99

08 The context for ERM

Changing face of risk management
As with any management initiative that becomes embedded within the way the organization operates, a successful risk initiative should develop and become more sophisticated over time. Developments in the discipline of risk management, especially during the past 10 years, have been dramatic; technology has enabled better reporting, recording, analysis and quantification of risk. Regulation, which has forced some sectors to introduce new risk techniques such as enhanced accountability, could be said to have ‘seeped’ into other sectors, in particular for listed companies, and has driven the requirement for more extensive risk management reporting and transparency. In the UK, the Wates principles require boards to have a clear understanding of the views of shareholders, including those with a minority interest; larger companies must report on their stakeholders.
The universally accepted terminology for the broad application of risk management
across the whole organization is enterprise risk management. Similarly, operational
risk management (ORM) has been established and developed very substantially. The
risk management discipline as a whole continues to develop and derive opportunity
from newly available techniques, brought about by enhanced availability of data
sources and rapidly advanced processing power.
There is a need for the continued education and training of boards and senior
members of those boards to maintain knowledge of the changing basis on which risk
management analysis and advice is offered. Without ‘laying the groundwork’, the risk management department could stand accused of changing the nature of the risk management process and of sowing confusion and a lack of interest amongst the senior board members.

Lessons from the past: Financial and health crises

Any review of the changing face of risk management has to acknowledge two global crises: the Covid-19 pandemic originating in China in 2019 and the global financial crisis (GFC) of 2008/9. These global events have similarities but can also show us how the risk management practice has developed over the intervening years.
The argument might be offered that risk management failed to adequately prevent
the financial crisis and also failed to mitigate the effect of the pandemic. In some
circles a cynicism may have arisen as to the application of ERM processes, and the
risk manager needs to be aware of evidence to rebut these ideas and to argue their
case for resources.
Firstly, as to risk identification, both Covid-19 and the GFC were foreseen events.
For example, the warning from Mr Moore to HBOS (in Chapter 3) was not the only
counsel to go unheeded in the financial services sector prior to 2008. The probability
of a pandemic had been identified as a likely global risk event, and indeed it had been
foreshadowed by the SARS, Ebola, and Zika viruses. Risk management responses
had been applied to the extent that the USA set up the Directorate of Global Health
Security and Biodefense (DGHSB) in 2016 specifically to respond to these events.
The UK had run Exercise Cygnus in 2017 to identify any weaknesses in their health
preparedness for similar events.
Secondly, in terms of actions to limit loss (the inherent and residual risk), it is instructive to note how these events were handled differently in different regions. For Covid-19 in particular, some countries took little coherent action, Brazil being a case in point, which may be our best example of an inherent risk without any control measures. In the East, governments had experience of health crises (for example, SARS) and had better-developed and recently deployed systems to use to protect their citizens. Here we might see a target risk after control measures taking place.
There had also been a banking crisis, ‘the Asian contagion’ in 1997, which meant action was taken swiftly to provide liquidity in Asian economies, which was not replicated in the West. Whilst interconnectedness meant Covid-19 and the GFC impacted both regions, the East could be said to have mitigated the effects of both better than the West.
Lastly, both events can provide learning points for the impact of timely actions. During the GFC, governments acted quickly and in a co-ordinated fashion to provide immediate relief, albeit that the West required this to a greater extent. Regulators followed with new rules on capital building and management behaviour.
In the aftermath of Covid-19 lessons will be learnt, but it could be said that most
governments acted quickly and science resources were co-ordinated to speed vaccine
development. The country with the highest health spend and seemingly best prepared
to provide mitigating actions, the USA, failed to act in a concerted fashion, with the
resultant negative impact on its citizens. In the UK the government failed to take the
threat seriously at an early stage, was consistently poor in implementing actions in a
timely manner, and has been said to have repeated the same mistakes time after time.
For the risk management profession there are lessons on how risk management was deployed. In the GFC the example from HBOS in Chapter 3 is clear that technically qualified risk managers are important. In respect of Covid-19 the USA would undoubtedly have been better off if they had not dismantled the DGHSB in 2018 for political reasons. Both of these examples indicate that risk management messages are sometimes disregarded with calamitous consequences. Senior risk managers need to provide compelling evidence and argument to enable the deployment of effective and well-resourced risk management practices, and sometimes need to show courage to make sure their messages are heard.

