the case for patents. It may take several years to obtain the grant of a patent, by which time the technology has moved on, making the protection offered redundant. What is the value of a patent in such circumstances? Also, a formal patent application requires a full written disclosure of the invention, and this will eventually be disclosed to the public when the application is published. An alternative strategy would be to keep the invention secret – but is that achievable?

Sometimes it is useful, or perhaps necessary, to acquire IP or rights under IP from other parties. How do you know what you are buying is valid and enforceable? How much is it worth? It follows that companies must carefully assess the costs and benefits associated with acquiring IP on a case-by-case basis and regularly review previous decisions to ensure they remain valid.

IP exploitation

How can IP be exploited to commercial advantage? The fundamental right is the right to ‘exclude’ others, sometimes rather cynically referred to as the ‘right to litigate’.

One strategy is to use IP to maintain exclusivity in the market for a product or process, where the IP acts as a deterrent to keep competitors from undermining the commercial position. This approach assumes that you have sufficient funds and resolution to litigate. Litigation is generally very expensive and beyond the financial reach of most companies.

An alternative strategy is to license the IP to others in return for a royalty. A successful licensing strategy will provide an income stream. But what terms do you offer? How do you negotiate the royalties? What happens if the licensee doesn’t perform sufficiently well to justify the licence? There are many complexities to licensing IP.

Sometimes IP is acquired, typically through dedicated R&D efforts, with a view to selling it to a third party. How do you ensure such IP is valued at the right price? What steps can you take to maximize the valuation on sale? Companies need to consider carefully from the outset how best to exploit their IP from both a domestic and international perspective.

IP monitoring

There is a wealth of publicly available information about IP online. It is possible to search for and download copies of published patent applications and granted patents. You can obtain the details of all the cases owned by one or more competitors, check the status of a particular case and view details of the documents held by a patent office (the ‘file wrapper’). A watch can be placed for new patent publications in a particular technology area or perhaps for publications in the name of a key competitor. Publicly available information on registered trademarks can be used similarly.

Professional patent database searchers can conduct searches to assess the novelty of a particular invention before a patent application is filed. Similarly, professional searchers can be used to identify patents that might be infringed prior to launching a new product – known as a freedom to operate search. The results of searches can also be used to reveal activities of others that might infringe your own patents, which can be an effective way of policing an IP portfolio or of providing prime leads for an IP licensing strategy. To what extent should you consult the patent and trademark databases regularly? Importantly, how will this source of information add value in terms of managing risks?

IP enforcement

Litigation is typically expensive and patent litigation is particularly so. However, it is not always necessary to litigate in order to achieve the desired result. What about mediation or arbitration as an alternative? What is your attitude to litigation? Is it part of your strategy for maintaining market position? Do you have the funds for litigation? If not, will IP litigation insurance be of any assistance? In any litigation it is necessary to carry out a cost–benefit analysis before commencing proceedings. What are the likely costs if you win? What if you lose?

The absence of an explicit IP strategy is a criticism that can be made of companies ranging from start-ups to major companies. How is the IP going to be exploited to add value? If appropriate. These can be used to support internal procedures and provide written materials in a format that can be very useful when responding to requests for information from board members and investors. On what basis does one decide to file a new patent or trademark application and what factors dictate the filing strategy – where. • Put in place a system for watching for the publication of patent applications and granted patents by key competitors as a means to identify IP infringement risks . will it pay for itself? A clear policy of IP enforcement is important due to the high costs involved in some IP disputes. It is all too easy to overlook the protection of innovation in the rush to get new products to the market. Consider introducing an employee reward scheme as an incentive to innovate. how does the planned exit strategy affect this and vice versa? • Establish clearly defined procedures for formally identifying innovation at an early stage so it can be reviewed at an appropriate level. A recent study reported that fewer than half of the major European businesses surveyed had a documented IP strategy. Is there any value in IP if you are not prepared to enforce your rights? A structured approach The key to good management of IP risk starts with the company’s business plan. report and assist in process. What is the likely award in damages? How much management time will it take up? In short. including the exit strategy. where appropriate. when and how to file? • Develop an IP awareness programme for key staff. inventor acknowledgements. • Develop a formal patent. IP strategy should be formed in the context of the commercial aims of the company as a whole. • Produce support documentation.
This should contain an explicit IP strategy that deals with all of the issues and problems discussed above. and an internal register of company IP updated accordingly. such as invention proposal documents. a decision reached on whether to seek registered protection. The aim is to ensure that companies get the most out of their R&D efforts and to provide a framework to manage IP risks in a responsible and cost-effective manner. design and registered trademark filing strategy. standard agreements and assignments. Many companies give little attention to the need to remain properly focused on IP matters (rather than simply the acquisition of IP for the sake of it) and the support IP can lend to the business plan. The following are some of the issues to be considered and steps that should be taken when developing an IP strategy: • Establish a clear understanding of how IP can support the company. patent status reports and bibliographic summaries.

though importantly. Consider the reality of potential commercial risks. Maintaining a state of blissful ignorance is not a policy to be admired! Consider general third-party IP issues. out-license it or sell it. • The IP was not related to the current business plan and therefore of no apparent value (despite assertions to the contrary to support the valuation of the company) but still represented a significant ongoing cost. The contracts of employment of key staff should be reviewed to ensure the terms cover the key IP issues that may arise. Actively police your IP portfolio. and opportunities. had been missed. the opportunity to protect a particular innovation. • The company had no coherent internal policy for identifying and protecting innovation at an early stage. As a result. • No international novelty searches were conducted on new patent applications within the first year and so the investors had no evidence to support the assertion made by the company that strong patent protection was available for the technology – a key factor in the pre-money valuation. including contracts with suppliers and joint developers. If you do not maintain exclusivity by enforcing your IP. for example the ongoing duty of confidentiality. including trade sales and initial public offerings (IPOs). Simply because a commercial product technically infringes a third party’s IP does not necessarily mean that party will assert its rights. This frequently depends on the company culture of the third party and its financial standing. The costs of acquiring IP and considering third-party issues can be significant. said to be key to the success of the business plan.
The following are just a few real-life examples of IP issues that had a significant impact on the investment process: • The importance of the IP to the future success of the company was oversold leading to a significant devaluation of the company when it became clear the IP was not as strong as first asserted. It should be reviewed regularly to ensure it is consistent with the business plan. agree and monitor an IP budget for the company. IP due diligence We have had experience of acting for both investors and companies during numerous due diligence exercises. brands. Lastly. • The unsophisticated patent filing strategy effectively delayed the grant of any US patents. you are squandering an often costly investment. . What impact will this have on cash flow? The IP strategy should be made explicit by committing it to paper. Set up an IP committee that frequently reviews IP matters. to the detriment of the ability to attract US-led investment. copyright and know how. IP is merely a tool that can be used to prevent your competitors exploiting your technology.

Where branding is important it is not sufficient simply to obtain a UK-registered trademark and assume you can do the same elsewhere. Conclusions The hidden risks of IP can have an enormous commercial impact for both investors and companies alike. largely because they did not have a systematic approach to the development and implementation of an explicit IP strategy. and no trademark clearance searches had been conducted. • The company was not free to use its trademarks in the United States (often a key market) so a new name was required. the planned trade sale to a major company in the longer term was a wholly unrealistic exit strategy. . In this case. and in particular developing an explicit IP strategy that deals with these risks in a cost-effective and responsible manner. • The patent applications were not written with the business plan in mind so the patent claim structure was inadequate to support the planned exploitation of the technology. This held up the investment process for several weeks and seriously undermined the value of the company. • No ongoing watch of published patent applications or patents by competitors had been put in place to give an early warning of potential risks. even when it was clear there were several US patents that could adversely affect the company’s plans to exploit its own technology. This arose from a failure to check at an early stage whether the trademark could be registered and used in the United States. even in the UK. This approach to risk did not inspire much confidence in the responsible directors. It is worth noting that all of the above should have been foreseen by the companies involved but were overlooked. • No trademark applications had been filed. Getting the trademark side of things wrong can be very costly. • Plans to exploit the IP were incompatible with existing agreements with third parties involved in joint research and development on some key aspects of the technology.
Joint ownership of inventions can limit the ability to exploit the IP to the fullest extent possible. • No detailed assessment of third-party rights had been undertaken. Taking a risk management approach to IP. will repay itself in the longer term. A simple infringement search of patents held by competitors mentioned in the business plan revealed several infringement risks.

4.2

Securing key business decisions with strong IP rights
Eric Achour and Jean-Louis Somnier, Novagraaf

As a business leader, how would you react if your expansion to emerging countries was slowed down, or even made impossible, because your brand or your product/service was already being used in these new markets by existing competitors or individuals who anticipated your interest in realizing growth? How would you react if you discovered that the technology you developed for a new range of products, while spending a huge R&D budget, was now being used by one of your competitors and, to make matters worse, that competitor was marketing this new technology by promoting its product line as a leading ‘time-to-market position’? How would you react when you had joined forces with a business partner and, after the joint development effort, you discovered that your return on investment was not as high as expected because your ‘intellectual share’ was not that clearly defined in your contract? Those questions are not theoretical: they are taken from amongst thousands of ‘real life’ situations where companies were seriously harmed in their business and development efforts because they failed in adopting the right protection and defence of their intellectual property (IP).


IP also covers the operational activities/processes that were needed to produce the products or to deliver the service. Other fields are the geographic indications of source. such as industrial property. copyright.’ Intellectual property rights (IPRs) are grants of monopoly given to the owners of those rights (inventor. author. company. etc) in specific countries or territories. and property of those rights is covered by international and local legal regulations. artistic works but also documents. materials. images. films. designs and models. symbols. a short introduction on IP and what IP rights entail is followed by an illustration of how businesses can be harmed by making the wrong IP decisions (or no IP decisions at all) and the consequences for business growth and increased business risk. some functionality features that rely on specific technology components. a logo. a shape/design. characters/colours/fonts. both in the ‘traditional’ physical world and in the expanding ‘online’ world. names. some packaging features. One can easily understand that IP is ‘omni-present’ in everyday business life. One may also forget that if freedom of competition is the rule in the market. the rules are fundamentally changed with IP rights protection. All too often those failures occur because IP matters have not been a part of the decision-making process and are only considered when it is too late to take action. In this chapter. On top of that. musical works.’ Intellectual property (IP) encompasses many fields. A second focus will be on which IP decisions should be taken to mitigate the IP risks Intellectual property: a short overview As defined by the World Intellectual Property Organization (WIPO). We have identified six major ‘business decisions’ clusters where we are convinced that intellectual property practice and rights are critical factors of success in today’s competition. IPRs exist mainly in the form of patents. literary and artistic works. This monopoly applies to territories. for a specific time frame and for certain domains of applications.
those failures occur in every kind of business sector regardless of the company size. ‘When business meets IP’ In today’s business arena innovation and business development are crucial to any company. which includes not only literary and artistic works such as novels. which includes mainly inventions (patents). development stage and geographic location. ‘Intellectual property refers to creations of the mind: inventions. time frames and domains of application. manual. etc). poems and plays. trademarks and industrial designs. pieces of software. trademarks. advertising and software WIPO adds: ‘Intellectual property surrounds us in nearly everything we do. copyrights. and designs used in commerce. .

transferring the ownership of all or part of a company. stepping ahead of competition with new features that will be incorporated in new products. to ensure that your field of investigation is free to operate. Conducting research and development activities The core purpose of R&D is to find new innovative technology (in a very broad sense. by writing in scientific publications. • Conduct ‘prior art’ search systematically. Hence. business risks from the IP standpoint arise in two main areas. Tip: Use the procedures of International Patent Grant to ‘buy time’ on your competitors (‘PCT route’) and get your protections extended both on geographical areas and timing. services or industrial processes. . ensuring that you have taken all necessary measures to prove at a later stage that you own the inventions (reporting on labs measures or experiences). Tip: ‘Watch’ the technical domains in which your competitors are active (continuously screen the patents’ publications on dedicated websites) and beware of ‘misleading’ patents. Tip: Never disclose an invention publicly. Here are a few examples of actions that will mitigate the risks in this area of business leveraging the IP possibilities: • Set up a ‘secrecy policy’. you would lose all your rights if the publicized invention is copied afterwards by a third-party. alone or with partners. conducting research and development activities. We will review for each cluster the potential business risks arising from an IP standpoint that may prevent performance improvement and hence value creation. recruiting retaining and motivating people. launching new products and services. Then IP-related activities and business decisions to be taken to mitigate the risks are identified. expanding your business in new areas. increasing presence on the internet. The first is the potential publicity or disclosure of the R&D (missing the ‘first mover advantage’).
in all the technical domains). In those specific cases. second is a lack of freedom to operate and exploit the outcome of the R&D because of existing competitors‟ IP rights (patents). protect those inventions that are „promising‟ from a business point of view with patent rights. business risks increase dramatically when a decision or move forward is suddenly restricted or made impossible because situations were not assessed in advance from the proper IP angle. this will give you the right to patent your invention. From an IP point of view. taking chances on future developments is recommended whether you will exploit them on your own or with a partner (a sound patent strategy can help companies to protect their R&D and offer tremendous opportunity gains). • In your innovation process.

individuals. Tip: Take sufficient time for negotiations and. etc). if necessary. partially or completely. Business risks in the area of IP could arise in two main areas. JV. Launching new products and services Introducing new products and services in existing and new markets or opening branches in new territories are day-to-day activities for almost any company. existing IP rights – registered trademarks of third parties (competitors. They are key performance drivers. The selling process always includes a thorough valuation of all the assets of the company and the potential or projected earnings. designs and models. Some examples of actions that must be taken to mitigate those risks are: • In the development stage. Tip: Ensure that you keep track of all your IP rights all around the world in a proper IP management information system that is constantly updated. patents. Second. consortium relationships – clearly define the responsibilities or rights for each partner on IP matters that will ultimately limit profit making. Mitigating risks when launching new activities can be achieved by: • Ensuring that you set the right IP clauses in the contracts up front with your partners (exploitation of the trademarks. Tip: First protect your national market. then focus on the ‘biggest’ potential markets plus countries with clear risks of counterfeiting or imitation (apply the 80/20 rule). Tip: Ensure through a proper search that your trademark is ‘meaningful’ in the countries you target. there may be counterfeiting or imitation of the products or services once launched. • Pre-empting ‘IP territories’ up front for future developments. Transferring the ownership of all or part of a company The business news reports daily on companies being sold to financial groups or to group holdings. etc) – could make it difficult or impossible to launch new products and services. IP .
Difficulties will arise in working with business partners unless contracts – on licensing. target countries or regions for short-term and mid-term development (including ‘diversification’ options). building new plants abroad. • Perform ‘active watching’ of your portfolio of trademarks to ensure that no attempts are made to profit from your success. sign a ‘confidentiality agreement’ before the final sign-off. distributing your products and services through new distribution channels. alone or with partners (licensing) – all these business decisions can put your IP rights at risk. First. etc) that are critical to the business for the next three to five years.

nowadays. • non-compliance with legal requirements on your website presence. Tip: Benefit from the expertise of IP firms that have developed state-of-art web scanning tools. copyrights. rights are considered more and more as critical assets in these processes and play a major part in the total valuation of the company (owned portfolio of trademarks and patents. Increasing presence on the internet There is no need to question the importance of internet presence for a company. To mitigate the risks due to your presence on the internet: • Perform ‘active watching’ of your trademarks’ usage on the internet. The major IP risk to face in this case could be a loss of value in the transaction with a ‘neglected’ portfolio of IP rights that cannot be properly valued (‘legal weakness’ of the IP rights. Tip: A thorough legal and financial audit of the IP rights (from a seller or buyer standpoint) must be conducted during the due diligence phase. Furthermore. etc). some major companies state publicly that ‘IP rights’ are included in their deals. unauthorized dealers). leveraging the IP possibilities is: • Ensure that you have a well-managed IP rights portfolio (right protection at the right place. etc). One possible action to mitigate the risks in launching business activities. properly updated and documented). • misuse of trademarks or domain names to ‘abuse’ consumers and redirect navigation flows. privacy policy. licensing agreements. . Tip: Check legal terms visible on your website (terms of use. Tip: Maintain a clean domain names portfolio. • imitation of websites features or lay-out. but it also opens a borderless world for accelerating non-valid business transactions. Some IP risks that have to be faced could be stated this way: • counterfeiting or imitation of the products or services sold on the internet (online. inadaptability to the business development perspective. etc).
the rules for conducting business on the internet from a legal point of view are constantly being updated. • Ensure that you keep control of your ‘access keys’ to the internet (domain names). the only relevant question is ‘How…?’ How do you exist on the internet? How do you live there as a company? The internet is without any doubt a fantastic accelerator for business information and exchanges. with a clear strategy to simultaneously reserve domain names and trademarks (when appropriate). • Ensure that you comply with the legal requirements for your website. Hence.


Recruiting, retaining and motivating people
By definition, IP is ‘driven’ by an intellectual activity; that is to say, it is performed by people ‘employed’ by a company. From an IP rights point of view, risks exist in the following dimensions:
• individual members of the company or partners claiming ‘rights’ on the ownership of a creation or invention;
• disclosure and ‘leakages’ of secrecy;
• demotivation of creativity or development if no clear incentives are related to IP production.
From an HR perspective, examples of actions to mitigate the risks are:
• Ensure that your HR contracts with all employment situations are valid from an IP rights standpoint (employee, traineeship, PhD, sub-contractors etc).
Tip: Pay attention to: (a) confidentiality or non-competition agreements; (b) clause(s) on inventions ownership or rights and rewards of employees (specific to each country).

Conclusion: IP is an ‘insurance’ that mitigates business risks
All the examples mentioned are based on our extensive experience and IP practice serving a very wide range of clients, in different business sectors and operating in different parts of the world. These ‘real life’ examples illustrate that IP is at the core of the competitiveness of companies. Too many business leaders perceive IP as a cost; in the current economic environment, modern business thinking treats IP not only as an ‘insurance’ that mitigates business risks but also as a key development tool for increasing the value of your company. The recent news of some major firms fighting over key IP rights demonstrates that, considering the stakes, IP must be well managed at boardroom level in every company.


4.3

Risk-free branding
Keith Loven, LOVEN Patents & Trademarks

Handled right, a brand can become a significant asset of a business. But if you ignore a few simple guidelines on choosing and using brands and trademarks, you could leave your business exposed to the risk of expensive and damaging legal action. At best, your business could waste money on something that can never become an asset. This article aims to set out those simple guidelines, and the reasons for them.

What is a brand?
It is clear from the examples I see in my day-to-day practice that many businesses have not really thought through what a brand is for; so let’s start with the basics. A brand or trademark is a simple tool to help you sell customers your product or service rather than those of other businesses. Many people think that the function of a brand is to tell customers what they are buying. This is wrong. The product description tells you what you are buying; a brand indicates where it comes from. An example is Heinz® Baked Beans. The product description is baked beans. Baked beans are produced by a wide range of manufacturers, but some consumers will choose the Heinz product, rather than just generic baked beans, because the brand will indicate to them a quality and reliability with which they are happy. The Heinz brand acts as a sort of guarantee, along with, of course, the packaging design – itself an aspect of branding. While many strong brands are words, there will often be design elements (logos) associated with them. Packaging design can be an important aspect of branding, but really anything that fulfils the basic function of indicating origin can be a brand – think, for example, of musical jingles, product design, colour schemes, even smells.

What makes a good brand?
A good brand will fulfil the function mentioned above of helping you sell customers your products or services. A brand is more likely to do a good job if:
• It is not too close to another company’s brand for the same or similar products or services. If customers are likely to confuse your product with someone else’s, they might buy the other company’s instead; and, of course, if the other company has a well-known brand, getting too close to it is likely to attract the attention of their lawyers.
• It is not too close to an ordinary description of the products or services. You cannot stop other companies using everyday descriptions of their own products or services, so if you choose, for example, SUPERBEANS as your brand for baked beans, other companies could quite legitimately claim that their beans are also super beans. Whose super beans do the customers buy?
• It is applicable to any product, rather than only to your original product. What happens when you want to bring out other types of food apart from baked beans? If you have already established a reputation in the original brand, why spend money building up another new brand when you could cash in on the goodwill by applying the existing brand instead? But this will only work if the brand is not product specific.
• It is memorable. The best brands tend to be short and snappy so that they are easily remembered.

Who owns the brand?
It is surprising how often brands are chosen without any thought about other companies’ rights. If your chosen brand looks like another’s brand for the same or similar goods or services, sounds like another brand, or even just gives the same impression to the consumer as the existing brand, then you may have no right to use it. If the earlier brand is registered as a trademark, the mere use of your chosen brand could leave you liable to be sued for damages, an injunction preventing you continuing to use the brand, and costs. This could be very damaging to your business. I have had clients suggest in such circumstances that the owner of the trademark is unlikely to notice their use, and that this was therefore a reason for continuing. In terms of business risk, this is very dangerous. Apart from the possibility that any day you could be hearing from the trademark owner’s solicitors, if you ever come to sell the business, due diligence investigations are likely to reveal the risk and this will have a significant adverse impact on the value of the business. Therefore, it is important to seek professional advice at an early stage so that proper clearance investigations can be carried out before you adopt a new trademark. It is no good leaving this stage until the day before you launch your new product; by that stage you will have paid out for your printing and advertising, all of which might need to be scrapped if your chosen brand conflicts with an existing registered trademark. You need to be seeking advice from a trademark attorney even before you make your choice of brand, since he or she could give you guidance on the selection of brands, and then perhaps help you whittle down your shortlist to include only those brands that are going to be good protectable trademarks.

Protecting a brand
Assuming you have chosen a good brand that is free for you to use, you need to register it as your trademark. While it is possible to accrue common law rights in a brand through extensive use, enforcing those rights can be complicated and expensive because of the evidence required to succeed. There is also the risk that your rights can be eroded by others adopting and registering similar trademarks subsequently. Registration of a trademark clearly establishes ownership and makes it much more straightforward to pursue others who encroach on it. It is not necessary to establish a reputation, or to show that the infringer was deliberately seeking to associate his business with yours. Use of the same or a similar trademark on the same or similar goods or services will be an infringement. Equally, should you come to sell the business, or part of it, ownership of the registered trademark will add to the value of the business.

Maintaining the value of a brand
Trademark registrations need to be renewed every 10 years, so it is important to make proper provision for renewal. Your trademark attorney will be able to look after this for you, but it is also important to make sure that your use of the trademark does not detract from its value, and that any changes that affect the registration are officially recorded as soon as possible. Since the function of a trademark is to help your customers buy your products or services rather than someone else’s, it is important that the trademark is not allowed to evolve into the name of the product. There have been many examples where this has happened, resulting in rights to the trademark being lost. This is why the owners of the Hoover® brand would be upset to see references to a Dyson® hoover, for example. If hoover were to become a generic term for a vacuum cleaner, then the word would stop doing its job as a trademark. You must make sure that the trademark is always used alongside the product description, effectively as an adjective. It is also important to make sure that what you have registered reflects what you are actually using. If you change your brand, you might need to consider applying for a new registration. If you don’t, your registered trademark could become vulnerable to attack. It is also important to make sure that your registration reflects what you are actually selling. If you move the use of the trademark into new product areas, you will again need to review whether an additional registration is required.


Further, it is important to keep an eye on what other companies are using as trademarks. If a competitor starts using or seeks to register a trademark too similar to your own registered trademark, some of the value of your registration might be eroded. It is important to warn off other companies from such use as early as possible to maintain the value of your own trademark. You might need to arrange for a watching service to be initiated so that you can be notified of attempts by others to register similar trademarks. This will need to be done for all the territories in which you sell your products or services.

In summary
1. Choose a brand that does not try to describe the goods or services directly.
2. Check to make sure that no one else has rights in the brand.
3. Register the brand as your trademark.
4. Look after your brand as you would any other valuable property.

The two case studies that follow highlight some of the main points made in this chapter.

Case Study 1: The importance of acting soon enough
A local heating and refrigeration services company with nationwide contracts had been operating under its brand, an acronym of the original company name, for 11 years when, unknown to it, a national company registered the same name for a range of services overlapping its own. It remained in blissful ignorance of this for several more years until the national company noticed the local company’s website and threatened action for infringement. At this stage the company consulted us.

Now, the national company had registered under the 1938 Act, and the transitional provisions of the UK Trade Marks Act 1994 provided that businesses that had been using a trademark before it was registered under the old Act by another company could continue that use without being penalized for infringement. However, our client had to prove its entitlement here, and that meant a lot of work in digging through their records to establish when it started use and exactly what services it had used the brand on. Example invoices had to be provided, with advertisements/directory entries. Eventually, the national company’s lawyers were satisfied, and a co-existence agreement was drawn up between the companies, the effect of which was that the national company would tolerate the local company’s use, but only to the extent that it had been used before the trademark registration had been obtained.

Of course, like many businesses, the local company had extended its range of services over the years, and some services were not first offered until after the national company had registered its trademark. For these services, the local company had lost the right to use its own name in respect of the additional services; it had to remain strictly confined to the scope of its use before the national company registered.

If the local company had registered its trademark in the early days, instead of waiting, it could have guaranteed its right to continue using its own trademark without interference, and hindered or even prevented the national company from registering the trademark. While the old law did recognize rights based on use, under the 1994 Act, this is no longer the case (although if a company can show that it has strong common law rights to prevent another company from ‘passing off’ its goods or services as its own, then it might have grounds to object to that company registering the trademark – but success will all depend on the quality of evidence, and collecting evidence can be very costly). The lesson to be learned from this is that it is vital to secure your company’s trademarks by registration as soon as possible.

Case Study 2: The importance of doing your homework
A client consulted us after receiving a threatening letter concerning possible trademark infringement. He had purchased a business and was assured that the main brand name used by the company was protected because the limited company name included that brand. Regrettably, his solicitors had not questioned this either. The threatening letter came from lawyers acting for the US company supplying the business’s main product. On investigating, we found that the US company was indeed the registered proprietor of the trademark, and since it now wanted to pass the dealership to another UK company, it was understandable that it should want to prevent our client’s business from continuing to use the brand.

We had to advise the client that his position was weak, and that he would have to rename the company and stop using the brand. He would have to develop his own brand along with the replacement product. Unfortunately, the ‘goodwill’ that he thought he had purchased with the business had evaporated.

The lesson here is that one needs to seek proper professional advice from a trademark attorney before any transaction involving trademarks or brands, and that in doing so you look strategically. The registration of a limited company name at Companies House does not guarantee that the business has the right to use the brand. Nor does registration of a domain name. If a trademark is registered, the proprietor has the right to stop others using the same or a similar trademark in relation to the same or related goods or services. The term ‘goodwill’ can be meaningless if someone else owns the brand.


4.4 IP risk estimation and management: the example of patents and patent portfolios
William E Bird, Bird Goën & Co

In this chapter we will discuss risk management of patents as one important example of intellectual property rights (IP).

A patent is a property right but the validity of a patent may be challenged at any time. Hence, there is a legal risk of invalidity at all times. This starts with the patent application, whose validity is in question until the patent is examined and then granted or ‘issued’. For this reason, a patent has been called a probability right – a property right with only a certain probability of being valid.

The legal risk can be reduced by doing searches for relevant disclosures (ie sales, publications, verbal presentations, etc) or prior art, and adapting the patent application and its claims accordingly. The legal risk can also be reduced by obtaining grant of the patent in different jurisdictions, such as Europe, the United States, Japan, as the different examiners at the various patent offices will apply different prior art and hence a more balanced view is obtained.

Even after grant, however, there is still a risk of invalidity. This can be reduced greatly if the patent is challenged unsuccessfully in a serious opposition procedure or before a court. If such a challenge does not happen, the remaining risk can be estimated, for instance by applying actuarial ruin theory. If a patent is revoked (declared invalid) then it is ‘ruined’. Attempts to invalidate the patent can be assumed to follow a model, for example stochastic processes that vary in intensity randomly. Only if the intensity exceeds a certain level will the patent be destroyed. Such a stochastic process leading to ruin can be modelled mathematically.

An idea of the rate at which invalidation attempts reach this ruining intensity can be estimated from the opposition procedures at the EPO, for which considerable information is available publicly. Opposition is raised against about 5–6 per cent of all granted European patents. In a third of the cases the patent is revoked. Hence the rate of effective oppositions is about 2 per cent of all granted patents. This risk factor can be applied to all patents in a portfolio and, if the financial value of the portfolio is known, the financial risk of invalidation can be estimated. If necessary an attempt can be made to insure against this residual invalidity risk.

The commercial risks
Besides the legal risk there are also commercial risks. These may be categorized into technical risks (that an invention cannot be implemented successfully or economically for technical reasons), market risks (that there is no market for the invention) and timing risks (that an invention is made available at the wrong time for the market). Technical risks are clearly in the domain of the applicant of the patent. Market and timing risks are more complex as they relate to how an invention is received by third parties in the market place.

A valid patent must satisfy the requirements of novelty, inventive step and industrial applicability. The legal requirement of novelty is that the claimed subject matter has never been disclosed in any form to the public without a confidentiality restriction in any language anywhere in the world. Hence all patents are about possible future technologies. Predicting the future is notoriously difficult and so is predicting the value of a patent.

An idea as to value of patented technologies can be obtained from the licensing efforts of universities. An example of a US patent portfolio from a well-known US university is given in Figure 4.4.1 below taken over a period of 25 years showing the cumulative revenue for each patent. What is noticeable about the value of patents based on accumulated licence revenues is the skewed or asymmetrical nature of these revenues – and hence in the value of the patents. The range of revenues is over a span of four or five orders of magnitude! Some results obtained from these statistics are interesting:

• Of the 270 cases (involving 400 issued patents) reported in Figure 4.4.1, 160 provided no revenue at all. These cases had only generated patenting costs. That is to say, about 60 per cent of the patenting effort resulted in negative return on investment.

[Figure 4.4.1 Cumulative revenue ($0 to $40,000,000) by invention case number (0 to 300). Source: Investigation of High-Value UCLA Patents, AUTM 2005 Regional Meeting, 3–5 February, Arizona; Ken Polasko, UCLA Office of Intellectual Property.]

• Assuming about $50,000 for the costs of patenting, only about 10 per cent brought in more than they cost to patent – never mind the development costs.
• Only a few of the patents brought in significant figures, say above $500,000.
• A rather shocking fact from these statistics is that significant success occurs with a number of patents that is outside three times the standard deviation from the mean – that means success is an unusual result and statistically unlikely!
• There are a very few big hitters, in fact about 2 per cent. That is to say, 2 per cent brought in over 90 per cent of the total cumulative revenue.

These figures have been confirmed in principle in other studies. The whole patenting exercise is dependent for its success on just a very few development projects – a hallmark of a risky business! One rule of thumb is that only one patent in a hundred has a value greater than $5 million. In fact, this kind of statistic is very difficult to manage.

One way of portraying the difficulty is to compare patents with other well-known traded items that form a basis for investment like stocks, bonds and shares. The so-called Moody ratings are given in Table 4.4.1. Figure 4.4.1 shows that 160 out of 400 granted patents (40 per cent) provided no revenue: in other words, at least this number defaulted. If one looks at the rate of default according to the Moody ratings over a relevant period of time (eg 20 years), the results displayed in Figure 4.4.2 indicate that a default rate of at least 40 per cent would be in class B or possibly in one of the C classes. All these are rated as ‘below investment grade’: ‘very speculative’, ‘substantial risk’, ‘very poor quality’. Note that this does not mean that patents are not a valuable item; what it means is that they are not items that can be traded in a normal way. This is one reason why a market in buying and selling patents has grown only slowly.

Table 4.4.1 Moody ratings
Moody’s rating | Definition | Notes
Aaa | Highest rating available | Investment grade bonds
Aa | Very high quality | Investment grade bonds
A | High quality | Investment grade bonds
Baa | Minimum investment grade |
Ba | Low grade | Below investment grade. ‘Junk bonds’
B | Very speculative | Below investment grade. ‘Junk bonds’
Caa | Substantial risk | Below investment grade. ‘Junk bonds’
Ca | Very poor quality | Below investment grade. ‘Junk bonds’
C | Imminent default or in default | Below investment grade. ‘Junk bonds’

[Figure 4.4.2 Cumulative default rates by rating categories, 1970–2001: default rate (0% to 90%) at Year 5, Year 10, Year 15 and Year 20 for each rating category.]

Another statistic that can be generated from the reported material is that, although revenue is earned early for most of the patents that are successful, for example in less than 12 years from filing, some are still earning 19 years after filing, and some only started earning after 15 years. A technology must be the right one at the right time. That is to say, there is a ‘window of opportunity’. If this is missed – either by being too late or too early – then the patent value is lower or non-existent. From experience, this window can occur at any time during the 20-year life of a patent. This makes it hard to decide when to abandon a project – maybe it will be successful next year! This uncertainty makes patents a very difficult type of business to manage. It is difficult to decide if a patented technology will be successful and when it is going to be successful. It is a risky gambling problem rather than a linear relationship between work input, investment and return. Such a skewed distribution would appear to require very special management techniques if a patenting policy is to be financially successful.

The patent portfolio
One approach to this type of risk is to rely on numbers – the patent portfolio concept. If one patent in a hundred is worth more than $5 million – then let’s have a lot of them. Table 4.4.2 gives the top filers of patent applications at the European Patent Office (EPO) in 2006. Filing over 4,400 patent applications per year means over 20 per working day. This is patent portfolio management on a grand scale. This requires not only the necessary research and development personnel but also an organization able to capture these inventions and convert them into patent applications.

Table 4.4.2 Top filers of patent applications at the European Patent Office, 2006
Rank | Company | Applications filed
1 | Philips | 4,425
2 | Samsung | 2,355
3 | Siemens | 2,319
4 | Matsushita | 1,529
5 | BASF | 1,459
6 | LG Electronics | 1,214
7 | Robert Bosch | 1,093
8 | Sony | 1,088
9 | Nokia | 882
10 | General Electric Company | 768
Source: European Patent Office

With a larger number of patents in a portfolio, the variation in average value is less. A well-publicized statistic from IP Bewertungs AG is shown in Figure 4.4.3. Here the value is given in thousands of euros. This suggests that a typical value will be about €55–65,000 per patent – very consistent with actual average value that can be derived from Figure 4.4.1 above. For a novel and ingenious alternative to the use of the patent portfolio concept, see the UC Berkeley–Novartis agreement discussed in the box below.

Novartis. The company also had the right to review all of the research. entered into a five-year contract with UC Berkeley‟s Plant and Microbial Biology Department in 1998 for $25. whether funded by Novartis or by a government or public source. The university owned the IP but Novartis had the first right to negotiate.4. It could cherry pick the ones it wanted. one has to . The contract clearly makes use of the known statistics on patent value from academia (see Figure 4. IP Bewertungs AG. through its subsidiary Novartis Agricultural Discovery Institute.000. Here there is a David and Goliath situation.1).IP RISK ESTIMATION AND MANAGEMENT 221 • 25 Median Expected value 20 Probability (%) 15 10 5 © IPB 65–70 85–90 120–125 130–135 135–140 70–75 75–80 80–85 95–100 140–145 100–105 105–110 115–120 110–115 125–130 145–150 55–60 60–65 50–55 90–95 0–50 150– 0 Figure 4.4.3 Patent value (in €‟000) Source: Monetary-Patent-Valuation: The certified IPB-Model. The contract was with the entire faculty. Novartis had an option to negotiate a licence for up to one-third of any of these discoveries annually. The small and medium-sized company The accruing of a large-scale patent portfolio is obviously very difficult for small companies and for individuals. This allowed it at least the theoretical possibility to forego the cost of building up a patent portfolio with only a few big hitters and instead to cherry pick the best.000. Novartis obtained through the contract the right to review a large number of projects but was allowed to select just a few of these to negotiate a licence.

The distribution of Figure 4. Extensive legal and technical evaluations can be expensive. or whether you copied or invented the technology yourself independently. for example patent portfolios or patent families. such as those proposed by IP Bewertungs AG and others. The skewed nature of the value distribution (see Figure 4. should also allow a return on investment to be obtained with a reduced transaction cost in comparison to licensing the patents or implementing the technology oneself. whether you knew of the patent. result in better data for the assessment of patent value. A patent is an exclusive. makes no difference. However. The spectre of third-party patent infringement A risk for any company implementing a technology – whether patented or not – is the possible infringement of third-party patent rights. The classic approach to guard against patent infringement is a freedom-to-operate analysis (FTO).1) makes the use of analytical tools such as the Black–Scholes formula (which relies on a normal distribution of both increases and decreases in value) inappropriate. absolute and negative property right. An example of such a methodology is the use of value indicators. legal and market analysis. A patent provides the negative right of excluding others from technology defined by the claims. It is an absolute right. it is necessary to consider patents . The individual patent remains a tough risk to assess – not only for the owner but for any third party as well. Once this trend has become well established there will be more market data available on how patents behave as a traded commodity. Other valuation schemes have been proposed that rely on a less costly retrieval of information.• 222 INTELLECTUAL PROPERTY RISKS hope that the few patents one has will prove able to stop giants in their tracks.3 is then often approximated by a normal distribution log that fits well to real options analysis as there are no negative values. 
greater security can be obtained if a patent portfolio or patent family is considered. The patent auction.000 if done in detail) and only suitable for high-value patents such as those for pharmaceuticals. An alternative is real options analysis.4. This will in itself provide one escape route to reduce financial risk. Once the exact commercially relevant design for a technology to be implemented is known. This technique is considered to be expensive (eg about €100. it is not an acceptance to implement a technology. a search can be made in patent databases to identify dominating patents. if successful in the long term. as this method relies on a certain statistical relationship between the value indicators and patent value. in due course.4. As patents are national rights. the method is recommended for larger numbers of patents. In using real options analysis. The risk of making a mistake can be reduced by detailed technical. This should. The future: patent auctions In the last few years it has become more common to auction off patent portfolios.

With each cut the number of documents left to analyse is reduced but the effort per document increases with each cut as the relevance of the documents increases. . for instance. A safety net for attack by competitors can be provided by a large patent portfolio. Presently. If a competitor attacks for patent infringement. The danger of this type of court case is magnified many times in the United States by the US court system. choosing the right keywords is best left to a person with experience in searching and in the relevant technology. an option that has often been courted is that of patent infringement litigation insurance. someone else‟s patent. As different patent drafters may use different words for the same thing. offered for sale. No EU member state has any legislation on patent litigation insurance that might. Both of these probably have no products that they sell. A study of this topic has been made by the European Commission and a final report was issued in January 2003: A Study for the European Commission on Possible Insurance Schemes Against Patent Litigation Risks. make it compulsory. A patent troll or an individual inventor may obtain the services of an attorney who works on a contingency basis. Such a situation can lead to a cross-licensing defence. To deal with this risk. and any that exist are likely to be expensive. one may have a patent that the competitor infringes. The strategies for carrying out FTO analysis usually involve a series of cuts. Patent insurance pays a company for all or a part of losses incurred if the company infringes. sold. Generally. Either one defends against the patent infringement court case (eg by showing that there is no infringement or the patent is invalid) or one tries to come to the most economical settlement. broad search terms will be included to try to catch all relevant patents and patent applications. or is accused of infringing. 
For small companies with too few patents for a cross-licensing strategy the outlook is grim. there is always the possibility of missing something. Do not be surprised if you get several thousand hits to analyse.IP RISK ESTIMATION AND MANAGEMENT 223 • of each country where a patented technology will be made. As one is trying to prove a negative. If any documents are still left after the last cut. Such a search is often not easy to carry out. hence there is nothing that could infringe a patent of the defendant. Such defences are used often by large corporations with big patent portfolios. Are the patents valid? Does the intended product or method fall under the claims? Can a licence be obtained or is it possible to design around? FTO analysis can be expensive and time consuming. offers to provide such insurance are limited. The interested reader is referred to this extensive report for further details. This will result in a certain amount of noise – hits that are not at all relevant. as keyword searching depends for its success on the choice of keywords. used. This reduces the costs of the plaintiff – an option normally not available to the defendant who is left to bear the heavy costs of legal defence. The cross-licensing defence usually does not work against individual inventors or against patent trolls (those who trawl through patent registers for exploitable opportunities). One may well be in „bet-your-company‟ litigation! Sometimes a major mistake is made with FTO – see the inset on the Polaroid versus Kodak litigation. these will have to be considered in detail. stocked or imported.

For 30 years, Polaroid built and dominated a worldwide market for instant photography. Kodak wanted to get into this market and produced its own design. It considered that it had FTO as this design did not infringe Polaroid’s patents or otherwise these were invalid. Unfortunately for Kodak, the patent infringement court disagreed and in 1985 decided that Kodak had violated Polaroid’s patents for instant photography. The decision ended a nine-year legal struggle between the two photography giants. The final damage award to Polaroid was $924.5 million. Ironically, digital photography dealt Polaroid a fatal blow. In 2001, it filed for bankruptcy.


4.5 Intellectual property litigation
Jacqueline Needle, Beck Greener

Intellectual property (IP) litigation can be expensive, particularly in the United Kingdom. Businesses are said to avoid the expense by ignoring IP and turning their backs on protection for their new products or concepts. This could be an expensive mistake. Inventions and ideas disclosed without protection are effectively donated to all comers, and those who neglect IP by their ignorance increase the likelihood that they will be sued for infringing the rights of others. Any organization that introduces new products or new business methods, or changes the way it promotes itself or its name or brands, could find itself on the receiving end of an action for IP infringement. In a nightmare scenario, a business finds officials on its doorstep empowered to confiscate goods or documents.

In this chapter, we will look at patent litigation as an example of IP litigation generally, and will consider the cost of patent litigation in order to determine whether the cost genuinely provides a reason to avoid protecting innovation. We will consider how a business can effectively use IP, and the steps it can take to avoid becoming embroiled in litigation.

.000 €200.000* €65. with the exception of Germany.000 European patents are currently in force and 50 patent actions are started a year.000.000 €165. at least half are settled before trial.000 Appeal costs €45. The figures for other countries are set out in Table 4. Only 50 per cent of patent actions in France proceed to trial and judgement so that a similar calculation gives a first judgement ratio of 1:10. the costs given for those two countries should be doubled. which is onesixth of those started. in France 250.5.1. In the United Kingdom.2.000* €120.5. The same study looked at the number of European patents in force in various countries and at the number of patent infringement actions started per annum to determine a litigation ratio indicating the incidence of patent litigation. in practice.5. As the table shows. Table 4. Therefore. Of the countries in Table 4.000 Percentage of costs recovered Low Low 100% 100% 50% * Countries where the validity of a patent is not considered in an infringement action.000* €25. For example.000 €550. Even where an action is started. A study for the Commission determined the average amount spent by each party in a patent infringement action in a number of EU countries. so the litigation ratio is 1:5. neither Germany nor Finland considers the validity of a patent in an infringement action and the parties invariably incur the additional costs of a separate nullity action.000.1. in most countries very few patents are the subject of litigation. only about 20 actions a year go to trial. 
The results are set out in Table 4.INTELLECTUAL PROPERTY LITIGATION 227 • The cost of patent litigation The European Commission is so certain that litigation costs adversely affect the take-up of patent rights that it has proposed that anyone applying for a European patent should be required to have compulsory patent litigation insurance.000 €430.000* €120.5.1 The average spend by a party in a patent infringement action Country France Germany Finland Sweden UK First instance costs €80.

5. The study referred to above on behalf of the European Commission found that actions in the Patents County Court generally cost about a third of the cost of actions in the Patent Court. in the Patents County Court a patent attorney may act alone. which can take several days.5. and the Patents County Court was set up to provide affordable patent litigation.• 228 INTELLECTUAL PROPERTY RISKS Table 4.000 20. we are now in an era where patent infringement actions. patent infringement actions in the United Kingdom had to involve three types of professionals. During disclosure each party has to locate and make available internal documents relevant to the issues. The proceedings are concluded by a trial before a specialist patent judge. namely patent attorneys.000 82.000 1:750 1:5. generally in the form of written statements by independent experts. It offers the parties a greater choice of professionals and.000 UK litigation procedures Table 4.000 1:10. UK patent infringement proceedings involve both disclosure and evidence. This reduces the number of professionals needed in a case.000 250.000 1:8. Both parties are required to set out their entire case in written form. for example. . can be undertaken for a much more reasonable cost.000 1:12.1 reveals that patent litigation in the United Kingdom is generally expensive. Hopefully. and evidence is rare. The case then goes to trial before a panel of judges at a hearing that typically lasts up to three hours.000 1:5. is prepared and filed.2 The incidence of patent litigation Country European patents in force 250. and higher than in other European countries. The UK procedure can be compared with that in Germany. This led to considerable expense. In the past. This difference in cost arises out of differences in process. solicitors and barristers. for example. Then evidence.000 1:2. whilst never cheap. More recently. up to and including the House of Lords. 
have been given rights allowing them to litigate in the mainstream English courts. referred to as patent attorney litigators. where there is an emphasis on written submissions. appropriately qualified patent attorneys. There is no disclosure.000 Litigation ratio Ratio to 1st judgement France Germany Finland Sweden UK 1:5.000 300. There have also been changes in practice in these courts that have streamlined procedure and have required the issues to be simplified. The disclosure and evidential stages may take months and can be very expensive.000 1:600 1:2.

distribution and similar. did have to commence an action against Black & Decker when they began to copy his work bench. Even where there is no patent notice. in the United States and in Japan. As so few patents are litigated to trial. it seems bizarre to forgo protection for a valuable innovation to avoid that cost. and substantial costs can be incurred in getting the project to market. However. Not many businesses coming across a new product will decide to copy or emulate it without taking some notice of the warning. This acts as a „keep off the grass‟ sign and can be very effective. were made and sold only by Xerox for the full term of its basic patent. Once a patent application has been filed the innovation can be appropriately marked „patent applied for ‟. have competitors and seek commercial advantages over those competitors. A small company coming into conflict with the . For example. monopoly for nearly two decades. Ron Hickman. The newspaper may be in the bin within 24 hours. Photocopy machines.INTELLECTUAL PROPERTY LITIGATION 229 • Is the cost of enforcement a reason to avoid protection? We have seen that patent infringement actions in the UK can be costly. whilst the patent could provide a platform for profitable trading for 20 years. the patent application will delay competitive copies. which until then had taken place in Mr Hickman‟s garage. For the price of one full-page advertisement in the Daily Telegraph it would be possible to cover the fees arising over a five-year period to obtain grant of a patent for a new invention in a selection of four or five European countries. Effective use of IP All businesses. and extremely valuable. will be relatively modest in such a context. but the potential rewards are high. However. at best it will prevent them. filed before any disclosure of the invention is made. 
a company with restricted production facilities may find it beneficial to turn an infringer into a licensee with full responsibility for the production. it soon became apparent that it would be much more lucrative for Black & Decker to take over the production. Xerox therefore had a de facto. regardless of their size. packaging. for example. many reputable businesses will search for patent applications before deciding whether to proceed with a similar product. It does cost money to pay professional patent attorneys to register trademarks and to draft and file patent applications. There may be scope for licensing or other deals. Even if there is a competitive product on the market. and of that 1 per cent under 20 per cent are subject to trial. no competitor tried to sell competitive machines and there was no need for legal action. Thus. The costs of a patent application. Innovations generally involve many work-hours in their conception and development. At worst. a patent application will involve the competitor in expense in determining the existence and relevance of any patent protection. advertising. for example in testing. fewer than 1 per cent of UK patents are involved in litigation. who invented the ‘Workmate’. a patentee does not have to sue for patent infringement.

and then avoid. • seek professional assistance when required. or rights can be lost. A patent can only help if it is valid. Measures can be taken to restrict the availability of confidential information within a company. perhaps because they see it as just the consummation of days or weeks of everyday work. If it is decided that patent protection is not warranted then public disclosure can be made. an ex-employee of Coca-Cola in the United States who offered part of the recipe to PepsiCo was jailed. It is essential that any new idea of potential worth is kept totally confidential to the company during the early stages of the design or development. Effective use of IP could be vitally important to a small company. many inventors will wrongly define the final result of their labours as obvious. A knowledgeable owner or executive can identify. Employees should be made aware that such confidential information must not be divulged. rights of others does not have the commercial ‘muscle’ that large corporations can use to force a settlement. • have routines in place to safeguard rights. . a positive decision should be made as to whether patent protection is likely to be required. such as James Dyson. and a valid patent can only be obtained if the patent application is filed before there has been any public disclosure of the invention. Safeguard rights Any proprietary information of commercial value should be identified and kept confidential. Adequate knowledge Conflicts can arise. At some time. During any project the executive can also decide whether any of the ideas are so commercially valuable that protection should be sought. IP rights might be the only weapons a small company can deploy in the event of a conflict. A company using IP effectively will: • have a person in authority who has adequate knowledge of IP issues. and departing employees should be reminded that their duty of confidentiality will continue even after they have left.
have had ideas or inventions that have been patented. Recently. it must also be non-obvious compared with what is already known. if appropriate action is not taken during the timescale of a project. The majority of those made rich with the assistance of IP. but it should be realized that putting the idea in the public domain also dedicates it to the public as the right to obtain patent protection in most countries has thereby been given up. especially if a project is thought to be of potential value to the company. However. Not only must an invention be new to be patentable. The recipe for Coca-Cola is still known to only a handful of people and the courts have demonstrated a willingness to protect such secrets. any risk of conflict by undertaking searches to establish the rights of others. Seek professional assistance It is important to get the patenting decision correct.

it would be wise to take professional advice. Before adopting new names. Avoiding litigation Generally. will take further resources to get into the market. Alternative forms of protection. Keep records of all company work leading to ideas and innovations. or negotiate with the competitor before committing to the project. Even if the patent attorney advises that an invention is not generally patentable. brands or innovations. documents or other materials of competitors. • Where there is an identified risk of conflict. may also be available and might be commercially useful. • Where your competitor is found to have rights. • A patentable invention also has to be of industrially applicable subject matter and not in the list of entities that are explicitly excluded from patent protection. For example. ask a patent attorney for ‘freedom to use’ advice. it is only necessary to follow a few simple rules to avoid being the defendant in an unwanted legal action for IP infringement: • Do not copy the products. such as a Community Registered Design. make appropriate searches to establish if competitors have any relevant rights. The inexperienced are often heard to exclaim wrongly ‘you can’t patent that’. The keeping of notebooks is recommended for engineers. move to another project. other protection options may arise. the significant differences between European and US patent laws mean that products that cannot be patented in Europe can often be patented in the United States. and is forecast to have a future. In such circumstances there is a very high chance that the invention will be patentable. If the invention has taken time and money to develop.


5 The Role of IT in Providing Risk Solutions


5.1 How IT can mitigate continuity risks

Alistair King, ICM Computer Group

Introduction

Traditionally, IT and business continuity strategies were developed and executed in isolation from each other. IT was there to serve the information needs of the organization, while business continuity (BC) and disaster recovery (DR) ensured that it could continue to operate when systems were rendered unavailable, and get them back up and running as soon as possible. More recently, forward-thinking organizations have aligned their IT and BC strategies so that business availability can be maximized. More resilient IT infrastructures, designed to protect data and allow for quick and easy recovery, have improved the recovery time and point objectives for data in the case of an ‘incident’ (as defined by the IT Infrastructure Library).

This chapter reviews how IT and business continuity should be thought of as a unified strategy to achieve improved business availability. It will explore the causes of IT downtime and discuss how IT solutions have evolved to include an element of business continuity that is intrinsically embedded into their make up. Finally, it looks at how business continuity strategies can take best advantage of IT solutions to deliver quicker and more complete recovery of IT systems, or key components of applications. Various IT solutions are considered in the context of their recovery time objectives and recovery point objectives.

Recovery point and recovery time objectives defined

These two measures provide the key information from which business continuity analysts work when setting out a recovery plan. There are a number of points to keep in mind here. The business continuity plan will aim to achieve . The recovery point objective (RPO) describes a point in time to which data must be restored in order to be acceptable to the owner or owners of the processes supported by that data. many factors should be taken into consideration as well as just the time it takes to restore the data from the backup: • Factors such as any possible time lapse between the occurrence and the detection of the incident. it is vital to understand that. It should be remembered that lost data may need to be re-entered before the system can be restarted and the business process fully resumed. It may only be necessary in some cases to recover specific information. • locating and informing key individuals. for a business process to resume to a satisfactory level. Other resources can of course be used to replace the failed or unavailable systems on which processes depend. This is why it makes sense to link the two and to consider aspects of business continuity planning when selecting and implementing IT systems. All these will have an impact on the RTO and therefore must be considered in the final calculation. Most importantly. As well as stipulating the recovery time for data and systems respectively. the RPO and RTO will usually define the service level to which that process must be recovered.
These measurements allow IT and business continuity professionals to target and measure the time it takes to recover from a business outage and the point to which data can be recovered. or time to post-process restored data before restarting the downed applications. It is also important to understand that the RTO and RPO define objectives rather than mandatory targets for recovery. • any time necessary to locate the recovery media. When calculating the RTO. it defines the time in which key IT systems must be up and running once again. Essentially this defines how often snapshots of data and full backups need to be taken. The recovery time objective (RTO) defines the amount of time in which a business process must be recoverable for continuity of service to remain undamaged. In simple terms. however. they are almost always dependent on IT systems.

Business continuity plans can put in place alternative systems or provide for a reversion to manual processes. Organizations are thus highly dependent on the stability of their software. planned downtime. In these areas. there are six main causes of downtime. this is often not a viable option. it will always be difficult to recover as the business or process will have an inherent dependency on that software. suppliers and other stakeholders may not be able to get access to the systems they require. Certain high availability solutions can avoid both planned and unplanned downtime where systems may need to be available 24 × 7 × 365. Planned downtime Planned downtime is. the deployment of IT systems can be closely aligned with business continuity and disaster recovery plans to give an organization the best chance of a speedy recovery. a pre-planned exercise that is predictable but still means that employees. in order of magnitude: • • • • • • software failure. operator error. Software failure If a critical software application or operating system fails. According to Gartner Research. Whatever is stopping the system running on the main system will also prevent it being run on any other. environmental disaster The first four causes are IT-related and the frequency of an outage due to them will depend on the IT infrastructure in place. They are. The causes of downtime When organizations are reviewing their business continuity plan it is important to be aware of the causes of downtime so that appropriate solutions can be employed to prevent outages and help the recovery process. Thorough testing. customers. They can be made aware of the planned period of downtime but for the organization it can mean lost business or inefficiencies. hardware failure. The last two causes will require a comprehensive business continuity plan to keep downtime to a minimum. but stipulating acceptable tolerances. restoring the most recent data possible. However. 
ongoing maintenance and the availability of support from the supplier are all vital to minimizing the risk of software failures. by definition. building/site disaster. recovery within a time frame as close to the RTO as possible.

Building. ultimate achievement of RPOs and RTOs and subsequent higher levels of business availability. Of course. Hardware failure The potential for hardware failures can be obviated to a very significant degree through the deployment of systems that will make the recovery process faster. Operator error Any organization that is dependent on its IT systems to support business processes will take all possible and practical measures to avoid errors or system failures from causing downtime. this can enable faster and more accurate recovery. training and the following of best practice in IT service provision using methodologies. Proper and thorough analysis of business requirements and the subsequent evaluation and testing of reliable solutions. thereby further reducing the margin for error. will help to minimize the risk of operator errors. If IT resources are deployed intelligently and with business recovery and disaster planning in mind. site or environmental disaster A comprehensive business continuity plan is needed to fully protect against the impact of any event. but it will never be possible to entirely eliminate the potential for human error. along with the provision of adequate bandwidth. various measures can be taken to minimize the potential for hardware failures in the first place. Ongoing monitoring and management of system and network resources will also help to prevent any outages due to hardware failure. Outages caused by operator error can be addressed to a limited degree by business continuity planning. The selection of systems and principles used can to some extent assist business recovery planning in this area. such as ITIL and PRINCE2. will help to minimize the risk of systems failing and prevent them being placed under excessive strain. storage capacity and other resources.
their recovery in the event of a disaster or major systems failure will largely depend on the rapid restoration of systems and data. . disaster or incident that could render the building or site in which systems are located and processes carried out unusable or inaccessible. Management processes. Specific solutions that provide systems and/or data redundancy and enable faster or ‘hot’ replacement and recovery of components and systems can be highly significant to both business continuity and disaster recovery planning. How IT and business continuity can work together As many business processes depend on IT. while the right management tools can make IT infrastructures easier to manage. But even these measures will not prevent all potential for downtime.

When triangulated with a business continuity centre. will provide improved performance and increased capacity. and will optimize use of available data storage in the live environment. including the need for business continuity planning. By adopting virtualization technologies such as VMware there is an opportunity to save on power and space as well as increasing uptime. However. in most cases. The main driver may be to reduce risk and ensure the organization can continue to function normally in the event of any system outage. There are many more tools on the market now to help increase the resilience and redundancy of systems. As it enables data to be shared or striped across a number of devices. electronic data vaulting and other such technologies to reduce their dependency on a single location. Any benefit to the business continuity plan will be incidental. Even so. The more the organization relies on IT. these systems can be used as an effective part of the recovery plan. The fact that fewer servers are used to service the needs of the business reduces the likelihood of a single failure. But in most cases the justification for investment will be made on the grounds of a defined business requirement and objective. more organizations are now starting to build greater resilience and redundancy into their systems as a matter of course and. organizations are realizing that they cannot have one without the other. the RTO and RPO will depend on the time taken for staff to physically relocate to the recovery site. Increasingly. are deploying storage area networks. . for example. the level of resilience this kind of infrastructure provides is extremely high. A systems area network (SAN). In the real world though. Rather than being dependent on the restoration of a server or specific data. While the impact on other systems and processes may be considered. but also a bulletproof continuity plan. complexity and cost of the datacentre. 
and in the case of a failure system requirements can be spread across the entire server estate. to bolster business continuity. little or no direct thought will be given to the potential implications for recovery. decisions are usually made to meet specific and more immediate requirements. Many. This dependency makes business continuity planning even more essential. where they do. Virtualization as a tool for business recovery With virtualization the initial drive for adoption will almost certainly be the need to reduce the size. the more necessary it is to have not only a highly robust and resilient IT infrastructure. for example. it is important to remember that the principal reason for implementing any technology will not be. Most organizations are in this position today and need to develop the recovery plan around existing systems. it will also provide a high level of data redundancy and as such can be used as an effective component in the business continuity plan. and it is now more viable than ever to use those solutions as active elements of the business continuity plan. In an ideal world you would understand all the issues before you sit down and design your systems and infrastructure.

The need for a well-thought-out and tested business continuity plan is therefore as great as it ever was and. Other legacy technologies. Virtualization solutions need to be configured to meet recovery needs. in order to be effective in the case of a major outage. and generating the backup from that snapshot. there is no one technology that will do everything that is required to recover your business processes. but there is no single solution. the rapid recovery of systems and data will be fundamental to the reinstatement of those processes. data vaulting. data replication tools. but they can never replace the business continuity plan. but you still need a carefully planned strategy for dealing with unforeseen events or downtime. New technologies can help to improve and enhance recovery. . Virtual backup solutions can minimize backup time by taking a snapshot of a virtual machine’s virtual disk. given the increased dependency on IT systems. Data restoration is also quicker because the reduced length of time it takes to provision or restore virtual servers aids the recovery time and point. Technology and the business continuity plan Indeed. organizations depend on IT more than ever. as a consequence. many of the established systems cannot be used to complement the business continuity plan. only provide limited recovery options and offer little in the way of additional options for business continuity planning. Few business processes can operate and deliver the required level of service without the computer systems that underpin them. Certain technologies can provide building blocks for the business continuity plan. Virtualization also provides a useful tool for business recovery. SANs. Summary: achieving optimum business availability for IT-dependent processes Today. to recover those processes. In most organizations today. This will not necessarily recover the entire business process however.
Servers are still largely dependent on ageing backup regimes and out-of-date recovery plans that will no longer meet business requirements. perhaps greater than it has ever been. Virtualization. Because snapshots can be created quickly. Businesses are increasingly dependent on technology to operate and. While the focus must always be on the business process itself. and allow more ambitious RPOs and RTOs to be set. hosting and other technology solutions are making it possible for organizations to build more inherent resilience and redundancy into their infrastructures and achieve faster recovery times for key business processes. The need to plan for outages or loss of access to systems is therefore vital. such as directly attached storage. operations are only briefly interrupted.

there are many tools that can simplify and enhance the process of business continuity planning and recovery. as well as all the technologies and how they can be used to best effect as part of an integrated business continuity plan. data vaulting. replication. By implementing technologies that will make recovery more straightforward. they are deployed for specific purpose and not considered as part of an integrated continuity plan. taken as point solutions. virtualization and other IT solutions and services can all assist and contribute to mitigating risk and to the business continuity plan. As such. SANs. it is important to carry out professional business continuity assessment and planning. and significantly reduce risk. it is only sensible to consider business continuity and disaster recovery planning when selecting new systems that will support key business processes. You need to understand business needs and what needs to be recovered. However. There is no panacea. For this reason. organizations can reduce the amount of time and cost associated with a recovery from unplanned downtime. faster and easier to manage. . hosting. Business continuity is about understanding the organization and what you need to recover and restore to ensure key processes can be carried out. Another factor to consider here is that. but it is only a comprehensive and professionally prepared strategy that can ensure your organization minimizes the risk of downtime and achieves optimum levels of business availability.

but real time will extend into . Coupled with the „need for speed‟. The Faster Payments initiative is just one example of how speed of transactions is increasing and that service delivered will have an immediate impact. mortgage processing and secured loans amongst others – will be carried out with an immediate effect. and this is true in our commercial life. Decisions are based upon information – the analysis of data. Soon the expectation will be that other transactions and applications – risk assessment. With the amount of available data doubling every year we are able to make more informed decisions that improve enterprise performance. Activities that used to take hours now take minutes. We are living in the NOW! society. SAS UK & Ireland Introduction A study of pedestrians in major cities around the world concluded that we are walking up to 30 per cent faster than in 1990. Speed is now essential in transactional process delivery and in the management of certain risks. Decisions that previously took time to reach are expected to be made in shorter time frames.1 Quite literally homo sapiens has stepped up a gear. we are now able to make those decisions more quickly. The initial driver is transaction based.5.2 The real-time enterprise: the need for NOW! Bart Patrick and Mark Elkins. It has not always been so for payment card processing but this is changing.

there are still systems in use that are over 20 years old. „The amount of data being generated is doubling every 11 months and some think it will double every month soon‟ (Dr Jim Goodnight.Smith. sales and others. At the same time. you are presented with a long-term strategic challenge. This has created an environment of hugely different hardware and software even within the same enterprise. to effectively manage the performance of the business. The ability to bring modern risk management techniques into the real-time environment will improve performance. delivering improved dividends to shareholders. These systems are often deeply embedded into the core operations of enterprises and difficult to replace. it‟s about taking the NOW! experience and predicting the future through effective modelling with proven methodologies. better service to clients and competitive advantage to the company. Companies will often wrap these hardened credit. Real time is just not about what is happening at this moment. . There are many challenges in collating that data. after improving risk management functions in real time. May 2007 at the SAS Executive Forum). A Smith or ASmith? Are they all the same person? Have staff entered codes incorrectly? How can we find and cleanse these? • Legacy systems: IT is a rapidly changing environment. in fully meeting the needs of shareholders key decision makers will need to understand just how the business is performing. • Diverse geographies: there is only slow progress in standardizing language. However. • Data integration: if you bring together the geographies. marketing. which has so far been taken on by relatively few organizations. data quality. differing standards.THE REAL-TIME ENTERPRISE 243 • all functions of the enterprise: risk. including: • Diverse systems: companies have merged. differing management and staffing regimes will have entered data in different manners – is it A. • Data quality: over time. 
market and operational risk systems in newer technology to reduce the impact of the requirements they can no longer support. This will take end-user service to new levels. The need for NOW! The growth in the amount of reliable data available to aid risk decision making and performance management continues to grow. finance. the financial status of the business will need to be ascertained. coding structure and data-entry formats within most multinational organizations. Again. SAS CEO. acquired and divested businesses with differing IT standards and protocols. and diverse and legacy systems. This creates huge issues in creating a consolidated view of data.

and information is needed now to beat the competition. for instance. As a society we are moving at an ever-increasing pace.1 Level of data quality and integration in the organization Source: SAS Research. March 2007. Because of the amount of data. But there is now another factor – speed.1 illustrates that only a small proportion (between 1 per cent and 5 per cent) of the companies surveyed in 2007 had any form of fully integrated data. 3% 14% Figure 5. to improve customer service and to win the business. The requirement is for more reliable quality data than ever to be analysed at the point of use. time sensitive . competitive market place. This also impacts on risk where.• 244 ROLE OF IT IN PROVIDING RISK SOLUTIONS Figure 5. accurate analysis needs to be performed – and subject to constant improvement to reflect the dynamic. which is doubling annually. 3% 13% My organization has a standard set of data definitions that everyone follows.2. the inability to give a mortgage applicant an instant decision risks a company taking their business elsewhere. The diagram illustrates traditional considerations in data collation. and of the need for NOW! it sounds like an insurmountable challenge.2. There can be no compromise in terms of the quality of decision making – particular with risk rising up the corporate agenda and being used to direct day-to-day business activity. 5% 12% Data from across all areas of the organization is integrated. Swift. Fully implemented My organization has a single set of accurate. Let‟s look at the need for NOW! In the financial services industry many transactions could be classed as time critical (decisions required in milliseconds). Fairly consistent execution 1% 17% Data within my functional area is integrated. good-quality data that is used for decision making.

(decisions in less than two hours) and time agnostic (a decision needs to be made – at some point within the next week!). This is based on what is acceptable to the customer as Figure 5.2.2 illustrates. All transaction types will and can move, from time sensitive and time agnostic to time critical. Companies that refuse to recognize this are failing to understand their customers' expectations, and will suffer as a consequence.

[Figure 5.2.2 The time continuum: the need for speed. Table comparing time critical, time sensitive and time agnostic transactions.]

But the concept of real-time analytics – with the immediate response – does not benefit only the transactional element of the banking environment. Imagine how the deployment of a real-time enterprise platform would benefit the performance of the entire organization – remember we live in the NOW! society where new channels (the internet and mobile particularly) promote speed and customer convenience.

The accurate, efficient and risk-sensitive use of excess liquidity is the concern of most institutions. In order to achieve this, a near real-time assessment of risk levels, credit, market and operational risk is required and companies must have in place a suitable data and systems architecture that can deliver the analytics required. The drivers for real-time or near real-time risk management are competitive pressure, compliance (the FSA's Treating Customers Fairly (TCF), MiFID, Anti Money Laundering, RegNMS, Cheque 21, etc) and the underwriting of profitable business that delivers shareholder value plus sustainable growth. Kaizen (continuous improvement) techniques must be applied – to adapt to a constantly changing environment.

Organizations are making progress in creating the bedrock on which to build real-time platforms to transform the way they do business. In a recent survey, 28 per cent of companies stated that they had exceeded their previous year's reliance on business intelligence for decisions, and 32 per cent had also improved on their information sharing across the organization, as illustrated in Figure 5.2.3. Over a quarter (26 per cent) of companies reported that they had improved their use of analytics in the last 12 months (SAS Global Enterprise Risk Management research 2007). But this trend will have to be accelerated in order to make it fast and convenient to manage the business in real time. The confidence of proven, robust analytical modelling needs to grow so that a win–win–win situation is created for the organization, customers and shareholders.

[Figure 5.2.3 Real-time analytics: % of companies fairly consistently or strongly executing in areas, exceeded previous years versus maintained/declined, for advanced analytics, availability of technology for information access, cross-organizational data integration, openness to change, information sharing across organization, access to variety of information sources and reliance on business intelligence for decisions. Source: SAS Research, March 2007.]

Real time: a partnership approach?

Creating a real-time decision-making environment is like sailing. The sea can change rapidly and experience needs to be applied to that changing environment in order to reach the desired objective. In other words, models on which decisions are taken on an individual transaction need to reflect the latest corporate experience. In the pursuit of a flexible real-time adaptive platform, responsive to transactional and risk dynamics, organizations need to develop, in conjunction with suppliers and internal IT, a phased approach to deliver the long-term vision of the real-time, risk-driven enterprise. For this to happen, these basics need to be supplemented by three vital items:

• First, a global agreement that supports the global drive needs to be arranged with all suppliers in the chain.
• Second, a close global working relationship needs to be garnered for the global arrangement to work.
• Finally, this needs to be a platform-led development with the partners, to reduce the need for retooling each time a new real-time resource comes on line, and to lower the potential for technology redundancy.

A platform should be robust enough to evolve over time to support all global needs, with no commercial disruption.

Two examples where real-time decisioning is already impacting on business success are:

• Transaction monitoring for payment cards: whereby a true enterprise fraud-detection application, capable of running multiple organizations or levels of hierarchy within a single instance, has been deployed. This provides a 100 per cent real-time score processing on card purchases, payments and non-monetary transactions. Fraud risk is being managed in real time. The consumer has no awareness of the authorization process cycle. At point of sale or ATM there are four simple options: Accept, Accept and Modify Chip Logic, Refer or Decline. Milliseconds are allowable for a decision. No one wants a customer or merchant to wait minutes or hours for a decision, which would be embarrassing for all concerned.
• Customer analysis: acting on customer data, in real time, and presenting this at the point of demand to ensure sales opportunities are never missed, is critical in the competitive retail industry. Any delay in processing huge (and growing) amounts of data in real time can affect profitability. This has been eliminated by integrating the huge amounts of data, just in time.

These are low-level instances. However, in order to have the true real-time enterprise these isolated usages of real-time decision making and analytics need to be expanded. All systems, people and processes need to be brought together. However, a holistic approach is needed in order to obtain the granularity required. Business intelligence and analytics need to evolve to new levels of sophistication to support this.

Evolution is important. The ability to learn from experience is particularly crucial in fraud detection. Fraudsters do not stay still and scams constantly evolve. Both to protect reputation and to prevent financial loss requires the constant evolution of models and incorporation within the authorization process. New modelling technologies and methodologies are available to provide better and faster fraud detection and model evolution.

Any risk-modelling approach must be able to integrate both the value of pooled consortium data and customers' own data into customer-specific and controlled models. These models must be frequently updated to minimize the inevitable effect of model decay over time. The modelling and real-time scoring environment should also be able to support a champion/challenger strategy and the ability to use a range of models for different purposes. By using a champion/challenger approach, new models can be tested against old ones to preserve their effectiveness.

The benefit of partnering increases the organizational understanding of how the system operates, leading to an intimate knowledge of the capabilities of the real-time platform developed. This, in turn, will ensure that an organization can cope with multiple business applications as the real-time environment grows to include all types of risk. The additional value of a partnered, global development should ease transition from the legacy non-time-focused management system.

Real-time maintenance

For this type of solution each and every activity should be captured and stored within a risk data model. The information stored within this database can be used for a number of different purposes:

1. Standardized internal reporting.
2. Ad-hoc internal analysis.
3. Running what-if analyses and simulations during rule building.
4. Providing feeds to regulatory authorities and industry initiatives (eg the APACS PIPJIU).
5. Providing data back to the supplier for customer model refreshes.
6. Providing feeds into the consortium database for consortium model refreshes.
7. Stress testing.
8. Monte Carlo and other scenario analysis.

Items (5) and (6) mean that a software vendor has the information it requires, in the right format, to build and update risk models. This methodology eliminates the high traditional effort required to collate data, shortening the model build process and enabling an increased model refresh rate. The benefit of this is greater accuracy, more reflective of the current environment. This is true for any type of risk: credit, market, operational, fraud, legal and reputational.

Maintenance of data quality and credibility

Your data integration system should evaluate data as it comes in, dynamically correcting errors before they are pushed further into the process, thus improving data credibility.

Creating automated processes for system resilience

Rather than swapping out part or all of the architecture each time there is a capacity issue, why not accommodate this load as a marginal increase in hardware, increasing system stability and availability?

Delivering mid-process report viewing

Why not create a system that can ensure that decision makers have the information they need to do their jobs as soon as they get to the office or go online? Batch processing does not give you the up-to-date information required. There is a huge systems and maintenance overhead in delivering end-of-month reports. Why not make them real time? The real-time platform offers the potential to reduce maintenance and reporting overheads, making systems more efficient and, even better news, giving the business the up-to-date information it needs to create competitive advantage in a changing business environment.

Developing on the real-time platform

Delivering real-time fraud management for card portfolios shows how organizations can start the real-time journey. Credit and debit cards are purely the beginning, and the vision should be for the real-time capability to extend into other risk management areas. The EU faster-payments initiative shows the pace of life and customer service is changing and a real-time processing capability will be required for internet and other payments. Many software vendors claim to offer real-time solutions, but a real-time platform means that solutions can be added to ensure an enterprise-wide approach to risk.

The most time sensitive area of the banking industry is in risk management – in particular credit risk. In credit management the issues run from predicting bankruptcy to fraud detection and on to initial credit risk assessment through to holistic portfolio management. In terms of credit underwriting, the speed and accuracy of decision can be an important factor for both intermediaries and customers alike. In addition, any software deployed must reduce the exposure to default and impaired credit agreements at the point of inception, not in the future. These issues can only be overcome by ensuring that those who need to understand the credit risk status of their entire business know this accurately and can address these challenges NOW!

Any forward-thinking business strategy should be to take a real-time platform, such as that used for fraud management, in order to reach into all areas of organizational performance. The ability to achieve this will determine which businesses lead the pack and which struggle to follow the leaders. The development of a real-time decision-making capability will deliver that competitive advantage.

Note

1. British Council Press Release, Singapore, May 2007. www.britishcouncil.org

5.3

Creating a risk management software solution

Andrew Birch, Symbiant

Introduction

Symbiant specializes in creating data management solutions. In the past we have developed some very powerful and complex tools for some of the world's biggest corporations. So, when we were approached by a Big-Four accountancy firm that needed a risk management solution for its clients, we thought nothing of it and readily agreed.

The firm was trying to help some of its middle-market clients find a risk management tool that was economical to buy and yet included features that other systems appeared to be ignoring, such as virtual workshops, flexible ways of recording risk appetite and linkage to control self-assessment. It did not want to get into selling risk management software itself as its policy in this area is to provide consulting and advice, rather than actual software. So ownership of the software would be ours, as would all the costs of development. The firm gave us some inputs and agreed to work with us as a means of pushing forward risk management thinking and practice.


This therefore was the gamble: how much would it cost us in time and money to develop such a solution? From our initial conversations with the firm, we anticipated three to six months and up to £500,000. This was in April 2005. It took us until March 2006 to have the first working model, a period of almost 12 months, with nine programmers on the job.

The groundwork

We first looked at other solutions on the market to make sure we were not reinventing the wheel. What surprised us the most was the lack of user friendliness that seemed to dominate software in this area. For something that is ideally a company-wide issue (risk management), these other solutions would require a good level of user knowledge and a great deal of training. We knew from years of writing software solutions that if users don't get to grips with the software quite quickly you can forget it. In essence, they just will not use it and that makes the expense pointless. Solutions we create have to be useable, and this is almost our trademark. However complicated the software or the tasks it performs, it must be intuitive and need little or no training for the clients to use it.

We had done this very successfully with Symbiant 'Tracker', which was an internal audit tool for implementing issues and recommendations. The auditors enter issues on to the system and then assign the issue actions to auditees. This gives ownership of the action and the auditees keep the issue updated with their progress. Thus at any one time the auditors know the exact state of all the issues on the system. The companies that had already bought Tracker were telling us how wonderful it was, how they had managed to roll it out and how, without any training, the auditees (users) had taken to it, they were all more than satisfied with what we had created. They also commented on the powerful reporting suite and how it made producing reports for the audit committee such a simple affair. This was the precedent we had to follow. We had to make a risk management tool as good and as easy to use as Symbiant Tracker.

The task in hand

The problems we faced were plentiful. I think the main problem with the other solutions we looked at was that they had been written by experts in a set methodology that directed programmers what to write and assumed everyone who used the solution would understand the process as they performed it. In reality, this is never the case. On the other hand, we are software developers who knew nothing about risk management or its practices. This was our main advantage over the other products on the market. We had to create something we could use and understand, but more importantly that any risk manager, computer literate or not, could use and understand. It is fairly easy to create a solution that will do what you want it to do, but it is difficult to create a solution that will get others to do what you want them to do. Even though there are many more elements to risk management, we had to create a tool that simplified it for the users. It had to allow someone who may never have seen the program before to use it without any training. In other words, we were seeking a solution that a company could embed with very little effort and no steep learning curve.

Workshops or sweatshops

Our first step was to understand the risk management framework: the information that needs to be collected and how that information is assessed. This involved lots of flip charts and asking what must have seemed like very silly questions, especially when we got to risk maps. What was that all about? The workshops helped us to understand this.

We had our voting paddles and a list of 10 risks we had to discuss then measure, gross impact and likelihood, and net impact and likelihood. We started the day full of enthusiasm and by lunch time just wanted the pain to go away. It took us two hours to vote on three risks. One of the voting paddles stopped working for no apparent reason, other paddles missed responses and had to be redone. Worst of all, we knew we had another seven risks to assess. In the afternoon session the first two risks were probably quite accurate, the next five were just a rush and any button would do. We just wanted to bring the day to an end. We had got the message and learned that this had to be the most arduous task risk managers have to endure.

We also discovered that companies tend to run these workshops only once a year at most, the main reason being the logistics and costs involved in getting all the required people together at the same time in the same room, and that they may last a week. So, at best, the risks that companies face on a day-to-day basis are generally only tackled once a year. This in itself seemed to conflict with the combined codes recommendation (derived from the Turnbull Report) that a company's risk identification process should be continuous. Rather than being continuous, this seemed like an annual event, and not one to which people would look forward. Due to the potentially mundane nature of these workshops it has also to be said that the accuracy and quality of the results must be questionable. How can anybody be working efficiently and thinking clearly when they are willing the day to end?

The next part of our training was learning how the results are assessed. We then learned about risk appetite and producing risk registers – normal, standard deviation and distance from appetite, scores totalled and averaged and risk maps plotted with hot spots.

A to Z is not always that simple

Eventually we had a road map, and this was when the huge scale of the task started to dawn on us. The basic architecture of what a solution needs to do provides a total risk management solution: not something that only deals with a small section of the risk process but a solution that would cover all the areas a company needs to run an effective risk programme. The problem was putting this together in a workable intuitive solution. Risk management is actually quite a complex issue, with many parts, simplifying would not be easy.

We had to have a risk identification process: some way that users could make management aware of potential threats. This could partially be done via incident reporting. Give users the ability to report an incident and all the relevant details, which could then be converted to a potential risk by management. Also, questionnaires would help with this task, applying standard, assessment and key risk indicators/performance indicators. In this way management could ask specific questions and use the indicator questions to see if trends or danger zones were emerging.

Goodbye sweatshops

Now to tackle the workshops, something to replace the annual boardroom nightmare. A virtual workshop would allow users to discuss the issues, vote on them and then suggest and ballot a specific treatment, from their own computers, in their own time. It would also allow risks to be assessed in small, workable chunks as they emerged. This would provide a key solution to the current problem of annual risk assessment in the boardroom.

A workshop would be opened and assigned to a group or groups, members of those groups would have access to the workshop(s). All members of the group would receive an e-mail notifying them of the new workshop and all the relevant details. Issues would then be added to the workshop and users could discuss them in a forum/blog style. The workshop would start in the open stage, with a date set when the open stage would finish. Users would then log in, read user comments and add their own responses. This would allow everyone to discuss the issues and ask any questions they may have had.

When the target date was reached the workshop could be moved into its voting phase, a new target date set for when the voting stage will end and an automated e-mail sent notifying the relevant people of what they have to do. Using preset responses users could decide on the gross and net impact and likelihood for each issue and, if required, a risk appetite choice (Figure 5.3.1). Management could then assess those responses in real time using risk maps and other reports.

Once the risks have been assessed the issues that the group felt were not major risks or were within the appetite could be removed from the workshop. The workshop would then be moved into its treatment phase and the automated e-mails triggered. Users would then log in and either suggest treatments or agree with other users' suggestions. The reports would let the management know which were the most popular treatments and they could then adopt one or more of the proposed actions (Figure 5.3.2). The final stage would involve assigning the actions to people so they could carry them out. For this tracking part of 'Risk Suite' we decided to use a cut-down version of Symbiant Tracker. Again an automated e-mail would notify individuals of the action assigned to them and they could report back via the system, keeping the action progress up to date.

A better way

The key to a good product is giving the user a 'better way', and the solution we were creating was certainly achieving that, we just didn't know how much of a better way it would be until someone actually used it for real. But we had managed to make sense of and simplify what had been quite a drawn-out and complicated procedure. All we now had to do was get some users to test it under realistic conditions.
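The voting and assessment stage described above (gross and net impact and likelihood, scores averaged, standard deviation and distance from appetite) can be sketched as follows; this is an added example, not Symbiant's code. The 5-point scales, the impact-times-likelihood scoring (consistent with the scores 25 and 2 in Figure 5.3.1), the appetite limits, the use of a population standard deviation and the sample votes are all assumptions.

```python
"""Turn virtual-workshop votes into a risk register (added example)."""
from statistics import mean, pstdev

# Assumed 5-point scales. Only "Insignificant", "Catastrophic", "Unlikely" and
# "Almost Certain" appear in Figure 5.3.1; the other labels are placeholders.
IMPACT = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}
# Assumed: each appetite choice maps to the highest acceptable net score.
APPETITE_LIMIT = {"Low": 4, "Medium": 9, "High": 16}


def score(impact, likelihood):
    """Impact x likelihood; an unknown label raises KeyError instead of scoring 0."""
    return IMPACT[impact] * LIKELIHOOD[likelihood]


def summarise(title, appetite, votes):
    """Aggregate one risk's votes: averages, spread and distance from appetite."""
    if not votes:
        raise ValueError(f"no votes recorded for {title!r}")
    gross = [score(*v["gross"]) for v in votes]
    net = [score(*v["net"]) for v in votes]
    # Controls should not make a risk worse, so a net score above the gross
    # score usually means the voter swapped the two answers: flag for review.
    suspect = [v["user"] for v, g, n in zip(votes, gross, net) if n > g]
    net_mean = mean(net)
    limit = APPETITE_LIMIT[appetite]
    return {
        "risk": title,
        "gross_mean": round(mean(gross), 2),
        "net_mean": round(net_mean, 2),
        # A wide spread means the group disagrees and should discuss further.
        "net_stdev": round(pstdev(net), 2),
        "distance_from_appetite": round(net_mean - limit, 2),
        "within_appetite": net_mean <= limit,
        "suspect_votes": suspect,
    }


def build_register(workshop):
    """One row per risk, furthest above appetite first."""
    rows = [summarise(r["title"], r["appetite"], r["votes"]) for r in workshop]
    return sorted(rows, key=lambda row: row["distance_from_appetite"], reverse=True)


def carried_forward(register):
    """Risks that stay in the workshop for the treatment phase."""
    return [row["risk"] for row in register if not row["within_appetite"]]


# Constructed sample votes (not data from the book).
WORKSHOP = [
    {"title": "Office printer outage", "appetite": "Medium", "votes": [
        {"user": "voter_a", "gross": ("Insignificant", "Unlikely"),
         "net": ("Insignificant", "Unlikely")},
        {"user": "voter_b", "gross": ("Minor", "Unlikely"),
         "net": ("Insignificant", "Unlikely")},
        {"user": "voter_c", "gross": ("Minor", "Possible"),
         "net": ("Insignificant", "Unlikely")},
    ]},
    {"title": "Credit card fraud", "appetite": "Medium", "votes": [
        {"user": "voter_a", "gross": ("Catastrophic", "Almost Certain"),
         "net": ("Major", "Possible")},
        {"user": "voter_b", "gross": ("Catastrophic", "Likely"),
         "net": ("Moderate", "Possible")},
        {"user": "voter_c", "gross": ("Catastrophic", "Possible"),
         "net": ("Moderate", "Likely")},
    ]},
]

if __name__ == "__main__":
    register = build_register(WORKSHOP)
    for row in register:
        print(row)
    print("treatment phase:", carried_forward(register))
```

Risks whose averaged net score is at or below the appetite limit drop out before the treatment phase, which mirrors the removal step described in the text.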

[Figure 5.3.1 Workshop discussion – voting on gross and net impact. Screenshot of a vote showing gross impact Catastrophic, gross likelihood Almost Certain, gross score 25; net impact Insignificant, net likelihood Unlikely, net score 2; appetite Medium.]

[Figure 5.3.2 Proposal options. Screenshot of the discussion thread for Risk 18. Summary: Credit card fraud. Risk: If we are seen as a soft spot for card fraud it could cost us a lot in bank charges and possible revoking of our merchant account. Objective: To hit €20m turnover by January 2010 (3 years). Thread subjects: risk rating; Co Cash only; Needs urgent attention. Displayed post: "Doesn't chip and pin check for fraud cards? If we have chip and pin surely we have only what everyone else has?"]

We approached our client base and asked for volunteers. Out of about 35 volunteers we picked 10 from different sectors so that we could get a spread of opinion. All the testers liked the solution and made suggestions as to what they would need to make it work for them. This in itself became a new task, the basic structure was in place and so all we had to do was modify it so that it would fit into all 10 companies. We ended up making the solution use a skin template so users could rename things and change the layout to suit their own individual requirements and terminology.

The bugs

One of the most annoying parts of software development is the bugs, and Risk Suite had its fair share, but after a few months of intensive trials across 10 companies we found probably 98 per cent of them. Once we had fixed the bugs we knew about, and added all the 'nice to have' features that our volunteers had suggested, we launched 'Risk Suite Version 1' as an affordable total risk management solution.

One of our first clients was the Institute of Chartered Accountants in England and Wales (ICAEW), which was then looking for a risk management solution. To say they were impressed may be an understatement. They were so impressed they took the unusual step of endorsing it as a user. As they had never endorsed any software before or since, this in itself gave testimony to what a superb product we had created.

Since then we have continued to build and develop Risk Suite in response to user feedback. User feedback is the best way to develop a program. We are now on Version 2.4 and have users all over the world.

Roll out

Because Risk Suite is installed on the corporate intranet or internet, it does not need to be installed on everyone's PC. This makes rolling it out simple and, because it is intuitive, it is easy to embed. We get people without any training who have never seen Risk Suite identifying risks, assessing them and suggesting treatments. When we provide the risk managers with a risk register and risk maps, all created from their users' input, we can feel their joy of knowing there is finally a product to help them do their job properly.

When we first started out to develop Risk Suite the last thing I would have expected is that risk management is fun, but I have to admit that I now love running the workshops when we are doing demonstrations for clients.

We have also recently learned that The Cape Peninsula University of Technology in Cape Town South Africa uses our Risk Suite to teach students about risk management and what an effective risk program should consist of. Apparently, the students enjoy using the program, it is fun to use and they are impressed with its capabilities.

If readers would like to learn more about Risk Suite or Tracker, or to arrange a free trial, please contact Symbiant at www.symbiant.co.uk.

uk www.co.com .com www.uk Beck Greener Fulwood House 12 Fulwood Place London WC1V 6HR Tel: +44 (0) 20 7693 5600 Contact: Jacqueline Needle e-mail: jneedle@beckgreener.hartop@appleyards.beckgreener.appleyards.com www.Appendix: Contributors‟ contact list Appleyards Ltd Appleyards House 72 Brighton Rod Horsham West Sussex RH13 5BU Tel: +44 (0) 8705 275201 Fax: +44 (0) 8705 143047 Contact: Scott Hartop e-mail: scott.co.birdgoen.com Bird Goën & Co Klein Dalenstraat 42A B-3020 Winksele Belgium Tel: +32 (0) 1648 0562 Fax: +32 (0) 1648 0528 Contact: William Bird e-mail: ipadmin@birdgoen.

Muir@cimaglobal.com www.com www.org www.cimaglobal.cedr.uk Chartered Institute of Management Accountants (CIMA) 26 Chapter Street London SW1P 4NP Tel: +44 (0) 20 7663 5441 Fax: +44 (0) 20 7663 5442 Contact: Lottie Muir e-mail: Lottie.com www.miller@comsec-international.cision.lees@cips.uk www.APPENDIX 259 • Centre for Effective Dispute Resolution (CEDR) 70 Fleet Street London EC4Y 1EU Tel: +44 (0) 20 7536 6000 Fax: +44 (0) 20 7536 6001 Contact: Andy Rogers e-mail: arogers@cedr.com Commercial Security International Ltd 123 Aldersgate Street London EC1A 4JQ Tel: +44 (0) 20 7553 7960 Contact: Neil Miller e-mail: neil.org Cision UK Ltd Cision House 16–22 Baltic Street West London EC1Y 0UL Tel: +44 (0) 20 7251 7220 Fax: +44 (0) 20 7689 1164 Contact: Paul Miller Direct line: +44 (0) 870 736 0010 e-mail: paul.comsec-international.com .co.miller@cision.co.com Chartered Institute of Purchasing & Supply (CIPS) Easton House Easton on the Hill Stamford PE9 3NZ Tel: +44 (0) 1780 7567 77 Fax: +44 (0) 1780 7516 10 Contact: Liz Lees e-mail: liz.cips.

com .co.hsbc.uk www.com www.control-risks.com Gill Jennings & Every LLP Broadgate House 7 Eldon Street London EC2M 7LH Tel: +44 (0) 20 7377 1377 Fax: +44 (0) 20 7377 1310 Contact: Peter Finnie e-mail: pjf@gje.ey.com www.com www.com www.gje.com Corfin Communications Floor 11 78 Cannon Street London EC4N 6HH Tel: +44 (0) 20 7929 8998 Fax: +44 (0) 20 7929 4869 Contact: William Cullum e-mail: wcullum@corfinpr.co.com@ek.ey.com Ernst & Young LLP Risk Advisory Services 1 More London Place London SE1 2AF Tel: +44 (0) 20 7951 2000 Fax: +44 (0) 20 7951 1345 Contact: Fiona Sheridan e-mail: fsheridan@uk.ey.• 260 APPENDIX Control Risks Cottons Centre Cottons Lane London SE1 2QG Tel: +44 (0) 20 7970 2100 Fax: +44 (0) 20 7970 2222 e-mail: enquiries@control-risks.corfinpr.uk HSBC Operational Risk Consultancy Bishops Court 27–33 Artillery Lane London E1 7LP Tel: +44 (0) 7357 661 2853 e-mail: davidbreden@hsbc.

uk .uk www.loven@loven.briggs@lrqa.uk The Institute of Risk Management 6 Lloyd‟s Avenue London EC3N 3AX Tel: +44 (0) 20 7709 9808 Fax: +44 (0) 20 7709 0716 Contact: Rebecca Brueton e-mail: rebecca.org www.theirm.king@icm-computer.brueton@theirm.com www.loven.lrqa.co.uk www.icm-computer.co.com LOVEN Patents and Trademarks West Central Runcorn Road Lincoln LN6 3QP Tel: +44 (0) 1522 801111 Fax: +44 (0) 1522 870505 Contact: Keith Loven Direct line: +44 (0) 1522 801113 e-mail: keith.co.org Lloyds Register Quality Assurance Limited LRQA Centre Hiramford Middlemarch Office Village Siskin Drive Coventry CV3 4JF Tel: +44 (0) 24 7688 2288 Fax: +44 (0) 24 7630 6055 Contact: Alex Briggs e-mail: alex.co.APPENDIX 261 • ICM Computer Group ICM House Oakwell Park Oakwell Way Birstall West Yorkshire WF17 9LU Tel: +44 (0) 1924 422 111 Contact: Alistair King e-mail: Alistair.

com www.• 262 APPENDIX McKinty & Wright 5–7 Upper Queen Street Belfast BT1 6FS Tel: +44 (0) 28 9024 6751 Fax: +44 (0) 28 9023 1432 Contact: Sean McGahan Direct line: +44 (0) 28 9041 2820 e-mail: sean.co.saville-king@norlandmanagedservices.sas.fr www.patrick@suk.norlandmanagedservices.mcgahan@mckinty-wright.uk www.fr@novagraaf.com/uk .sas.fr SAS UK & Ireland Wittington House Henley Road Medmenham Marlow Buckinghamshire SL7 2EB Tel: +44 (0) 1628 486 933 Fax: +44 (0) 1628 483 203 Contact: Bart Patrick e-mail: bart.uk Novagraaf France 122 rue Edouard Vaillant 92593 Levallois-Perret France Tel: +33 (0) 1 49 64 60 00 Fax: +33 (0) 1 49 64 60 60 Contacts: Eric Achour and Jean-Louis Somnier e-mail: tm.novagraaf.uk Norland Managed Services Limited 454 – 460 Old Kent Road London SE1 5AH Tel: +44 (0) 20 7231 8888 Contact: Paul Saville-King e-mail: paul.co.co.

co.uk www.APPENDIX 263 • Siemens Insight Consulting 5 The Quintet Churchfield Road Walton on Thames Surrey KT12 2TZ Tel: +44 (0) 1932 241000 Fax: +44 (0) 1932 236868 Contact: Dominic Healey e-mail: dominic.com www.healey@siemens.siemens.uk .com www.uk www.uk Strategic Risk Partnerships Ltd St Clare House 30 –33 Minories London EC3N 1DD Tel: +44 (0) 20 7977 6770/6772 Contact: Karen Smith e-mail: grouprisk@srplondon.srplondon.symbiant.uk Symbiant Westgate House 100 Wellington Street Leeds LS1 4LY Tel: +44 (0) 113 237 394 Contact: Andrew Birch Direct dial: +44 (0) 1943 870052 e-mail: andrew@symbiant.co.co.co.sungard.com SunGard Availability Services (UK) Limited Units 12–13 Bracknell Beeches Old Bracknell Lane West Bracknell Berkshire RG12 7BW Tel: +44 (0) 800 143 413 Contact: Piper-Ann Shields e-mail: infoavail@sungard.co.

• 264 APPENDIX Thomas Miller Risk Management (UK) Ltd International House 26 Creechurch Lane London EC3A 5BA Tel: +44 (0) 20 7204 2569 Contact: Lee Tricker e-mail: lee.com www.xlgroup.tricker@thomasmiller.com .com www.kelly@xlgroup.tmrm.com XL Insurance Group XL House 70 Gracechurch Street London EC3V 0XL Contact: Donal Kelly e-mail: donal.

effect on 114 relationships and reputations 113 consolidation and transition risk 22 conspiratorial risk aversion policy 131 consumer demand risk 24 corporate reputation 81 corporate strategy and risk xxiv digital content. measurement 116 productivity.165 plan 185 et seq SMEs 188 and technology 240 business interruption cover 121 business planners. long tail 74 disease pandemic risk 24 emerging markets risk 21 China risk 25 complexity.Index ageing consumer and workforce risk 21 all risks property damage insurance 122 attention economy 73 board accountability 90 and responsibility 90 and risk management 90 brand. risk 209 et seq ownership 210 protection 211 quality 210 value maintenance 211 BS 25999. designing in 57 communications technology 72 et seq continuity risks. effect of 163 et seq and supply chain 188 business continuity and IT 238 management 163. and risk 67 combined risk profile 12 commercial property damage and business interruption insurance 119 et seq compliance. best practice 111 et seq management strategy 115 resolutions options 116 styles. securing 182 branding. use of IT 235 et seq contract risk 89 et seq contracts 91 cost inflation risk 23 corporate governance. managing risk 43 critical engineering and risk management (CREM) 149 et seq . burden of 173 compulsive risk assessment psychosis 130 conflict cost 112 literacy 116 management.

strength of 201 et seq risk estimation and management 216 et seq . 229 UK procedures 228 portfolio concept 220 SMEs 221 third party infringement 222 performance monitoring 174 plan failure risk 23 political risk 65 et seq best practice 70 business planning. future of 79 organizational structure. 9 and banking 8 enterprise-wide scenarios 13 nature 30 and role of technology 27 et seq trends 27 enterprise risk strategy 5 et seq Ernst and Young Strategic Risk Radar 19 global financial shock risks hidden structures. mitigation of continuity risks 235 et seq virtualization 239 kaisen techniques 245 loss exposure. and risk management 101 IT. visibility 21 58 internet. understanding 47 patents and patent portfolios 216 et seq auctions 222 commercial risks 217 default rates 219 freedom to operate analysis 222 litigation cost of 227. causes of 237 energy shocks risk 23 enterprise risk management (ERM) 8. expansion 205 R & D 204 rights.• 266 INDEX culture and behaviours 155 and engineering infrastructure 150 the five pillars 152 et seq data collation. need for 243 Disaster Cover Direct 187 downtime. misalignment with 69 nature of 66 power law graph 75 PRIMAL 141 innovation failure risk 25 insurance compliance and standardization 125 in corporate risk management 121 industrial/commercial tailored cover 123 principle of trust 126 integrator system approach 140 intellectual property risk 195 et seq due diligence 199 effective use of 229 the internet 206 litigation 226 et seq avoidance 231 nature of 203 new products 205 ownership. food risk 180 mitigation 182 management systems 40 adopting 139 certification 44 competitive advantage 44 and corporate governance 39 et seq implementing 42 management outside 135 risk management 135 et seq media information cycle 78 news.

risk management solution 251 et seq stakeholders. risk in food industry 177 et seq insurance 184 regulatory risk 177 unsafe product 179 property damage and business interruption insurance 122 real time maintenance 248 partnership approach 246 platform development 249 recovery point. 60 engineering 151 external 84 identification and assessment 10 intellectual property 195 et seq acquisition 196 enforcement 197 exploitation 196 monitoring 197 legal language 129 management applications 91 managerial 84 mitigation and controls 11. 57. recovery time objectives 236 regulatory and compliance risks 19 regulation and process 31 reinsurance 123 reputation 82. 98 and communications technology 72 et seq risk 83 reputation risk 102 identification 85 management 86. role 100 strategic purchasing and supply 157 et seq business risk environment 160 . problems of 5 scenario analysis in operational risk scenarios 148 shortcomings 147 scenario planning 146 scenario testing and operational risk 142 et seq definition 143 information sources 145 scenarios. private equity risk 25 product recall. strategy 17 et seq cultural 84 dynamics 55. comparison 9 risk management champions 48 communication. need for 49 and critical engineering 149 et seq incentives 48 fragmentation 68 practical embedment 46 software solution 251 et seq scale. 68 networks and impact families 57 and procurement 92 and quality 41 silos 12 supply chain 171 et seq types. 87 measurement 85 as PLC 98 et seq reporting 86 radical greening risk 23 real-time enterprise 242 et seq and transactional speed 242 risk allocation to third party 92 assessment workshops 47 aversion factors 29 business. development methodologies 144 search engine optimization 76 search performance 77 service or product delivery 93 procurement 95 siloed risk approach 34 social upheaval 77 software.

principles of 175 management 173 risk 171 et seq SME's. new perspectives 51 et seq communication 59 stress testing. role of professionals 159 strategic risk. and operational risk 142 et seq definition 143 information sources 145 supply chain assurance. designed-in 51 assumptions 52 value generators and value protectors 157 et seq war for talent risk 24 . crisis risk management 105 et seq current threat and motivations 106 evolution 105 management plan 108 organizational performance 106 planning 107 rehearsing and training 108 uncertainty. effect on risk management 32 pyramid 33 risk 35 impacts 37 temporary staff 161 terrorism. protection of 185 et seq systems.

28 Stewart – Risk Management Information Software lx–lxiv Strategic Risk Partnerships Limited 120 SunGard Availability Services 164 Symbiant Ltd 252 Synergi xviii XL Insurance xii. 178 . 234 Intercontinental Hotels & Resorts lii–lviii The Institute of Risk Management v–vii LOVEN 208 LRQA 136–37 McKinty and Wright Solicitors xxviii–xxxii Novagraaf 202 The Patent Office xxvi Risk Frisk xx–xxiii.Index of advertisers Appleyards 53 Assurant Solutions xxxvi–xl Beck Greener 225 Bird Goën & Co 215 BSI Business Information viii The Chartered Institute of Purchasing & Supply 158 CIMA ii Cision x–xi Companies House xiv CSi – Commercial Security International Ltd 104 Control Risks 64 Ernst and Young 16 Gill Jennings & Every LLP ix Halcrow xxiv HSBC Insurance 6–7 ICM 186. lxvi–lxix Rushton International xliv–xlviii SAS xvi.
