
Part 5

Risk response

Learning outcomes for Part 5
• provide alternative definitions of enterprise risk management (ERM)
and identify the key features of an enterprise-wide approach;
• describe the 10 steps in the implementation of a successful ERM
initiative, as set out in more detail in Appendix B;
• outline the importance of risk appetite as a planning tool in the
implementation of a risk management initiative;
• describe the relationship between risk appetite, risk exposure and
risk capacity and the interface with operations, projects and
strategy;
• describe the risk response options in terms of tolerate, treat,
transfer and terminate, and explain how these can be shown on a
risk matrix;
• describe the types of controls that are available, in terms of
preventive, corrective, directive and detective (PCDD) controls;
• explain how to determine whether controls are cost-effective, how
controls change loss expectancy and how to learn from controls.

ENTERPRISE RISK MANAGEMENT


Enterprise-wide approach
• The fundamental idea behind the ERM approach is to move
away from the practice of risk management as the separate
management of individual risks.
• The ERM approach means that an organization looks at all the
risks that it faces across all of the operations that it
undertakes.
• ERM is concerned with the management of the risks that can
impact the objectives, key dependencies or core processes of
the organization.

Definitions of ERM
Comprehensive definition of ERM:
• ERM involves the identification and evaluation of significant
risks, assignment of ownership, completion and monitoring of
mitigating actions to manage these risks within the risk
appetite of the organization.
• The outputs are the provision of information to management
to improve business decisions, reduce uncertainty and provide
reasonable assurance regarding the achievement of the
objectives of the organization.
• The impact of ERM is to improve efficiency and the delivery of
services, improve allocation of resources (capital) to business
improvement, create shareholder value and enhance risk
reporting to stakeholders.
ERM in practice
• The principles of risk management set out as PACED are
fully applicable to the practice of enterprise risk
management.
• The principles of risk management are that it should be
proportionate, aligned, comprehensive, embedded and
dynamic (PACED).

ERM and business continuity
• The normal approach to risk management is to evaluate
objectives and identify the individual risks that could impact
these objectives.
• The output from a business impact analysis is the
identification of the critical activities that must be maintained
for the organization to continue to function.
• The process differs between ERM and BCP, because the
former is concerned with the management of the risks that
could impact processes, whereas business continuity is
concerned with actions that should be taken to maintain the
continuity of individual activities.
ERM in energy and finance
The objective of an ERM initiative is to enhance shareholder
value by:
• improving capital and efficiency by providing an objective
basis for allocating resources and exploiting natural hedges
and portfolio effects;
• supporting financial decision making by considering areas of
high potential adverse impact and by exploiting areas of
risk-based advantage;
• building investor confidence by stabilizing results and
protecting them from disturbances and thus demonstrating
proactive risk stewardship.

IMPORTANCE OF RISK APPETITE


Risk capacity
• Most organizations have not determined the value they should risk
(risk appetite), nor calculated how much value is actually at risk (risk
exposure), nor the capability of the organization to take risk (risk
capacity).

Nature of risk appetite

Figure 26.2 illustrates the concepts of risk appetite, risk exposure and risk capacity. Risk appetite
is illustrated by way of shaded squares on the risk matrix and the overall risk exposure of
the organization is shown as a curved line. This illustration represents risk appetite, exposure
and capacity for a risk-averse organization.
Nature of risk appetite

This represents a situation where the organization may be taking risks
that are beyond the ultimate risk capacity of the organization. To make circumstances worse,
the actual risk exposure of the organization is shown as well within the darker area.
Risk management and uncertainty

TOLERATE, TREAT, TRANSFER AND TERMINATE

The 4Ts of hazard response
The 4Ts of hazard risk management can be summarized as:
• Tolerate;
• Treat;
• Transfer;
• Terminate.

Risk tolerance
• Risk tolerance is defined in British Standard BS
31100 as the ‘organization’s readiness to bear
the risk after risk treatments in order to achieve
its objectives’.
• An organization may have to tolerate risks that
have a current level beyond its comfort zone and
its risk appetite.

Risk treatment
• When the level of risk exposure (likelihood) associated with a
particular hazard is high but the potential loss (impact)
associated with it is low, the organization will wish to treat the
risk.
• Risk treatment will often be undertaken with the risk at the
inherent and/or current level, so that when the risk has been
treated, the new current level or target level may become
tolerable.

Risk transfer
• When the likelihood of a risk materializing is low but the
potential impact is high, the organization will wish to transfer that
risk.
• Insurance is a well-established mechanism for transferring the
financial consequences of losses arising from hazard risks and
(to a lesser extent) control risks.

Risk termination
• When a risk is both of high likelihood and high potential
impact, the organization will wish to terminate or eliminate
the risk.
• It may be that the risks of trading in a certain part of the world
or the environmental risks associated with continuing to use
certain chemicals are unacceptable to the organization and/or
its stakeholders.
• It is likely that such control measures will be a combination of
risk treatment and risk transfer.
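The four response rules on the slides above, together with the loss-expectancy and cost-effectiveness test named in the learning outcomes for this part, can be worked through on a small risk register. The Python below is an added example, not material from the slides or from the book they follow. It assumes 1-to-5 scoring bands for annual probability and for loss, a cut-off of 4 for "high", a risk-averse appetite rule (the shaded squares are the cells whose score product is at most 6), the conventional low-likelihood/low-impact cell as "tolerate", and a constructed three-risk register. Controls move a risk from its inherent level to a current level, as the risk treatment slide describes, and the current level is then checked against the appetite.

```python
from dataclasses import dataclass, field

# Assumed scoring bands: a value above the n-th band scores n+1, so scores run 1 (low) to 5 (high).
PROB_BANDS = (0.01, 0.05, 0.20, 0.50)                  # annual probability of occurrence
LOSS_BANDS = (10_000, 100_000, 1_000_000, 10_000_000)  # monetary loss from one occurrence
HIGH = 4                                               # assumed cut-off: scores 4 and 5 are "high"

@dataclass
class Control:
    """A control: the share of probability/loss left after it is applied, and its yearly cost."""
    name: str
    probability_factor: float  # 1.0 = no effect on likelihood, 0.5 = halves it
    loss_factor: float         # 1.0 = no effect on impact, 0.1 = a tenth of the loss remains
    annual_cost: float

@dataclass
class Risk:
    """A hazard risk at its inherent level (before controls), plus the controls applied to it."""
    name: str
    annual_probability: float
    loss: float
    controls: list = field(default_factory=list)

def score(value: float, bands: tuple) -> int:
    """Convert a probability or a loss into a 1..5 matrix score using the bands above."""
    return 1 + sum(value > band for band in bands)

def four_t_response(likelihood: int, impact: int) -> str:
    """The 4T rule from the slides: high/high -> terminate, high likelihood and low impact -> treat,
    low likelihood and high impact -> transfer; the remaining low/low cell is tolerate (assumed)."""
    high_l, high_i = likelihood >= HIGH, impact >= HIGH
    if high_l and high_i:
        return "terminate"
    if high_l:
        return "treat"
    if high_i:
        return "transfer"
    return "tolerate"

def risk_averse_appetite(max_product: int = 6) -> set:
    """The shaded squares of the matrix: cells accepted as they are (assumed rule: score product <= 6)."""
    return {(l, i) for l in range(1, 6) for i in range(1, 6) if l * i <= max_product}

def residual(risk: Risk) -> tuple:
    """Annual probability and loss once every control on the risk has taken effect."""
    p, loss = risk.annual_probability, risk.loss
    for c in risk.controls:
        p, loss = p * c.probability_factor, loss * c.loss_factor
    return p, loss

def evaluate(risk: Risk, appetite: set) -> dict:
    """Inherent/current cells, 4T response at the current level, appetite check, control cost test."""
    p, loss = residual(risk)
    inherent = (score(risk.annual_probability, PROB_BANDS), score(risk.loss, LOSS_BANDS))
    current = (score(p, PROB_BANDS), score(loss, LOSS_BANDS))
    ale_before = risk.annual_probability * risk.loss  # annualised loss expectancy, inherent level
    ale_after = p * loss                              # annualised loss expectancy, current level
    control_cost = sum(c.annual_cost for c in risk.controls)
    # controls are cost-effective when the fall in loss expectancy exceeds what they cost
    return {"inherent": inherent, "current": current, "response": four_t_response(*current),
            "within_appetite": current in appetite, "ale_before": ale_before, "ale_after": ale_after,
            "control_cost": control_cost, "cost_effective": (ale_before - ale_after) > control_cost}

def render_matrix(positions: dict, appetite: set) -> str:
    """Text matrix (rows impact 5..1, columns likelihood 1..5): '#' inside appetite, '.' outside."""
    rows = []
    for impact in range(5, 0, -1):
        cells = []
        for likelihood in range(1, 6):
            tags = "".join(t for t, cell in positions.items() if cell == (likelihood, impact))
            cells.append((tags or ("#" if (likelihood, impact) in appetite else ".")).ljust(3))
        rows.append(f"I{impact} " + "".join(cells))
    rows.append("   " + "".join(f"L{l}".ljust(3) for l in range(1, 6)))
    return "\n".join(rows)

def register_report(risks: list, appetite: set) -> tuple:
    """Evaluate every risk and draw the matrix with each risk's first letter at its current cell."""
    results = {r.name: evaluate(r, appetite) for r in risks}
    matrix = render_matrix({name[0]: res["current"] for name, res in results.items()}, appetite)
    return results, matrix

# Constructed sample register (not taken from the slides); figures are illustrative only.
SAMPLE_RISKS = [
    Risk("Ransomware outage", 0.30, 2_000_000, [Control("offline backups", 1.0, 0.25, 60_000),
                                                 Control("patching and MFA", 0.4, 1.0, 40_000)]),
    Risk("Fire in data centre", 0.02, 5_000_000, [Control("property insurance", 1.0, 0.1, 30_000)]),
    Risk("Phishing of staff", 0.60, 20_000, [Control("awareness training", 0.5, 1.0, 15_000)]),
]

if __name__ == "__main__":
    report, matrix = register_report(SAMPLE_RISKS, risk_averse_appetite())
    print(matrix)
    for name, res in report.items():
        print(name, res["inherent"], "->", res["current"], res["response"],
              "cost-effective" if res["cost_effective"] else "not cost-effective")
```

Running the block prints the matrix and one line per risk. The sample shows a terminate-quadrant risk brought down by its controls to a cell that falls in the tolerate quadrant but still sits outside the appetite (the situation the risk tolerance slide describes), a transfer-quadrant risk moved inside the appetite by insurance, and a treat-quadrant control whose yearly cost exceeds the loss expectancy it removes.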

Project and strategic risk response

RISK CONTROL TECHNIQUES


Hazard risk zones

Types of controls
• The most convenient classification system is to describe these
controls as preventive, corrective, directive and detective.

Description of types of hazard controls

CONTROL OF SELECTED HAZARD RISKS

Risk control
• Risk treatment is sometimes referred to as risk
control and it includes the selection and
implementation of actions to reduce risk
likelihood and risk impact.

Control of financial risks
Fraud
• Fraud occurs when there is the motive for undertaking it, the
organization has assets that are worth stealing, there is an
opportunity to undertake the theft or fraud and there is a lack of
adequate control.

Control of financial risks
Historical liabilities
• One of the most difficult financial risk areas for organizations is
related to their exposure to historical liabilities. These liabilities
arise from previous activities of an organization, or acquired parts
of the organization that were purchased together with their
historical liabilities.

Control of infrastructure risks
Health and safety at work
• The health and safety risks faced by an organization include
prosecution by a regulatory authority, being sued by an injured
employee and disruption caused by accidents and dangerous
occurrences.

Control of infrastructure risks
Detailed guidance is available on the management of specific health
and safety risks, including:
• dangerous machinery;
• pressure systems;
• noise and vibration;
• electrical safety;
• hazardous substances;
• lifting and manual handling;
• slips, trips and falls;
• display screen equipment;
• human factors and repetitive strain injury;
• radiation;
• vehicles and driving risks;
• fire safety;
• stress at work.
Control of infrastructure risks
Property fire protection
Most fires at work are caused by one or more of the following:
• electrical hazards;
• hot work;
• machinery;
• smoking materials;
• flammable liquids;
• bad housekeeping;
• arson.

Control of infrastructure risks
IT security
The consequences of IT failure can include:
• loss of business or customers;
• loss of credibility or goodwill;
• cash-flow problems;
• reduced quality of service;
• inability to pay staff;
• backlog of work or loss of production;
• loss of data;
• financial loss;
• loss of customer account information;
• loss of financial controls.
Control of infrastructure risks
HR risks
• employee engagement and termination;
• legislative and regulatory compliance;
• recruitment, retention and skills availability;
• pension arrangements;
• performance and absence management;
• health and safety.

Control of reputational risks
Brand protection
Damage to brand can occur for a number of reasons,
including:
• changes in government policy;
• changes in the marketplace;
• new entrants into the marketplace;
• price and specification competition;
• counterfeiting and fake goods;
• inappropriate franchisee behavior;
• failure of sponsor or joint-venture partner.
Control of reputational risks
Environment
Evaluate the following issues:
• What impacts to the environment may occur?
• How harmful are these impacts to the environment?
• How likely is it that these impacts will occur?
• How frequently and where will these impacts occur?

Control of marketplace risks
Technology developments
• One of the main challenges facing organizations is
keeping up with customer expectations and demands.
• This challenge is made more difficult by continuing
developments in technology.
• Organizations supplying consumer goods that are
technology-based face a continuous challenge, which
can be turned into a continuous set of opportunities.

Control of marketplace risks
Regulatory risks
• Compliance may appear to be a relatively
straightforward issue, but there are often complexities
associated with the potential for changes to
regulations, changes in the regulatory environment
and different regulatory requirements in different
territories.

Learning from controls