The power of taking risks

It is undoubtedly the case that taking too much risk may be inappropriate and can result in the failure of the whole organization. However, for many organizations, losses caused by aggressive risk taking are survivable. Understanding the level of risk embedded in an organization should not put a stop to all bold strategic decisions. Risk awareness should not prevent an organization embarking on a high-risk strategy, but should enable decisions to be taken on an informed basis.
Organizations should continue to look for opportunities and, from time to time,
acknowledge that there is a good opportunity that is high risk. The organization can
still embark on that strategy, but should understand how to manage the risks so as
to remain within appetite, and measure the risks so that the board is aware of the
actual exposure.
Figure 26.1 illustrates where an organization’s risk appetite and capacity might fall within a risk matrix. If the organization is risk aggressive and operates in the ‘critical zone’ identified in Figure 26.1 they should identify ways to increase their risk capacity in that specific instance, or stand accused of being reckless rather than risky. For example, risk may be transferred through contractual means, diminished by establishing a joint venture or through financial means such as insurance. The board will need to revisit risk assessments, challenge the scope and results of risk analysis activities, and ensure that a highly dynamic approach to risk management is maintained at all times and at all levels in the organization.
As a general principle, a risk matrix helps to prioritize risks and show which are considered the most significant. It should be noted that risk appetite and capacity can change over time so that at some point risks in the comfort zone might subsequently fall outside of appetite.

Managing emerging risks

All organizations are concerned about changes in the external and internal context that give rise to new challenges. These changes can be considered to be the emerging risks facing the organization. The International Risk Governance Council defines these risks as:

a risk that is new, or a familiar risk in a new or unfamiliar context or under new context
conditions (re-emerging). Emerging risks are issues that are perceived to be potentially
significant but which may not be fully understood and assessed, thus not allowing risk
management options to be developed with confidence.1

Consideration of these risks can be difficult unless the organization clearly understands the nature of the emerging risks that it faces. Following the above definition, emerging risks can be divided into three categories:

● new risks that have emerged in the external environment, but are associated with the existing strategy of the organization – new risks in a known context;
● existing risks that were already known to the organization, but have developed or changed circumstances have triggered the risk – known risks in a new context;
● risks that were not previously faced by the organization, because the risks are associated with changed core processes – new risks in a new context. This last category is where the risk manager will have the least confidence and will need to actively seek further information.

The level of risk faced by organizations is constantly shifting, caused by increased interconnectedness, new technology and increasingly complex supply chains. Some of these increasing risks will be under the control of the organization itself but many emerging risks will not be within the control of an individual organization, including:

● government direction;
● climate change;
● sovereign debt;
● national security;
● changing demographics.

When seeking to manage these changes in context, an organization should evaluate whether the risks are to be treated as hazard, control or opportunity risks. Depending on the activities of the organization, many of these emerging risks may simply be threats to the organization or represent opportunities for future development. In some cases, the emerging risks will simply represent additional uncertainties that need to be managed.
An important consideration when thinking about emerging risks is the speed at
which they can become significant. Some risk management practitioners refer to the
speed of development and change of risks as the risk velocity.
A good example of emerging risk is nanotechnology.
The risks of nanotechnology

Nanotechnology is used extensively in the medical and, to some extent, cosmetics industry to improve the effectiveness of cosmetic treatment of skin conditions. Whether any long-term risks will emerge from the use of nanotechnology has not yet been fully established. As nanotechnology is an emerging field, there is great debate regarding the extent that it will benefit or pose risks for human health. Nanotechnology’s health impact can be split into two aspects: the potential for medical applications to cure disease, and the potential health hazards posed by exposure to nano-materials.
The extremely small size of nano-materials means that they are much more readily taken up by the human body than larger-sized particles. How these nano-particles behave inside the organism is not fully resolved and cannot be without being applied at some scale. Health and environmental issues combine in the workplace of companies engaged in producing or using nano-materials and in the laboratories engaged in nano-science and nanotechnology research.

Increasing importance of resilience

In recent years, there has been an increasing interest in the topic of resilience. Governments and local or municipal authorities recognized during the 1990s and 2000s that society in general, and communities in particular, had to become more resilient to cope with civil emergencies, as well as natural catastrophes such as earthquakes and extreme weather events. Although the initial concern with resilience may have started with the consideration of how to respond to wide area events, broader concerns have developed.
The increasing awareness and concern in relation to resilience was demonstrated by the replacement of the 2006 British Standard BS 25999-1:2006 Business Continuity Management: Code of practice with ISO 22301. Standards for these areas are set out in ISO 22316:2017 Security and Resilience: Organizational resilience — Principles and attributes. Chapter 19 discusses resilience in greater detail.
This ASIS standard takes an enterprise-wide view of risk management, enabling an organization to develop a comprehensive strategy to prevent when possible, prepare for, mitigate, respond to, and recover from a disruptive incident. This allows integration with ISO 31000. It is also compatible with existing ISO management system standards (such as ISO 9001, ISO 14001, ISO 27001 and ISO 28000). The overall approach is that a resilient organization needs to ‘prevent, protect and prepare’ in relation to resources and assets, and at the same time be able to ‘respond, recover and review’ when a crisis occurs.
When seeking to make an organization more resilient, it is essential to have a definition of the desired state of resilience that is being sought. It has been defined as the ‘ability to absorb and adapt in a changing environment’. This is a useful definition, but resilience is often associated with crisis management, and this definition does not explicitly address the behaviour of an organization during a crisis. Perhaps a better definition would be the ‘capacity of an organization to consistently achieve a desired state following a change in circumstances’. This definition is more inclusive of the management of a crisis, as well as the ability to successfully respond to less dramatic or disruptive events.
The emergence of resilience is an opportunity for risk management and business continuity management specialists to work more closely together to ensure a more co-ordinated approach to enterprise risk management, emergency management, crisis management, disaster management and business recovery. There are three behaviours that should be achieved by an organization if it is to achieve increased resilience:

● awareness of changes in the external, internal and risk management environments, so that constant attention to resilience is ensured;
● ‘prevent, protect and prepare’ in relation to all types of resources, including assets, networks, relationships and intellectual property;
● ‘respond, recover and review’ in relation to disruptive events, including the ability to respond rapidly, review lessons learnt and adapt.

As the increasing importance of resilience is recognized, advice on achieving resilience is becoming more widespread.

Note
1 IRG (2019) Governance of emerging risks, https://irgc.org/risk-governance/emerging-risk
(archived at https://perma.cc/XTE9-GV7T)
09 Setting objectives for ERM

Setting objectives for the ERM approach is intrinsically associated with the objectives for the organization as a whole. Making sure that the ERM objectives are aligned with the organization’s objectives is therefore critical if the ERM approach is to be embedded correctly.
In terms of the risks to be managed, Figure 1.2 showed where risks attach in terms of the mission of the organization and flowing down from the strategic plan. Here it could be considered that certain risks ‘attached’ to aspects of the business in terms of key dependencies, core processes, stakeholder expectations or, finally, corporate objectives. It can be seen therefore that both the risk management process and the identification of the risks themselves are intimately related to the objectives of the organization.
Therefore, a clear understanding of the organization’s objectives is critical. Any
misalignment of these objectives could be a risk in itself, as this could mean the risk
management activity may support incorrect, unclear or vague objectives, leading to
excellent risk management but of the wrong risks. In this section we consider the
aspect of risks attaching to the objectives of the organization.

Risk management standards and objectives

The various risk management standards that have been discussed all consider objective setting to be important. Both COSO and ISO have statements that are concerned with objective setting.
In 2004 COSO issued its ‘cube’ (see Figure 4.3), which has objective setting in the
second row after the internal environment. The text states that ‘the board should set
objectives that support the mission of the organization that are consistent with its
risk appetite.’ If the board is to set objectives effectively, it needs to be aware of the
risks arising if different objectives are pursued.
The COSO framework was supplemented in 2017 with the rainbow double helix, which states: ‘Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.’ It further states that ‘There is a direct relationship between objectives, which are what an entity strives to achieve, and enterprise risk management components, which represent what is needed to achieve them’.1

Strategy and objectives in standards

It can be seen by considering these standards that ERM, strategy and objective-setting are closely aligned and need to be integrated to work together in the strategic planning process. The ERM approach should ensure that the organization takes into account its risk appetite when framing its strategy. The strategy will in turn enable objectives to be designed and implemented and these objectives in turn will serve as a basis for identifying, assessing and responding to risk.
Again, in COSO 2017 the Executive Summary states, ‘Enterprise risk management is as much about understanding the implications from the strategy and the possibility of strategy not aligning as it is about managing risks to set objectives’. Overall, therefore, the strategy is paramount: the ERM approach will inform strategy but strategy must come first. Whilst easily said, this can still be challenging for the risk management practitioner for the following reasons.
Firstly, we should assume the organization has a consistent mission which is
agreed upon by all senior management. From this it will be necessary to choose a
range of suitable objectives that support the mission. This can be more challenging
and will require consensus between senior management and the various stakeholders
whose expectations need to be met. At this stage risk appetite will be an important
factor in both making the choice of strategy and communicating that strategy to
stakeholders.
Secondly, strategy does not exist in isolation: it will have been set according to the context of the organization at a point in time. That context will change, either gradually or through some form of disruptive activity caused by events such as technology failure. So, there will need to be a review of strategy at appropriate intervals, at which point it will be necessary to update and align the ERM approach to any newly aligned strategy.
Thirdly, in some organizations, and particularly large, geographically dispersed
organizations, there may be different interpretations of the mission, and from that
there may be a difference in the implementation of the strategy. This is where the
culture of the organization will play a part and, as Peter Drucker the management
educator said, ‘culture eats strategy for breakfast’! By this he was meaning that the
organization’s culture is the dominant factor in its success and is clearly critical in
terms of an agreed interpretation of the mission.
Fourthly, and linked to both the cultural issue discussed above and the requirement for consensus amongst management to the strategy, there is a need for the strategy to be accepted by all. There will be different agendas amongst management who have to deliver on the objectives that have been set and it will be important that those ‘informal’ objectives are aligned as far as possible to the formal objectives of the organization. Where they are not it can become toxic for an organization and at the extreme may need some ‘fresh thinking’ to deliver the objectives.
Lastly, it is important that the ERM approach does not overwhelm the setting of strategy, and therefore objectives. If ERM plays too great a role in the activity it may lead to the organization becoming overly risk averse and reducing its exposure to risk by being less ambitious in its strategy and setting too easily achievable targets.

Implementing objectives

The objectives once agreed will need to be cascaded in some form from the centre to each division or business unit that delivers the output of the organization and from there to each team or individual. It will be necessary to set some form of time period within which the objectives are to be achieved, and this should also be communicated at the organizational, divisional and team or individual level. Typically, organizations will seek to implement objectives over a one- to three-year time horizon depending upon complexity. That time period will shorten as objectives are cascaded downwards, as shown in Figure 9.1.
Along with the time period in which to achieve objectives, it is important that there is a way of determining whether an objective has been achieved, and if so by how much. In other words, its realization must be measurable in some way. This may be challenging in an ERM setting where the ERM practitioner is being set objectives and at a strategic level the objective is to reduce risk.
From the tactical level this may be translated into quantitative terms in order to provide a measurability. This may not be available for all objectives, however, and more qualitative aspects of reducing risk may have objectives set around specific tasks to accomplish in a set period. For example, improving culture as a strategic objective may be translated to tactics such as running training or workshops. Measurability may be provided by some form of feedback scores from attendees. Care needs to be taken in more qualitative areas as they can provide an opportunity for ‘gaming’ the system by that individual, which would not achieve the stated intention of reducing risk.
Figure 9.1  Three levels of objective setting

External analysis and internal analysis feed the organizational mission.
Organizational mission, followed by consensus forming amongst management and stakeholders, produces the strategic objectives.

Level 1: Strategic      Strategic objectives                                1–3 years
                        (alignment required; delegation process to Level 2)
Level 2: Tactical       Tactical objectives, division or department         Typically annual
                        (alignment required; delegation process to Level 3)
Level 3: Operational    Operational objectives, team or personal            One year or shorter

Alignment between the levels is informed by the ERM approach.

Objectives need to be set in reality and with sufficient resources available to achieve
them. And, finally, there must be a specific outcome to be achieved. The objectives
will need to meet the SMART test as shown here. SMART objectives are:

Specific
Measurable
Achievable
Realistic and resourced
Time limited

Aligning objectives to risk management principles

In Figure 9.1 it is noted that there needs to be alignment between each level of objec-
tive and the risk management perspective. This is because objectives are delivered by
individuals, and different individuals respond to different criteria. There needs to be
alignment between the longer- and shorter-term objectives, and between individual
actions and organizational outcomes.
For example, how staff are rewarded according to the achievement of their objectives can have a significant effect on risk culture. Rewards that provide immediate and large bonus payments for the achievement of short-term gains may promote a culture of excessive risk taking, for instance by the aggressive selling tactics of banks prior to the global financial crisis. It was for this reason that ‘clawbacks’ were introduced to many financial services bonus arrangements in order to promote a longer-term perspective on risk taking. These clawbacks allow an organization to recover some element of previously paid bonuses should outcomes change over the longer term.
The Institute of Operational Risk recommends that ‘relevant professionals, from the operational risk function and the HR function, should be consulted about the organization’s performance management and appraisal strategy to ensure that it promotes an appropriate risk culture’.2 They recommend, for example, that to help promote an appropriate risk culture, rewards are based on longer-term performance criteria such as customer satisfaction and retention, or profits over periods longer than one year, and that appraisals should reflect concern for operational risk and its management, as well as profit and sales growth.

Notes
1 COSO (2017) Enterprise Risk Management: Integrating with strategy and performance,
www.coso.org/documents/2017-coso-erm-integrating-with-strategy-and-performance-
executive-summary.pdf (archived at https://perma.cc/DV2C-EDT5)
2 Institute of Operational Risk (2021) Sound practice guidance, www.ior-institute.org/
sound-practice-guidance (archived at https://perma.cc/RT4C-WX6K)
