
Good Governance
A risk-based management systems approach to internal control

David Smith and Robert Politowski, iMS Risk Solutions Ltd


First published in the UK in 2000
Second edition published in the UK in 2008

by
BSI
389 Chiswick High Road
London W4 4AL

© British Standards Institution 2000, 2008

All rights reserved. Except as permitted under the Copyright, Designs and Patents Act 1988, no
part of this publication may be reproduced, stored in a retrieval system or transmitted in any form
or by any means – electronic, photocopying, recording or otherwise – without prior permission in
writing from the publisher.

Whilst every care has been taken in developing and compiling this publication, BSI accepts no
liability for any loss or damage caused, arising directly or indirectly in connection with reliance on
its contents, except to the extent that such liability may not be excluded in law.

The right of iMS Risk Solutions to be identified as the authors of this Work has been asserted by
them in accordance with sections 77 and 78 of the Copyright, Designs and Patents Act 1988.

Typeset in Frutiger by Monolith – http://www.monolith.uk.com


Printed in Great Britain by The MFK Group, Stevenage

British Library Cataloguing in Publication Data


A catalogue record for this book is available from the British Library

ISBN 978-0-580-64313-2


Contents

Foreword  iv
Acknowledgements  iv
1. Introduction  1
2. Scope and definitions  7
3. Risk management system  9
4. Implementation of a risk management system  15
5. Other management processes  34
6. Self-assessment questionnaire  35
Appendix A. Summary of risk management tools  38
Appendix B. Comparative table – common elements of quality, environmental and OH&S Systems with PAS 99  40
Appendix C. References and further reading  42

Foreword
This is a guide to how organizations can identify and manage their risks for good governance.
Since the publication of PD 6668:2000, Managing Risk for Corporate Governance , upon which
this book is based, there is a greater appreciation of the importance of risk management in
organizations and society at large. All organizations take risks but as the ‘credit crunch’ of
2008 showed, these risks need to be balanced. They also need to recognize and manage those
risks which, if realized, could prejudice the sustainability of the organization. The principles
apply to organizations worldwide, in the private or public sectors, NGOs, as well as not-for-profit
organizations. This book outlines a management framework for identifying the risks
and opportunities, determining the extent of the risks, implementing and maintaining control
measures and reporting on the organization’s commitment to this process.
There have been a number of developments in the international and national management
standards field since PD 6668 was published in 2000. These developments, including those on
risk management (2008), occupational health and safety (2007), environmental management
(2004) and sustainable development (2006), can help organizations with internal control for
good governance. Although the principles in many of these documents are similar they do not
use the same approach. This is unfortunate as there is an increasing demand for an integrated
approach. An integrated approach that was developed in 2006 was PAS 99, Specification of
common management system requirements as a framework for integration. The framework used
in this book has elements in common with PAS 99 and helps support the holistic approach to risk
management for internal control and good governance.

Acknowledgements
The authors would like to thank Chris Millidge for his help in drafting this document and Michael
Faber for reviewing it for us and his helpful suggestions.

A risk-averse business culture is no business culture at all.
(Blair, 2005)
1. Introduction
This book provides guidance for organizations that wish to develop a framework for
managing risk for good governance. Research by analysts demonstrates the positive
link between good governance and organizational performance. In a recent study, the
Association of British Insurers – major investors in public companies in the UK – found
that ‘well-governed companies will produce better returns for shareholders over time’
(Association of British Insurers, 2008).
It is clear that well-managed organizations generally, whether in the public or private
sector, are far more likely to satisfy stakeholders. The focus of this publication is about
managing those risks for the sustainable operation of organizations using a management
systems standard approach.
In this introductory chapter the background to governance and the organizations to
which the approach is applicable are briefly reviewed. The chapter explains why the
approach adopted is generally applicable and consistent with international management
systems standards.

Background
The term ‘corporate governance’ came into general use following a number of major
scandals and corporate failures in the late 1980s and early 1990s, and in the UK became
enshrined in the report from the Committee on the Financial Aspects of Corporate
Governance (the Cadbury Committee): ‘Corporate governance is the system by which
companies are directed and controlled’ (Cadbury et al, 1 992).
Such failures have occurred throughout the world and continue to occur, such as the crisis
facing the global banking industry in 2008. The impact of these worldwide corporate
failures had the potential to be of such a magnitude that there was the danger that the
whole structure of the means of financing corporations might become threatened. The
essence of the limited liability company is that external investors are willing to become
shareholders, in the confidence that their interests will be safeguarded. Shareholders
accept that not all investments will prove rewarding, but they are entitled to assume
that there will be no mismanagement on the part of the directors and managers who
are in day-to-day control of the corporation. If they cannot be confident that this is the
case they will be unwilling to invest, and the basis of modern commercial activity will
be under threat. Whilst an individual shareholder might have been willing to accept the
risk, major investors such as insurance companies or pension funds began to demand
that to safeguard the interests of their clients, there should be greater regulation of the
behaviour of joint stock companies.
In 1999 the Organisation for Economic Co-operation and Development (OECD) produced a
definition of corporate governance and a set of principles. These principles were revised in
2004 and at a high level comprise the following requirements of a corporate governance
framework (Organisation for Economic Co-operation and Development, 2004a). It should:

1. ‘… promote transparent and efficient markets, be consistent with the rule of law and clearly
articulate the division of responsibilities among different supervisory, regulatory and
enforcement authorities…’;
2. ‘… protect and facilitate the exercise of shareholders’ rights…’;
3. ‘… ensure the equitable treatment of all shareholders, including minority and foreign
shareholders. All shareholders should have the opportunity to obtain effective redress for
violation of their rights…’;
4. ‘… recognise the rights of stakeholders established by law or through mutual agreements
and encourage active co-operation between corporations and stakeholders in creating wealth,
jobs, and the sustainability of financially sound enterprises…’;
5. ‘… ensure that timely and accurate disclosure is made on all material matters regarding the
corporation, including the financial situation, performance, ownership, and governance of the
company…’;
6. ‘… ensure the strategic guidance of the company, the effective monitoring of management
by the board, and the board’s accountability to the company and the shareholders…’

There are a number of sub-clauses to each of the main principles that cover specific areas.
There have been further definitions of governance and legislative powers in many countries
around the world. These range from the voluntary code of practice approach as seen in the UK
to the more prescriptive Sarbanes-Oxley Act (United States of America, 2002) – a response from
legislators in the US to high-profile failures such as Enron and WorldCom.
Organization-wide risk management and internal control are important for the successful
running of any business and should remain relevant over time in the continually evolving global
business environment. The OECD principles specifically highlight board responsibility:

Ensuring the integrity of the corporation’s accounting and financial reporting systems,
including the independent audit, and that appropriate systems of control are in place, in
particular, systems for risk management, financial and operational control, and compliance
with the law and relevant standards.
(OECD Principle VI.D.7)

This has led to the formal consideration of risk and the identification of it as a ‘separate’
aspect that can benefit from specific management arrangements. That is not to say that
organizations have not previously recognized these risks, but simply that a formal and
structured approach had not been a feature in many organizations.
The characteristics of many successful organizations tend to reflect an attitude and culture of
identifying opportunities, recognizing the risks and managing them appropriately. There are
upsides and downsides to the risks that come with every opportunity and it is necessary to
select the right balance. Organizations that are risk averse are unlikely to thrive in the long
term because of continual change in the marketplace and social expectations.

Application of this approach
All organizations need to display good governance, whether they are corporate bodies, private
entities, public bodies or charities.
In an increasingly complex world where stakeholders play an ever more important role there is
the expectation of good governance and transparency. There are a variety of characteristics of
good governance including promoting values in the organization, focusing on the purpose of
the organization, effective performance, engagement with stakeholders and, most significantly
from the perspective of this book, the management of risk.

Many organizations need to manage a whole host of risks, for example:

— corporate organizations operate in an increasingly complex world with global impacts,
international supply chains and informed public opinion expressing concern about social
responsibility;
— public bodies have to determine the benefits of new technology against the risk of data loss;
— charitable bodies have to balance the risks of supporting international disasters against the
risks faced by their workers and donors’ concerns about misuse of aid;
— public bodies have similar accountabilities to their ‘shareholders’ – often taxpayers;
— charitable concerns need to assure their ‘investors’ that their donations are being applied to
the purpose for which they were intended.

The principles of good governance equally apply to public bodies, charities, voluntary
bodies, etc. There is a need for good governance of public bodies to reflect the need to
ensure value for money, transparent decision making and reporting, proper codes of
conduct, accountability and so on.
Despite the difference between the public and private sectors it is essential that people
know for what they are responsible, and for what they are accountable.
There is also a drive for the public sector to be more creative and prepared to take more
calculated business risks in order to deliver the best possible services to the public. The
public and private sectors differ in this respect. The public sector needs good governance
to enable it to take certain calculated risks, whilst the private sector needs good
governance in order to manage the risks that are taken in everyday business. One way of
expressing the relationship between threat and opportunity can be seen in Figure 1.1.

[Figure 1.1 — Relationship between threat and opportunity (Source: BS 6079-3:2000)]
Combined or individual risk:
  Effect of threat                    Importance of opportunity
  Unacceptable                        Critical
  Acceptable if worthwhile            Desirable
  Insignificant/broadly acceptable    Negligible

Public bodies need to direct and control their functions and nowhere can this be more
clearly demonstrated than in local government. Local government bodies have a real
need to relate to their communities in a similar manner to corporate bodies, and to
demonstrate continuous improvement and value for money through outward-looking,
accountable and responsive services.


Risk management and internal control should be included in all dimensions of public
bodies such as:

— making public statements to stakeholders on the risk management strategy, process and
framework, demonstrating accountability;
— the capability and capacity within the organization;
— mechanisms for monitoring and reviewing effectiveness against agreed standards;
— robust systems for identifying, profiling, controlling and monitoring all significant strategic,
programme, project and operational risks;
— providing openness by involving all those associated with planning and delivering services,
including partners.

All the above issues are equally applicable to charities, clubs, societies and associations.
Large charitable concerns rely heavily on public donations to support their activities
internationally.
There is clear recognition amongst boards of directors and investors – mostly those in the
professional investment market – that there is a link between good corporate governance
and organizational performance that is valued by stakeholders. There are a number of
international ratings organizations that focus research on the development of scoring
systems for ranking governance performance. This research is often used by professional
investors to assist in making informed decisions to formulate an overall investment
strategy, as a screening tool for analysts and portfolio managers and to adjust for
governance risk when assessing credit risk, etc.
Additionally, companies themselves are beginning to use similar ranking research to help
in their decision making, to reduce the chance of being targeted for shareholder action, to
increase market trust in reported earnings, as a support in seeking lower borrowing costs,
and in attracting highly qualified and experienced directors who can add value to the
organization and achieve a higher market capitalization.

A management systems approach
Good risk management is an essential element of good governance and it is against
this background that this publication focuses on a risk management framework to help
organizations in applying the principles of risk management throughout the whole
organization from the lowest operating levels to the board of directors.
It is clearly important that all aspects of corporate governance are managed in a holistic
manner. This book focuses specifically on the important management of risk and the
development of effective internal control mechanisms: Clause C.2 of The Combined
Code on Corporate Governance (Financial Reporting Council, 2008) as expanded upon
from Internal Control – Revised Guidance for Directors on the Combined Code (Financial
Reporting Council, 2005).
Chapter 2 provides details of the scope and definitions used. A more detailed description
of an approach to managing risks is given in Chapter 3, which lays out a framework of the
issues that should be addressed and follows a Plan, Do, Check, Act (PDCA) approach that
is consistent with international management systems standards. This approach is based on
the model given in PAS 99:2006 (The requirements included in section 4 of the PAS can be
used as a specification against which organizations can be assessed by changing the word
‘should’ to ‘shall’.). Appendix B details the correspondence between this publication and
the requirements of standards on quality, environment, health and safety and information
security, by way of example.


Chapters 4 and 5 contain a practical guide to delivering business requirements with respect to
risk management for good governance. Chapter 6 provides a questionnaire to enable
organizations to carry out a self-assessment of their systems for governance.
A good management system will enable identification of risks, their management and help in
any disclosure requirements for stakeholders. The aspect of disclosure is specifically highlighted
in the OECD principles for governance, which additionally call for inclusion of material
information on ‘Foreseeable risk factors’ (Principle V.A.6).

[Figure 1.2 — Three key components for delivering effective corporate governance: Assessment
of corporate risk; Enabling organizational culture; Effective management systems]

Figure 1.2 shows a simple model of the interrelationship of the three main components of a
risk management system for good governance. It is essential that the risks are identified and
understood and decisions taken on how they will be managed.
A key feature of a management systems approach is identification of objectives and a
programme for delivering the defined objectives. Many international management systems
standards have differing approaches; PAS 99 provides a common approach for managing
business risk requirements in an integrated manner. Many organizations already have
management systems in place; meeting the requirements of these international standards and
the approach builds upon these to ensure the benefits of existing systems can be utilized,
eliminating redundancy and increasing efficiency. However, good internal control and risk
management systems will not succeed in delivering the organizational objectives unless the
arrangements are embedded within the organization and individuals are committed to
delivering their objectives – ‘there has to be something in the lifeblood of the organization that
persuades its people to do extraordinary things for it as well as for themselves’ (Hillson, 2007).

Failure to identify risk of data loss
A government department was seeking to transfer personal data to another department in a
short space of time. Effective procedures were in existence but the time and cost of removing
the sensitive elements of the data was considered too great. As a result, when the data was
lost in transit the personal details of many millions of people were lost. The loss of this
information has had many repercussions:
• loss of confidence by the public in government departments handling confidential personal
information;
• individuals whose details have been compromised;
• a possibility for fraudulent activity through the use of this information remains for many
years to come.

Charity and aid
Charity A was challenged by a government department that had made a grant for an aid
project. The charity was asked to demonstrate that its governance procedures were effective in
the delivery of aid as news media reports suggested that those supposedly receiving the aid
had made claims that it was inappropriate for their needs and some had fallen into the wrong
hands. This threatened to become a scandal and affect not only funding from government but
also the many donations from members of the public who regularly made a significant
contribution to overall funds. The need for an effective control framework and monitoring and
auditing became obvious.

Financial turmoil
The turmoil in the financial markets in 2007 was a good example of the consequences of failing
to recognize and manage risks. The failure of ‘sub-prime’ home loans in America led to failures
in local banks. What would have been a local problem became international because large
numbers of these sub-prime loans had been packaged up and sold to institutions around the
world. The realization by investors that they had misjudged the risk of US mortgage borrowers
led to a conclusion that risk had been underestimated in all kinds of debt markets, and banks
were left with large amounts of unsellable debt. In the UK, mortgage lenders who were used to
being able to borrow money when needed suddenly found that banks were no longer willing to
provide the loans. A regional mortgage lender had grown substantially using wholesale money
market borrowing which it was able to secure on very advantageous rates. The change in
international money markets led to exposure to a shortfall in funding. Assessment of the risk
and control of growth together with contingency arrangements should have prevented the
collapse of the bank.

2. Scope and definitions

Scope
The guidance given in this book outlines how an organization can implement effective
arrangements for managing risk, to ensure that it meets its corporate governance needs.
A PDCA framework is used, which is consistent with the approach in management systems
standards produced by the International Organization for Standardization (ISO).
This guidance is applicable to any organization that wishes to:
— establish arrangements at top management level to identify, manage and mitigate risks;
— implement, maintain and continually improve its management of risks in a manner which is
consistent with its policy;
— assure itself of conformance with this policy;
— make a self-determination and self-declaration of its performance on an annual basis.
There are a number of documents an organization may wish to refer to for further guidance
within its particular country, sectors, etc; some are included in Appendix B.

Definitions
acceptable risk: risk at a level that can be tolerated by the organization

audit: systematic, independent process for obtaining audit evidence and evaluating it
objectively to determine the extent to which the audit criteria are fulfilled

management system: part of the overall management that includes organizational structure,
planning activities, responsibilities, practices, procedures, processes and resources for
developing, implementing, achieving, reviewing and maintaining the organization’s policy

nonconformity: non-fulfilment of a requirement
Note: a nonconformity can be any deviation from relevant work standards, practices, procedures,
legal requirements, etc. (see BS EN ISO 9000:2005, 3.6.2 and BS EN ISO 14001:2004, 3.15).

organization: company, corporation, firm, enterprise, authority or institution, or part or
combination thereof, whether incorporated or not, public or private, that has its own functions
and administration
Note: for organizations with more than one operating unit, a single operating unit may be defined
as an organization (see BS EN ISO 14001:2004, 3.16).

risk: effect of uncertainty on objectives
Note 1: an effect is a deviation from the expected – positive and/or negative.
Note 2: objectives can have different aspects, such as financial, health and safety, and
environmental goals, and can apply at different levels, such as strategic, programme, project
and operational.
Note 3: risk is often characterized by reference to potential events, consequences or a
combination of these and how they can affect the achievement of objectives.
Note 4: risk is often expressed in terms of a combination of the consequences of an event or a
change in circumstances, and the associated likelihood of occurrence (see BS 31100 (DPC) 2008).

top management: person or group of people who directs and controls an organization at the
highest level (see BS EN ISO 9000:2005, 3.2.7)

3. Risk management system

3.1 General requirements
An organization’s top management should commit to establishing arrangements that will
ensure that its risks are identified and effectively managed. It should establish a system that
operates throughout the organization encompassing all the organization’s activities.
Specifically the system should:
— have a defined scope;
— be documented, implemented, maintained, reviewed periodically for effectiveness and
continually improved;
— ensure the availability of appropriate resources and communication of information to
support it.

3.2 Policy
The top management in the organization should demonstrate commitment and develop a
policy to focus on managing risk for corporate governance. This should lead to specific policies
and arrangements to deal with specific risks. The corporate governance policy should reflect
the commitment of the organization to its stakeholders. It should promote a positive culture
within the organization for managing risk for good governance.
Specifically the policy should:
— reflect the nature and size of the organization, its activities, products and services, its
position in the marketplace and the risks that it faces;
— commit to developing a culture to control risk;
— be communicated to all appropriate persons/organizations working for or on behalf of the
organization;
— commit to comply with all relevant legal requirements, codes of practice and other
requirements to which the organization subscribes;
— commit to ensuring that management competence is established to mitigate risks;
— commit to involving employees in identifying risks and their suggestions on the most
effective methods of management;
— commit to internal control audits to verify the arrangements;
— commit to reviewing regularly the business risks faced by the organization to ensure that
the arrangements are effective with a view to continual improvement;
— commit to reporting at least annually to stakeholders as appropriate.

3.3 Planning for risk management

Risk identification, assessment and control
The organization should establish a process for identifying those risks to the business that may
impact upon organizational objectives, assessing their impact and applying controls where
necessary.


Risk identification
The process should consider, amongst other things, the risks (including opportunities) that
arise from:
— day-to-day operations;
— market developments;
— political changes;
— natural disasters;
— socio-economic changes;
— technical developments.

Risk analysis and evaluation
A process should be established for risk assessment that takes account of:
— exposure to the risk (on a scale of rare to continuous);
— probability, taking into account the management controls in place;
— impact, should the risk be realized.

Deciding how the risks are to be managed
Each identified risk should be considered and decisions made to:
— accept – no action;
— avoid – avoid activities that give rise to the risk;
— adopt – adopt measures for containment and/or mitigation;
— change – change the nature, magnitude or consequences;
— seek – search for ways of exploiting the risk;
— transfer – options such as ‘sharing risk’ with other parties/insurance.
Arrangements should be put in place for those risks that are not acceptable.
Although ultimate responsibility for risk management will lie with top management, those risks identified as requiring control, which may be included in the management programme, should be cascaded in the form of policies, objectives, targets and operating procedures as appropriate to the relevant level in the organization.
Note: some risks may need to be controlled at strategic level, and may not be included in the management programme.

Identification of compliance and stakeholder requirements
The organization should establish, implement and maintain arrangements to determine the legal requirements, codes of practice and stakeholder requirements that it has to satisfy with respect to its activities, products and services. International requirements to meet the demands of different markets should be considered in the assessment.

Contingency planning
The organization should establish and maintain arrangements for identifying and responding to any unplanned event, potential emergency or disaster. The arrangements should seek to prevent or mitigate the consequences of any such occurrence and maintain business continuity.


Objectives and management programme
The organization should establish measurable objectives taking into account:
— business objectives;
— brand value and reputation issues;
— legal requirements, codes of practice and stakeholder requirements;
— contingency and continuity plans;
— financial requirements;
— market opportunities;
— the supply chain.
The organization should establish, implement and maintain a programme to achieve these objectives at the appropriate function, location and level within the organization.

Organizational structure, roles, responsibility, accountability and authority
The ultimate responsibility and accountability for managing risks faced by the organization lies with top management. Top management should be accountable and should ensure that individual roles and responsibilities are defined and understood at each level where control needs to be exercised and that the necessary training has been provided. All those with management responsibility should demonstrate their commitment to the risk management control measures, fostering a positive culture for risk management throughout the organization.
The organization should ensure that those persons to whom responsibilities are assigned have the necessary authority to act when required, and that their roles and responsibilities are documented and communicated both up and down the organizational structure.

3.4 Implementation and operation

Operational control
The organization should identify the specific operational control arrangements that are necessary to meet the organization’s risk management policy and objectives as well as compliance and stakeholder requirements.
To ensure that these control arrangements are effective, the organization should:
— stipulate the operating controls and conditions;
— establish and maintain documented procedures for use in situations where their absence could lead to deviations from the policy and objectives;
— maintain the systems and infrastructure to ensure effective operational control.

Managing resources
The organization should ensure that personnel are competent on the basis of appropriate training, skill and experience to undertake the duties and tasks assigned to them.
At every level within the organization managers should regularly evaluate the effectiveness of actions taken to ensure competence.


The organization should ensure that its personnel are aware of the relevance and importance of their activities and how they contribute to the achievement of the objectives.
The organization should ensure that adequate resources (including finance) are available. These are resources that affect the operation and maintenance of infrastructure, plant and facilities that have an impact on the organization’s arrangements for control of its risks, and associated documentation.

Documentation
It is important that the organization has some way of documenting or recording its arrangements and of controlling documents. The organization should establish and maintain information in a suitable medium, which describes the core arrangements and gives direction on related documentation.
The documentation should include:
— a description of the system;
— a statement of policies and objectives;
— documents determined as necessary to ensure effective planning and operational control.
Records should be established, documented and maintained to provide evidence of conformity to requirements. Records should be maintained of:
— each risk identified and considered;
— the decisions taken on any control measures;
— the names of the personnel who identified and considered the risk and who authorized the decision on the appropriate management action;
— the name of the person assigned as the risk owner.

Communication
The organization should establish appropriate procedures and/or systems for ensuring that pertinent information is communicated and recorded:
— to and from employees;
— to and from other stakeholders.
The aim should be transparency, in line with current regulations, recognizing that full disclosure may not always be possible because of the commercial sensitivity of the risk.

3.5 Performance assessment

Monitoring and measuring
To demonstrate that internal control arrangements are effective, the organization should implement a monitoring and measuring regime of relevant operational controls. The process should be proactive and should:


— determine the extent to which applicable requirements are being met;
— monitor the effectiveness of controls;
— include the recording of information to track performance;
— evaluate conformance with the organization’s objectives.

Evaluation of compliance
The organization should carry out periodic evaluations of compliance with legal requirements, regulations, codes of practice and other requirements to which the organization subscribes.

Internal audit
The organization should establish and maintain an audit programme and procedures for periodic system audits to be carried out. The basis of the audit programme should be determined by the significance of the risk and the organization’s performance in the management of its risks, in order to:
— determine whether or not the risk management system:
  – conforms to planned arrangements;
  – has been properly implemented and maintained; and
  – is effective in meeting the organization’s policy and objectives;
— review the results of previous audits;
— provide information on performance to top management.
Audits should be undertaken by competent personnel and, wherever possible, conducted by personnel independent of those having direct responsibility for the activity being examined.

3.6 Improvement
General
Top management should strive continually to improve the management of risk in the organization. It should take into account:
— audit results;
— analysis of performance data;
— corrective and preventive actions;
— loss events and near misses;
— management review;
— lessons learnt.

Analysis and handling of nonconformities
The responsibilities for handling nonconformities and reporting should be defined by top management.
The organization should establish arrangements for:


— reviewing actual or potential nonconformities;
— determining the root cause;
— evaluating the need for appropriate action to be taken.
Any subsequent changes that could have a major impact should be reviewed by top management before implementation to ensure that they do not introduce a new risk or compromise existing internal control measures.

3.7 Review
Management review
The organization’s top management should, at planned intervals, review the risk management system and arrangements to ensure their continuing suitability, adequacy and effectiveness. The management review process should ensure that the necessary information is collected to allow management to carry out this evaluation. Records of the management review should be retained.
Note: in some organizations the management team may report to an executive board, committee or individual.

Input
The input to the management review should include:
— results of audits;
— feedback from stakeholders;
— status of any remedial actions;
— follow-up actions from previous management reviews;
— changing circumstances, including developments in legal requirements, codes of practice and other requirements, related to the organization’s risks;
— recommendations for improvement;
— data and information on the organization’s performance;
— relevant changes in the external environment or market-place.

Output
The output from the management review should include any decisions and actions related to:
— improvement to the effectiveness of the risk management system;
— improvement related to stakeholder requirements;
— resource needs to enable improvement.

Reporting
Top management should report to shareholders and/or stakeholders. This should include assurance that it has taken measures, through internal control, to manage the risks faced by the organization. It may not be possible to divulge the nature of some risks and control measures for reasons of commercial sensitivity unless there is a regulatory requirement to do so.

4. Implementation of a risk management system

General
This chapter is provided to give guidance on implementing an effective risk management system for meeting corporate governance requirements. Guidance is given only in those areas where it is thought additional explanation is necessary and would be helpful to the reader.

Trading losses (case study)
A large multinational bank, Bank A, with a substantial investment banking arm allowed traders to make substantial trades over which there was ineffective control. The discovery of large losses that a trader had sought to hide led to some of the largest losses ever recorded, with repercussions around the global financial markets. This situation had occurred before, when the actions of a single trader led to the collapse of Bank B. Although Bank A was aware of the previous history it failed to implement adequate controls to prevent suffering a similar problem.

Establishing a risk management strategy
Reference is often made to ‘strategic’ risks, implying that there is only one category of risks that could have a major impact on the organization and, by implication, that there are other classes of risk of less significance. This distinction is erroneous. There are numerous cases where operational errors at the lowest level have produced catastrophic consequences that threaten the whole organization. The management of risks at all levels is equally important. It is true that a board of directors may take decisions which have associated risks that are strategic. If, for example, the board decided to close all its UK operations and operate from offshore call centres, that would certainly be a strategic decision that involved risks, which may accordingly be categorized as strategic risks. If, on the other hand, a junior employee made a mistake at operating level which resulted in the whole plant being burned down, the consequences would clearly involve strategic decisions even though the original risk would not have been classified as strategic.
It is important to understand that, although different risks may be managed at different levels within the organization, there should be an overall strategy for risk management. This should be established by top management in the organization, whether it is in the private or public domain. The strategy for managing risk within the organization cannot be developed in isolation. It should be developed along with, and support, overall organizational strategy. Furthermore, the strategy should recognize that the organization does not exist in a vacuum and, for the risk management strategy to be effective, account should be taken of both internal and external forces and stakeholders. When formulating strategy, top management should ensure it is aware of stakeholder expectations and, where appropriate, should either include representation for the stakeholders or have access to their input.


General system requirements
If an organization is to introduce a system of risk management successfully, the organization should be one that is ready to accept change. In this context, ‘successfully’ implies more than having a formal system in place. It also expresses a system that is working to the extent that the management and all stakeholders feel confident that:
— foreseen risks are being managed; and
— unforeseen risks are prepared for.
The successful management of change – and risk – in an organization depends upon the values and behaviour patterns that form the culture of the organization.

Policy
Top management should demonstrate the leadership and commitment necessary for the effective implementation of its governance and risk management arrangements, and their continuing operation and improvement. The development of a high-level policy should assist in achieving a consistent approach throughout the organization. A well-written policy can be communicated effectively to all levels of the organization and should reflect the nature and scale of the organization and its risks.
Although there needs to be a risk policy in line with that set out in Chapter 3 (see p. 9), there will almost certainly need to be policies and arrangements to deal with specific risks that arise through regulatory requirements or from stakeholders, e.g. listing rules, contractual requirements or occupational health and safety legislation. Consistency within the various policies is important.
As a general rule the risk policy will establish an overall sense of direction and principles for risk management within the organization. The policy should be ‘owned’ by a member of top management although the top management team bears collective responsibility for overall policy, and there may be individual responsibility for management of specific governance risks. Where appropriate the policy should be developed in conjunction with relevant stakeholders and reviewed at least annually.

Planning risk management for governance
A process is needed for identifying risks, assessing them and managing them; it should be appropriate to the board’s policy and objectives. In simple terms the following need to be addressed:
— What could go wrong (or right; risks can be positive as well as negative)?
— How likely is this to happen?
— What would be the consequences if this did arise?
— Are these consequences sufficiently significant to call for action to reduce or exploit the risk?
— What action should be taken to reduce the risk to an acceptable level?
— Is there the authority to take this action, or does it need to be sought at a higher level?


In organizations that have not previously carried out a process of risk identification and management, this will be a new requirement involving training so that every manager regards it as part of the routine business of managing his or her department.

Process for assessing and responding to business risks
A process for risk management is shown in Figure 4.1.

[Figure 4.1 A process for risk management. Stages shown in the figure: Develop methodology; Identify hazards; Assess risks; Determine controls; Implement controls; Monitor & review; Manage change.]

The organization should establish a methodology for identifying risks to the organization that have the potential to affect the achievement of objectives. This process should ensure that these risks are fully understood, assessed, prioritized and controlled.

Develop methodology
There is no single methodology for identification of risks that will suit all organizations and it is important that organizations choose something that is appropriate to their nature and size and also meets expectations in terms of the detail of output, complexity, time and costs.

Identify the risks
Identification of risk can be extremely complex depending upon the nature and scale of the organization and its field of operation. Whatever methodology is chosen it is important to address both positive and negative aspects of risks and ensure that the validity of assumptions is fully tested. The process of risk identification is of paramount importance to the organization for identifying opportunities.
In order to identify risks pertinent to the organization a variety of techniques may be employed. A list of such approaches is given in BS 31100 – see Appendix A of this book.


Sources of information can include:
— professional/trade bodies;
— government;
— regulators;
— insurers;
— public information/media on problems experienced by similar organizations.
There are many activities that can give rise to significant risk. Some examples are given below; the list is not intended to be exhaustive.
— fraud;
— unethical dealings;
— product and/or service failure;
— public perception;
— lack of business focus;
— exploitation of workers and/or suppliers;
— environmental mismanagement;
— occupational health and safety mismanagement and/or liability;
— regulatory action;
— civil action;
— failure to respond to market changes;
— failure to control industrial espionage;
— failure to take account of widespread disease or illness amongst the workforce;
— failure to compete;
— failure to adopt new technology;
— failure to invest;
— failure to control IT effectively;
— failure to establish a positive culture;
— vulnerability of resources (material and human);
— failure to establish effective contingency arrangements in the event of a product and/or service failure;
— failure to establish effective continuity arrangements in the event of a disaster;
— inadequate insurance provision.
Any one of the above can damage an organization’s reputation. Loss of reputation is one of the greatest potential impacts faced by an organization. It can have catastrophic effects in the short term, and long-term consequences.
It is important to remember that where an organization operates in many different countries and cultures the identification process should take on board any relevant requirements that are specific to the location.

Analyse and evaluate the risks
A process should be established to identify the likelihood of the risk being realized and the consequence of such an event, so that the risks can be prioritized. The process of identifying threats may give rise to a long list of possibilities. Clearly it is not sensible to tackle all these at one time even if they could be realized as risks. The organization should establish what the consequence would be if the risk was realized. If the outcome is minor then the evaluation process should be deferred in favour of those threats with more potentially disastrous outcomes.


Having identified the possible outcome, the risk should be evaluated as to its frequency. Those risks that have continuous exposure should be viewed as having a higher priority than those with infrequent exposure. There are many processes for identifying risk, but one way of ranking these two dimensions is to use a simple matrix as shown in Table 4.1. Those risks that are considered unacceptable should be prioritized for further evaluation.

Table 4.1 Matrix for threat assessment (cell value = consequence rating x exposure rating)

                                  Infrequent exposure                    Continuous exposure
                                  1                     2                3
Minor consequences        1       Tolerable threat (1)
                          2
Disastrous consequences   3                                              Intolerable threat (9)

This method prioritizes risks that would give rise to significant problems in the organization if they were to occur. It does not identify whether the risk is likely to be realized.
The organization should identify the likelihood of the risk being realized, bearing in mind the internal controls in place and the appetite and culture of the organization with regard to the management of risks.
The organization should evaluate its prioritized risks and the likelihood of their being realized in two ways:
1. with the necessary management and internal controls embedded in the culture of the organization; and
2. in the absence of internal controls embedded in the organization.
The risks can be evaluated as shown in Table 4.2.
Risks identified as unacceptable and which may have a significant impact upon stakeholder expectations should be dealt with as a matter of priority in order to demonstrate good governance.


Table 4.2 Matrix for risk assessment

                                      Excellent control measures                     Negligible control
                                      embedded in culture                            measures
Minor consequences and
infrequent exposure etc.              1-3 Tolerable
                                                          4-6
Disastrous consequences and
continual exposure                                                                   9 Intolerable risk
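The scoring in Tables 4.1 and 4.2, and the two-way evaluation with and without controls described above, worked through as an added example. This is illustrative code written for this edition of the text, not from the book or from BS 31100. The register entries are constructed, the 1-3 / 4-6 / 9 bands are taken from Table 4.2 as assumed cut points, and the rule that a control which internal audit has not verified earns no credit is an assumption of the example, added because the records and audit clauses in Chapter 3 only give assurance once the control has been checked.

```python
"""Risk register scoring on the Table 4.1 / Table 4.2 model.

Every risk gets a threat score (consequence x exposure, controls ignored,
Table 4.1) and a risk score (the same product once credited controls reduce
the effective exposure, Table 4.2).  Assumption for this example: a control
that internal audit has not verified earns no credit, so the risk is scored
as if uncontrolled.
"""
from dataclasses import dataclass

SCALE = (1, 2, 3)  # Table 4.1 ratings: 1 minor/infrequent ... 3 disastrous/continuous


def band(score: int) -> str:
    """Tolerability band for a 1-9 score; cut points assumed from Table 4.2."""
    if score <= 3:
        return "tolerable"
    if score <= 6:
        return "attention"  # middle band: needs a documented management decision
    return "intolerable"


@dataclass
class Risk:
    name: str
    owner: str                       # named risk owner, as the records clause requires
    consequence: int                 # 1 minor ... 3 disastrous
    exposure: int                    # 1 infrequent ... 3 continuous
    control_strength: int = 0        # 0 negligible, 1 partial, 2 excellent and embedded
    controls_verified: bool = False  # has internal audit confirmed the control works?

    def __post_init__(self) -> None:
        # Reject ratings outside the matrix rather than silently scoring them.
        for label, value in (("consequence", self.consequence), ("exposure", self.exposure)):
            if value not in SCALE:
                raise ValueError(f"{label} must be one of {SCALE}, got {value!r}")
        if self.control_strength not in (0, 1, 2):
            raise ValueError("control_strength must be 0, 1 or 2")

    def threat_score(self) -> int:
        """Table 4.1: consequence x exposure with no credit for controls."""
        return self.consequence * self.exposure

    def risk_score(self, credit_controls: bool = True) -> int:
        """Table 4.2: the product with exposure reduced by credited controls.

        Unverified controls are not credited (assumption made for this example).
        """
        effective_exposure = self.exposure
        if credit_controls and self.controls_verified:
            effective_exposure = max(1, self.exposure - self.control_strength)
        return self.consequence * effective_exposure


def prioritize(register: list[Risk]) -> list[Risk]:
    """Highest residual risk first; ties broken by the uncontrolled threat score."""
    return sorted(register, key=lambda r: (r.risk_score(), r.threat_score()), reverse=True)


def action_list(register: list[Risk]) -> list[dict]:
    """Risks that remain intolerable after credited controls, with the reason why."""
    out = []
    for r in prioritize(register):
        residual = r.risk_score()
        if band(residual) != "intolerable":
            continue
        if r.control_strength and not r.controls_verified:
            reason = "claimed controls not verified by audit"
        elif r.control_strength:
            reason = "verified controls insufficient"
        else:
            reason = "no controls in place"
        out.append({"risk": r.name, "owner": r.owner, "score": residual, "reason": reason})
    return out


# Constructed sample register (illustrative entries, not taken from the book).
REGISTER = [
    Risk("Trader exceeds position limits", "Head of Trading", 3, 3,
         control_strength=2, controls_verified=True),
    Risk("Unpatched internet-facing service", "Head of IT", 3, 3,
         control_strength=2, controls_verified=False),
    Risk("Key supplier delivery slips", "Operations Director", 2, 2,
         control_strength=1, controls_verified=True),
    Risk("Flooding of the main office", "Facilities Manager", 3, 1),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.name:36} threat={r.threat_score()} risk={r.risk_score()} {band(r.risk_score())}")
    for item in action_list(REGISTER):
        print("ACTION:", item)
```

The point of scoring twice is visible in the first two entries: both are disastrous and continuously exposed (threat 9), and both claim excellent controls, but only the trading limit control has been audited, so only it brings the residual score down to 3. The unverified patching control leaves the second risk at 9 and on the action list, which is the position Bank A in the case study above was in.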

Decide how the risks are to be managed


The strategic risks that top management includes in the risk management programme
should be cascaded in the form of policies, objectives and targets, as appropriate, to the
relevant level within the organization. A management system model may be a mirror
(daughter) of the overall strategic model, as shown in Figure 4.2.

[Figure 4.2 Management system model with daughters. Three nested cycles are shown, labelled Strategic, Management and Operational; each runs Policy, Planning, Implementation & Operation, Assess & improve, Management Review.]


Plan for the management of individual risks
Each identified unacceptable risk should have arrangements in place for dealing with the risk as identified in the previous chapter (see p. 9). In order to do this the organization should ensure that it has a plan that is consistent with its policy(ies), objectives and targets. This can be achieved using a mirror management system as shown in Figure 4.2. Alternatively, an integrated system or other arrangements that are considered satisfactory by the organization should be used. The arrangements should be documented to allow audit.

Compliance and stakeholder requirements
Many countries have now introduced a variety of regulations and/or guidance outlining the requirements for corporate governance within their jurisdiction. All organizations will have to take into account any relevant territory-based requirements when developing arrangements for controlling risk, in addition to possible sector-based regulations or expectations. This is an area that is of even greater importance to an organization that has operations in more than one country as there may be specific control arrangements for a particular country or, in some cases, particular stakeholders.
There needs to be a process in place for identifying what requirements, legal, guidance or otherwise, apply in the sphere of operation of the organization as well as any new or forthcoming requirements.

Contingency planning
An organization should make arrangements to deal with any foreseeable emergency and implement contingency arrangements for prevention or minimization of the consequences. Emergency situations can arise from both the organization’s own activities and from external events over which the organization has little or no control or influence. The organization should consider its range of activities, including products or services, to determine if there are situations, no matter how unlikely, that it should plan to mitigate in the event of an emergency. Aspects that should be considered are:
— Has a list of potential emergency situations been compiled?
— Has a contingency response team been established?
— Has there been consultation with all senior managers to contribute to this list?
— When considering each emergency situation have the consequences been documented, and the likelihood of occurrence (i.e. the risk) assessed and categorized?
— Have plans been developed for business continuity with procedures issued and tested regularly?
In order to mitigate the effects on all stakeholders it is essential that the board sets in place procedures and plans that anticipate that things can go wrong so that it can take planned and rehearsed steps to protect the business.
A guide on business continuity has been published by BSI: BS 25999-1:2006, Business continuity management – Part 1: Code of practice.


Objectives and management programme

Top management has a responsibility to shareholders, investors, staff, etc. to define and
rank effective and measurable objectives for the organization. These objectives should
be determined from the risk identification process, contingency plans, stakeholder
requirements and the overall business planning. Objectives selected should take into
account the resources available; a simple but well-recognized methodology is the SMART
process: objectives that are specific, measurable, achievable, realistic and time-orientated.
The organization should develop a strategic plan for managing those risks that have
been identified as needing control. The programmes developed for achieving the
objectives need to be established with appropriate personnel who have the necessary
accountabilities, responsibilities and resources.

Organizational structure, roles, responsibility, accountability and authority

Establishing the appropriate structure and accountability is essential if the policy and
objectives are to be achieved and a climate for good governance created. The organization
should establish the owners of particular risks and have a structure in place for managing
those risks it has identified as needing control.

Organizational structure
Structure is closely related to leadership and decision making. The extent to which the
organization is decentralized and managers are held accountable and rewarded for
success (and sanctioned for failure) affects the culture; the willingness to take risks is one
example. The organization should recognize this and ensure that the structure, the
accountabilities, the freedom to act and the resources are appropriate for effective
operation, and develop policies, guidance and frameworks that support this.
The structure should reflect how individual risks are managed within the operation of the
organization; see Figure 4.3.

Figure 4.3 Corporate governance organogram (Source: Hillson, 2007). The organogram
places strategic management above the functional areas (Financial, Marketing, Operations,
Administration, Technology and Human resources), with supporting risk disciplines
(BCM/DEMS, OH&S/Env., Technical and Information Security) feeding into both strategic
and operational risks.


Although a certain part of the organization (a division, function, etc.) may be assigned
ownership of a risk, it may well be necessary for other parts of the organization to be
involved if a pan-organizational risk governance system is to be effective.
There may be a need for specific arrangements for dealing with certain areas/disciplines
of risk, e.g. health and safety and information security. One way of managing this
requirement is to have management systems that support the overall risk management
framework. Even where the organization has sought input from experts in these
individual areas, the board should recognize that it retains overall accountability for
the management of the specific risk area. Where necessary, additional training/guidance
should be provided at board level to ensure that the management of the risk is effective
and meets organizational accountability and policy objectives. Where risks are managed
by specialists in an independent manner, the board should recognize the danger that a
coherent organizational strategy for dealing with risk will be undermined.

Establishing ownership of risk

The management of risks should be cascaded as appropriate within the organization.
Some risks should be discussed, prioritized and actioned exclusively at top management
level. The internal controls and any actions may need to be kept confidential because,
for example, of the sensitivity of the risk or for security reasons. The risk classification
process and, more specifically, the controls required should help in determining where
a risk is best managed. Although top management may identify the risk, it may be that
it is managed at middle management and/or at operational level; see Table 4.3.

Table 4.3 — Cascade of risk management system

Level at which the risk is managed      Responsibility
                                        Top management   Middle management   Operational
Strategic                                     ✓
Strategic/management                          ✓                 ✓
Strategic/management/operational              ✓                 ✓                ✓
Management                                                      ✓
Management/operational                                          ✓                ✓
Operational                                                                      ✓

For example, the organization may have determined that not maintaining security of its
site during non-operational hours is a significant risk. The control is the employment of a
subcontracted security company. Top management has identified this risk and allocated
accountability within the organization, but day-to-day responsibility will have been
assigned at a more junior level, where control of the outsourced function is managed
(for example, checking that the contracted patrols and incident reports are actually
being delivered). In contrast, health and safety management will have to be controlled
throughout the organization. Some market risks will be handled at a senior level and will
not be cascaded.


Implementation and operation

General
The control measures necessary for meeting the policy and objectives should be
implemented, ensuring that the necessary arrangements, documents and resources are in
place. There is also a need to instigate the monitoring procedure to verify and validate
that what should be happening really is happening.
Building capability for effective risk management requires a strategy that takes into
account the organization's present position and appetite for risk, and their relation to
organizational objectives. It is, unfortunately, commonplace to find that these strategies
focus upon risk only as a possible adverse effect on organizational performance, and on a
'source of risk' only as a threat to ongoing and planned activities.
It is essential to view risk in the widest possible interpretation: the outcomes are not
always a threat. An appropriate understanding might be:

Risk is something that might happen which could have either negative (threats) or
positive (opportunities) effects on the achievement of objectives.

When risk management within an organization becomes primarily a threat-focused
activity it tends to foster the development of specialists who focus on specific classes of
threat (for example, health and safety, security, legal and treasury staff). This in turn can
lead to the creation of organizational silos in which the specialist develops a position
disproportionate to their importance, separated from line management decision
making, rather than one that is fully integrated into all management decision processes.
It is important to remember that resources for the management of risk are always limited
and every organization has to be wise in the manner in which it deploys its resources to
maximum effect. Cost-effective approaches to creating risk management capability within
the organization can often be achieved by focused, incremental developments, targeting
the specific areas where effective management of risk matters most and where the
improvement in the decisions taken by management can have the greatest impact.
It will be impossible for any organization to develop effective capability in risk management
without involving the workforce and convincing it of the value of what is being put in place.
There have been many instances where poor operational control has led to catastrophic
failures. In many cases the risks had been identified and control measures implemented; the
failures were due, at least in part, to a poor culture within the organization.
The role of culture in the strategic management of organizations is important because:

— the prevailing culture is a major influence on current strategies and future
changes; and
— any decision to make major strategic changes may require a change in the
culture.

Culture is, therefore, a vital element in both strategy creation and strategy
implementation. The model in Figure 4.4 demonstrates the influence that culture and
values have within organizations.
When creating a climate for a culture that values people for the contribution they
can make to the business, it is necessary to ensure that effective mechanisms exist for
involvement of the workforce. In many areas of 'risk management' there is much evidence
to suggest that the involvement of the workforce in a meaningful way can have a
positive impact upon risk even at the lowest levels in an organization. Each organization
is different and there can be no single model for effective involvement of the workforce.
However, some general principles that can be adopted are outlined below.

— Leadership – demonstrating commitment, and setting organizational vision,
objectives and goals.
— Provision of information – sharing information with employees. The provision
and exchange of information and instructions enables the organization
to function efficiently and employees to be properly informed about
developments and training.
— Consultation – management and workers or their representatives jointly
consider issues of mutual concern with a view to identifying risks and seeking
acceptable solutions to problems through a genuine exchange of views and
information.
— Involvement and participation of the workforce in joint problem solving –
effective worker involvement is more than provision of information and
consultation and can lead to joint problem solving, which offers employers
and workers an even greater level of involvement.

Figure 4.4 The influence that culture and values have within organizations. The model
places Culture and Values at the centre, linked to Style of Decision Making, Information
Systems, Objectives, Functional Strategies and Policies, Competitive Advantage,
Management of People, Organizational Structure and Management Systems.

Consultation with the workforce will enable the organization to consider some areas
in which risk should be more appropriately managed and, working with the workforce,
embed a positive attitude towards risk management in the organization by incorporating
it into each individual's job description. This will enable individuals at all levels within
the organization to understand the risks that relate to their role and activities and how
the management of them can contribute to both individual and organizational goals and
objectives. It will further the development of an appropriate risk management culture
within the organization and foster an understanding of how individuals can contribute to
continuous improvement of risk management. Provision should be made for protecting
those who raise issues of concern where the individual feels the organization is not taking
adequate precautions to mitigate the risk.


However, the involvement of the workforce at all levels in the organization can in no way
diminish the accountability of top management for the management of risk. In addition
to using the 'eyes' of the workforce in improving risk management throughout the
organization, management should ensure that there are strong and effective processes
for internal control and the management of risk. These controls need to be embedded
within the organization.

Contractor problems
Small- and medium-sized enterprises (SMEs) have an equal need to apply governance
principles to their organization, particularly when this is a requirement or expectation of
contract tendering.
A local contractor working in a school failed to control the activities of an apprentice
working under inadequate supervision. Whilst unsupervised, the apprentice was able to
access the school IT network and used it to access the internet, communicating with
indiscreet outside parties. When the matter came to light the contractor was suspended
from the approved contractors' list and the member of staff responsible dismissed.

Managing resources

Identifying resources

The organization should clearly identify and commit the resources necessary to deliver
the policies, objectives and targets it has established, including:

— people;
— infrastructure, machinery, plant, etc.;
— finance, investment, etc.

The organization should commit those resources that are essential to the implementation,
control and improvement of the risk management arrangements. There will always be
financial limitations and possibly human resource factors (numbers, time and skill sets)
that have to be taken into consideration. These may affect the priority in which tasks are
tackled.

People
The organization should establish whether people are committed to, and capable of,
managing the risks that have been identified, and where individual personnel are
expected to enforce controls.
However, it should be recognized that an organization may be vulnerable to the
inappropriate actions of an individual employee who can do untold damage: consider
the collapse of Barings Bank. For this reason, there needs to be recognition of the
importance of individuals and of the vulnerability of the organization to those
individuals; controls that rely on a single person acting correctly should be backed by
independent checks.

Safety and environmental incidents
A multinational oil exploration and refining organization, which typically performed
well on the financial market and attracted ethical investors, experienced major failures
with both safety and environmental incidents. These incidents received global media
exposure and adverse comment about the board and its commitment to the management
of these operational risks. Investigators pointed to a lack of internal control and poor
cultural issues as having a large part to play in the incidents and, at a time of escalating
oil prices, its stock market performance was poor.

Establishing appropriate competencies and behaviours
Commonly, organizations arrange training without fully establishing the needs of the
organization or the individual. Failure can occur through one individual either being
incompetent or failing to demonstrate the appropriate behaviour. Organizations should
ensure that those responsible for establishing, implementing and managing governance
have knowledge and understanding of:

— strategic planning;
— legal requirements;
— agreements and contracts;
— organization;
— communication techniques and/or information management;
— involvement and motivation;
— education and continual professional development;
— continuous improvement and/or analytical techniques;
— evaluation and monitoring;
— delegation and/or equal opportunities;
— resource management.

Organizations should provide detailed specifications of the performance that employees
are expected to achieve, based on the knowledge and understanding required to deliver
positive task outcomes.
Organizations should also establish behavioural standards to underpin their competency
framework. An example of management competency is shown in Table 4.4.

Table 4.4 An example of management competency

Competency                                      Behavioural characteristic(s)
1. Acting in an ethical manner                  Shows integrity and fairness in decision making
2. Analysing information and taking decisions   Defines processes by task and activity
                                                Takes realistic decisions for a given situation
                                                Demonstrates an ability to identify patterns from
                                                events and data where there is no obvious relationship

Performance – towards a culture of good governance
Achieving success in an ever more complex and competitive global market-place is
becoming increasingly challenging. The speed of change is accelerating, there is a
consequent lack of organizational history as a reference point and the boundaries
between organizations are becoming progressively more blurred. It is important that
organizations develop a culture of performance; this is equally applicable to a commercial
organization, a hospital or a charity, and the backbone in achieving the desired
performance is the workforce.
Clearly, if members of the workforce are to be enthused about their responsibilities
for managing risk within their roles and linking their activities directly to the overall
performance of the organization, there has to be some sort of mechanism for providing
appropriate reward. This is often achieved through a performance management process
that links individual reward to achievement of individual objectives that support overall
organizational objectives.
Performance management is a process, or set of processes, which should enable
organizations to achieve their objectives. It should first establish shared understanding
between managers and their staff about what is to be achieved. Then it should encourage
management and development that increases the probability of achieving short- and
long-term goals.
Outputs from effective performance management should be the communication and
reinforcement of organizational strategies, values and norms. Most importantly, it
enables the integration of individual and corporate objectives. It can also be a conduit to
enable expression of individuals' views about achieving current goals for their team or
department.
Features of good performance management are:

— that it is a continuous process, not an annual event;
— the communication of vision, objectives and strategy;
— that it is subjected to regular evaluation;
— that use is made of existing processes for objective setting and work planning;
— top management commitment;
— line management understanding and commitment;
— cultural commitment.

Managing other resources

A whole range of resources is required for the effective running of a business. Some
considerations might be:

— buildings, workspace and associated utilities
The provision of infrastructure to meet needs is an obvious requirement but
it is sometimes forgotten that buildings, work areas and support facilities
need regular maintenance, replacement, cleaning, etc. You need to provide
for reviewing the infrastructure in the broadest sense, bearing in mind
technological changes, workplace expectations, changes in workload, and
reliability, consistency and other quality aspects.
— process equipment (both hardware and software)
The point about infrastructure is particularly important in respect of hardware
and software, which date very quickly. Reliance on computers increases the
exposure to loss of data, whether accidental or deliberate, which is a serious
danger; hardware and software that are no longer supported and no longer
receive fixes should be treated as a risk in their own right in the infrastructure
review.
— supporting services (such as transport or communication hardware)
Transport services are also sometimes not seen as a core issue. However, they
can impact on the environment through poor environmental specification
and there are occupational health and safety issues related to transport:
driver hours, carriage of dangerous loads, training, the type of vehicles used
or poor maintenance.

Documentation

It is important that the organization has some way of documenting or recording its
arrangements and controlling its documents. The organization should establish and
maintain information in a suitable medium which describes its arrangements and
gives direction on related documentation.
Any documentation or electronic media should be so managed that:

— it can be located;
— it is periodically reviewed, revised as necessary and approved for adequacy by
authorized personnel;
— current versions of relevant documents and data are available at all locations
where operations essential to the effective functioning of the system are
performed;
— obsolete documents and data are promptly removed from all points of issue
and points of use or otherwise assured against unintended use; and
— archival documents and data retained for legal purposes or knowledge
preservation, or both, are suitably identified.

Communication

Communication from stakeholders can give an early warning of possible problems that
could adversely affect the reputation of the organization. Reputations are built upon
trust, the trust that stakeholders, particularly customers, have in the organization.
Proactive communication with stakeholders can do much to develop trust and provide
feedback on areas of concern.
External communication to and from stakeholders should be integrated in the
organization's framework. This includes marketing and communication with national
bodies, investors, the media and any other appropriate areas. It may be necessary to have
an appointed person who is tasked with coordinating and dealing with media enquiries.
Organizations should consider the following.

— Is internal communication seen as essential to the organization's strategic
success?
— Is the organization willing to change things when this is necessary to improve
internal communication?
— Is the organization prepared to invest in resources for internal communication,
for example, in training people in the use of new technology?
— Does the organization make sure that those responsible for internal
communication have access to all the right information, at the right time, to
enable them to play their part in implementing the business strategy?
— Does the organization value and show that it values the views and ideas of
people at all levels throughout the organization?
— Is the organization's collective commitment to positive communication self-
generated such that personnel act on it consistently even when unprompted?


Performance assessment
Monitoring and measuring

Internal control is a requirement of corporate governance. Audit, which is described
below, is one powerful tool for assessing the organization's performance against the
arrangements it has specified. In addition, there are other ways of assessing performance
that are extremely valuable and may be required for a number of reasons. There are many
activities undertaken within an organization on a daily basis that are essential to ensuring
the organization manages its operational risks, e.g. visitors, site security, delivery of correct
supplies and safety. The aim should be to monitor, check, inspect and measure those
activities or parameters that could have a significant impact should they fail in some way.
The requirement to monitor what is happening in an organization, either at an individual
operating unit or across the organization, together with effective systems for measuring
results and reporting these at the appropriate level, is particularly important. Everyone
will be familiar with the regular reporting on financial matters (fundamental in the
ongoing sustainability of any organization) but, equally, monitoring activities that relate
to other specific organizational objectives is important in effective internal control.
For example, local government may have best-value performance indicators in the
following areas:

— corporate health;
— education;
— Social Services;
— housing and homelessness;
— Housing Benefit and Council Tax;
— waste;
— transport;
— planning;
— environment/environmental health and trading standards;
— cultural services/libraries and museums;
— community service and well-being;
— fire;
— quality of services.

In a commercial organization these could reflect differing objectives and might include:

— return to shareholders;
— dividend per share and dividend cover;
— operating profit before tax;
— customer satisfaction;
— waste management;
— emissions and pollution;
— transport;
— health and safety performance;
— employee satisfaction;
— quality.

The selection of indicators will depend entirely upon the organization, its sector and its
stakeholders, and both of the above lists comprise high-level strategic objectives for the
organizations that will require monitoring. There will also be many lower-level monitoring
activities that feed into the organizational objectives. These might include the following:


— Managers demonstrating genuine interest in 'shop floor' activities will
encourage buy-in by employees and help encourage feedback on potential
problems and opportunities for improvement.
— Regular checks to ensure waste is disposed of appropriately.
— Evaluating the efficiency and cost of dealing with planning applications.
— Monitoring the satisfaction of householders with council services.

In any event, the methods used should be proactive, that is, seeking information on what
is happening and identifying areas of possible concern before they become an issue.

Evaluation of compliance

At various times the organization needs to determine whether it is compliant with any
regulatory controls or requirements that apply to its operations. This evaluation may need
to be against the requirements specified in other countries if the organization provides
goods or services to other parts of the world. The frequency of this evaluation can vary
depending on the risk and the controls that are applied.
A similar process is also appropriate for evaluating customer or stakeholder requirements.

Internal audit

Many people are familiar with the concept of auditing for financial purposes. The
function of financial auditors is quite different from that of a systems auditor. In the case
of risk management for corporate governance, the internal audit should be focused on
the risk management systems and their ability to deliver the organization's policies and
objectives. The auditor has a responsibility to make sure that the defined system is in fact
being followed.
Audit considerations at a high level should include:

— board policy objectives and priorities;
— stakeholder requirements;
— statutory and regulatory requirements;
— risks to the organization;
— systems and operational arrangements.

The audit should establish that the following requirements have been met:

— plans prepared, documented and communicated;
— responsibilities designated;
— time-scales set to achieve objectives;
— plans reviewed at planned regular intervals;
— roles, responsibilities and authorities defined and documented;
— a management representative appointed as a risk owner;
— resources (including human resources, specialized skills, technology and
financial resources) provided;
— effective procedures in place for ensuring the competence of personnel to carry
out their designated functions.

All internal audit activities should result in a formal report dealing with the specific areas
that have been audited. This report should be confidential and, whilst aspects of the
findings may have been discussed with appropriate levels of management, it should be
provided directly to the top management responsible for risk management.
Personnel chosen to undertake the internal audit should be selected on the basis of
competence and independence from the area being assessed.

Improvement
General

No system should be static as the expectations of stakeholders continually change over time. Moreover, the ability to manage risk may well improve, and the system needs to take account of emerging risks.

The processes of monitoring, measurement and audit provide valuable information on where improvements to the system are necessary or can be made.

Analysis of nonconformity

If the system is failing in some way, this is often termed a nonconformity, and arrangements need to be established for analysing and correcting it. The root cause of the nonconformity shall be determined and the failing addressed.

The level at which responsibility and authority for any specific action to deal with preventing nonconformance will obviously depend upon the nature of the risk. This should be dealt with at a sufficiently senior level to demonstrate commitment to the process. There needs to be some process instigated to check that action has been taken and that it has been effective in dealing with the root cause of the nonconformance. Any new arrangements put in place should be evaluated before implementation to determine that no new unacceptable risks will be created.

Management review

Reviewing risk management governance systems is a fundamental requirement in any organization. The review ensures that internal controls are being applied effectively, as intended, and deliver organizational objectives. Most importantly, reviews provide the mechanism to drive the continual improvement required of any management system.

There are specific inputs to the management review, and specific outputs are expected from it. This reinforces the vital role of these reviews in driving the continual improvement cycle.

— Results of audits
The audit process should be embraced as an essential activity and top management should view the outputs in a positive manner, whether the results are positive or negative. The results are one of the most important inputs to the review process. They should help to identify whether the existing arrangements are sufficient for delivering the policy and objectives.
— Feedback from stakeholders
Any emerging trends, stakeholder requirements or information from external sources should be dealt with as they arise throughout the year. The management review needs to consider whether there is a need for new strategies or arrangements.


For the system to be effective there is a need to involve the workforce and
encourage its contribution. Its concerns should be considered with a view to
identifying opportunities for continuing and/or improved commitment to the
organization in its management of the risks for good governance.
— Status of remedial actions
The organization should review any actions it has taken or is taking following
any incidents.
— Follow-up actions from previous management reviews
The follow-up actions should be presented and an indication given where
possible of the timeliness of the implementation of new measures and their
effectiveness.
— Changing circumstances, including developments in legal and other
requirements
This includes both internal and external factors, such as takeovers or mergers,
reorganizations, new technology, new projects and any new legal or regulatory
impacts.
— Data and information on organizational performance
This is where the overall performance of the organization is reviewed to see
how well it has been managing its risks for governance and whether the
objectives have been delivered within the defined schedule.
— Recommendations for improvement
A frequent misconception is that the management review should just
be carried out annually. In reality, the frequency should be determined
by circumstances. To be truly effective, the management review of the
organization’s processes should be structured around areas of delivery where
uncertainty and risk matter most.
The management review differs from the audit in that it is more strategic in its focus. For example, the audit may conclude that everything is in place to meet the policy and objectives, but the management review may show that internal or external considerations justify a change.
As well as seeking to remedy deficiencies, the management review offers the opportunity for a more proactive approach: to consider where the organization wishes to be in the governance of its risks and how it can maximize the resulting benefits.

5. Other management processes
There are many international and national management system processes that can help an organization in the implementation, operation and maintenance of internal control arrangements. There may be individual arrangements to deal with specific risks that are very sound in themselves, which are externally assessed and certified. These individual arrangements may be useful as a framework for developing overall internal control and risk management arrangements. In any event, the use of external parties to undertake independent audit should give assurance to the board that arrangements are sound and can meet reporting requirements expected under corporate governance frameworks. Additionally, the use of such certified systems can assist in embedding within the organization arrangements for risk assessment and internal control, enabling an organization to demonstrate compliance to interested stakeholders.

The list below includes standards that relate to some areas that might be considered:

BS 25999-1:2006, Business continuity management — Part 1: Code of practice
BS 25999-2:2007, Business continuity management — Part 2: Specification
BS 31100 (DPC) (2008) Code of practice for risk management
BS EN ISO 14001:2004, Environmental management systems — Requirements with guidance for use
BS EN ISO 22000:2005, Food safety management systems — Requirements for any organization in the food chain
BS ISO/IEC 27001:2005; BS 7799-2:2005, Information technology — Security techniques — Information security management systems — Requirements
BS OHSAS 18001:2007, Occupational health and safety management systems — Requirements
SA8000:2001, Social Accountability

Please see Appendix B for correspondence of the requirements between various management systems for quality, environment, health and safety and information security.

6. Self-assessment questionnaire
The simple questions set out below will enable you to establish where your organization is positioned with respect to the basic elements it needs for controlling its risks.

Each question attracts a score between 0 and 2. Score 0 where the issue has not been addressed, 1 for partial compliance and 2 if your organization fully satisfies the question.

Score: 0 1 2

Is top management committed to effective risk management for good governance?
Is the risk management system based on the best available information?
Is risk management part of the process of decision making in your operations?
Are your risk management systems and policies appropriate for the size, complexity and nature of your organization?
Are your risk management system and policies appropriate for the nature of the risks your organization faces, reflecting best practice in your sector?
Does the organization have a process for identification of risks?
Have you identified the risks to the organization?
Have you assessed the likelihood and consequences of the significant risks being realized?
Is the risk management system systematic and structured?
Does the risk identification process take into account organizational culture, human factors and behaviour?
Is your risk management system dynamic and responsive to change?
Have you assessed the risks that could damage your organization’s reputation?
Have you assessed the risks that could result in production loss or service failing?
Have you assessed the risk that could adversely affect your market position?
Do you have a mechanism to identify and assess risks on an ongoing basis?
Have you established internal control arrangements to deal with the identified risks?
Is top management up to date with developments in regulatory frameworks, technological issues and political issues, which may affect the organization’s market?
Is there a process in place to identify legal and other requirements that the organization needs to address?
Have you identified your organization’s stakeholders and their expectations?
Have you established a contingency plan and evaluated its effectiveness?
Have you established continuity arrangements in the event of a disaster or emergency?
Does top management have clear objectives for the organization that have been communicated to employees as appropriate?
Does management demonstrate the necessary competence and integrity to create a climate of trust?
Are the arrangements embedded in the culture of the organization?
Are management control arrangements implemented effectively throughout the organization?
Does management ensure that people are adequately trained to manage the risks they are assigned to control?
Do the people in the organization have the knowledge, skills, tools and resources to support the achievement of the company’s objectives?
Are arrangements in place for documenting arrangements and records kept where necessary?
Is there effective communication between top management and the management team, other employees and others to ensure that all parties understand the company’s appetite for risk?
Are there established channels of communication for individuals to report suspected breaches of law, regulations, etc. – a ‘whistle-blower’s charter’?
Are operational controls monitored on a regular basis to ensure continued effectiveness?
Do you regularly review arrangements for complying with customer, stakeholder and regulatory requirements?
Do you regularly audit the risk management control arrangements?
Do you regularly seek to improve your arrangements?
Do the results of audits, incidents and performance reports regularly form part of the review process?
Do you report regularly upon your risk management processes?

If your total score is:

less than 30: your organization has hardly made a start on the effective management of its risks for good governance and needs to move forward quickly

31 to 60: your organization has made a start but needs to do more

more than 60: provided you do not score less than 1 in any area, the organization should be well on the way to effective control.

Appendix A. Summary of risk management tools

Table A.1 Summary of risk management tools

Tool                                                  Identification  Assessment  Response

Risk questionnaires
Risk checklists/Prompt lists
Risk identification workshop                          ✓ ✓
Nominal group technique                               ✓ ✓
Risk breakdown structure                              ✓ ✓
Delphi technique                                      ✓ ✓
Process mapping                                       ✓ ✓
Cause-and-Effect diagrams                             ✓ ✓
Risk mapping/Risk profiling                           ✓ ✓
Risk indicators
Brainstorming/‘thought shower’ events
Interviews and focus groups
‘What if?’ workshops
Scenario analysis/scenario planning/horizon scanning  ✓ ✓ ✓
Hazard and operability study (HAZOPs)                 ✓ ✓
PEST (Political, Economic, Sociological, Technological) analysis   ✓ ✓
SWOT (Strengths, Weaknesses, Opportunities and Threats) analysis   ✓ ✓
Stakeholder engagement/Matrices
Risk register/Database                                ✓ ✓ ✓
Project profile model (PPM)
Risk taxonomy
Gap analysis: Pareto analysis                         ✓ ✓
Probability and consequence grid/Diagrams (PIDs)/Boston grid   ✓ ✓
CRAMM                                                 ✓ ✓ ✓
Probability trees                                     ✓
Expected value method                                 ✓
Risk modelling/Risk simulation (Monte Carlo/Latin Hypercube)   ✓
Flow charts, process maps and documentation           ✓
Fault and event tree modelling: Failure Mode Effects Analysis (FMEA)   ✓
Stress testing                                        ✓ ✓
Critical path analysis (CPA) or Critical path method (CPM)   ✓
Sensitivity analysis                                  ✓
Cash flow analysis                                    ✓
Portfolio analysis                                    ✓
Cost-Benefit analysis                                 ✓ ✓
Utility theory                                        ✓
Visualization techniques (Heat maps, RAG status reports, Waterfall charts, Profile graphs, 3D Graphs, Radar charts, Scatter diagrams)   ✓ ✓

Source: Table A.1 is taken from DC BS 31100

Appendix B. Comparative table – common elements of quality, environmental and OH&S Systems with PAS 99

Table B.1 Comparative table illustrating the common elements of quality, environmental and OH&S Systems with PAS99: specification of common management systems requirements as a framework for integration
Good Governance – Risk                        ISO 9001      ISO 14001     ISO 18001     ISO/IEC 27001 Requirements
Management System                                                                                     of PAS 99

3.1 General requirements                      4.1           4.1           4.1           4.1           4.1
                                              5.5                                       4.2
3.2 Policy                                    5.1           4.2           4.2           5.1           4.2
                                              5.3
3.3 Planning for risk management              5.4           4.3           4.3           4.2           4.3
3.3 Risk identification, assessment           5.2           4.3.1         4.3.1         4.2           4.3.1
    and control                               5.4.2
                                              7.2
3.3 Identification of stakeholder             5.3           4.3.2         4.3.2         4.2.1(b2)     4.3.2
    requirements                              7.2.1
3.3 Contingency planning                      5.4           4.4.7         4.4.7                       4.3.3
                                              8.3
3.3 Objectives and management                 5.4.1         4.3.3         4.3.3         4.2.2         4.3.4
    programme                                 5.4.2
                                              8.5.1
3.3 Organizational structure, roles,          5.1           4.4.1         4.4.1         4.2.2         4.3.5
    responsibilities, accountability          5.5
    and authority
3.4 Implementation and operation              7             4.4           4.4                         4.4
3.4 Operational control                       7             4.4.6         4.4.6         4.2.2         4.4.1
3.4 Managing resources                        5.1           4.4.1         4.4.1         5.2.1         4.4.2
                                              5.5.1         4.4.2         4.4.2         5.2.2
3.4 Documentation                             4.2           4.4.4         4.4.4         4.3           4.4.3
                                                            4.4.5         4.4.5
                                                            4.5.4         4.5.4
3.4 Communication                             5.3           4.4.3         4.4.3         4.2.4(c)      4.4.4
                                              5.5.1
                                              5.5.3
                                              7.2.3
3.5 Performance assessment                    8             4.5           4.5                         4.5
3.5 Monitoring and measuring                  8             4.5.1         4.5.1         4.2.3         4.5.1
                                              7.6
3.5 Evaluation of compliance                  8.2           4.5.2         4.5.1         4.2.3         4.5.2
                                                                          4.5.2
3.5 Internal audit                            8.2.2         4.5.5         4.5.5         6             4.5.3
3.6 Improvement                               8.5           4.5.3         4.6           8             4.6.1
                                                            4.6
3.6 General                                   8.5           4.5.3         4.6           4.2.4         4.6.1
                                                            4.6                         8.1
3.6 Analysis and handling of                  8.3           4.5.3         4.5.3         4.2.4         4.5.4
    nonconformities                           8.4                                       8.2           4.6.2
                                              8.5                                       8.3
3.7 Review                                    5.6           4.6           4.6           7             4.7
3.7 Management review – general               5.6.1         4.6           4.6           7.1           4.7.1
3.7 Input                                     5.6.2         4.6           4.6           7.2           4.7.2
3.7 Output                                    5.6.3         4.6           4.6           7.3           4.7.3
3.7 Reporting                                               4.4.3         4.4.3

Note: this Table should be taken as a guide only, since correspondence between the clauses could be imprecise.

Appendix C. References and further reading
Corporate governance codes from around the world: http://www.ecgi.org/codes/all_codes.php
Association of British Insurers (ABI) (2008) ABI Research Paper 7 – Governance and Performance in Corporate Britain, London: ABI
The Association of Insurance and Risk Managers (AIRMIC), The National Forum for Risk Management in the Public Sector (ALARM) and The Institute of Risk Management (IRM) (2002) A Risk Management Standard, London: AIRMIC/ALARM/IRM
Basel Committee on Banking Supervision (1999) Enhancing Corporate Governance for Banking Organisations, Basel: Basel Committee on Banking Supervision. See: http://www.bis.org/bcbs/
Blair, A (2005) ‘Risk and the State’, speech delivered by Rt Hon A Blair at University College London, 26 May 2005
BS 6079-3:2000, Project management — Part 3: Guide to the management of business related project risk, London: British Standards Institution
BS 25999-1:2006, Business continuity management — Part 1: Code of practice, London: British Standards Institution
BS 25999-2:2007, Business continuity management — Part 2: Specification, London: British Standards Institution
BS 31100 (DPC) (2008) Code of practice for risk management, London: British Standards Institution
BS EN ISO 9000:2005, Quality management systems — Fundamentals and vocabulary, London: British Standards Institution
BS EN ISO 9001:2000, Quality management systems — Requirements, London: British Standards Institution
BS EN ISO 14001:2004, Environmental management systems — Requirements with guidance for use, London: British Standards Institution
BS EN ISO 22000:2005, Food safety management systems — Requirements for any organization in the food chain, London: British Standards Institution
BS ISO/IEC 27001:2005; BS 7799-2:2005, Information technology — Security techniques — Information security management systems — Requirements, London: British Standards Institution
BS OHSAS 18001:2007, Occupational health and safety management systems — Requirements, London: British Standards Institution
Cadbury, A et al. (1992) Report of the Committee on the Financial Aspects of Corporate Governance, London: Gee and Co Ltd
Committee of Sponsoring Organizations of the Treadway Commission (COSO) (2004) Enterprise Risk Management — Integrated Framework, Washington, DC: COSO
The Federal Reserve Board (2004) ‘Trends in Risk Management and Corporate Governance’ (‘Remarks by Governor Susan Schmidt Bies at the Financial Managers Society Finance and Accounting Forum for Financial Institutions, Washington, D.C., June 22, 2004’). See: http://www.federalreserve.gov
Financial Reporting Council (FRC) (2005) Internal Control – Revised Guidance for Directors on the Combined Code, London: FRC


Financial Reporting Council (FRC) (2008) The Combined Code on Corporate Governance, London: FRC
Hillson, D (2007) The Risk Management Universe: A guided tour (2nd edition) (BIP 2036), London: British Standards Institution
IMS Risk Solutions (2003a) IMS: Continual Improvement through Auditing (BIP 2011:2003), London: British Standards Institution
IMS Risk Solutions (2003b) IMS: Risk Management for Good Governance (BIP 2012:2003), London: British Standards Institution
The Independent Commission on Good Governance in Public Services (2004) The Good Governance Standard for Public Services, London: Office for Public Management Ltd and The Chartered Institute of Public Finance and Accountancy
International Corporate Governance Network (ICGN) (1999) ICGN Statement on Global Corporate Governance Principles, London: ICGN. See: http://www.icgn.org/documents/globalcorpgov.htm
Kelly, J M (2004) IMS: The Excellence Model (BIP 2010:2004), London: British Standards Institution
MORI (2003) Focus on the Future of Corporate Governance, London: MORI
Murray, R P (2003) IMS: Information Security (BIP 2008:2003), London: British Standards Institution
Nowacki, G (2003) IMS: Customer Satisfaction (BIP 2005:2003), London: British Standards Institution
Office for Public Management Ltd (OPM) (2007) Going Forward with Good Governance, London: OPM
Office of Government Commerce, Management of Risk. See: http://www.ogc.gov.uk/guidance_management_of_risk.asp
Organisation for Economic Co-operation and Development (OECD) (2004a) OECD Principles of Corporate Governance, Paris: OECD. See: http://www.oecd.org
Organisation for Economic Co-operation and Development (OECD) (2004b) Guidelines on Corporate Governance of State-owned Enterprises – Draft Text, Paris: OECD. See: http://www.oecd.org/dataoecd/46/51/34803211.pdf
Organisation for Economic Co-operation and Development (OECD) (2004c) Comments from Public Consultation on the Draft for Guidelines on Corporate Governance in State Owned Enterprises, Paris: OECD. See: http://www.oecd.org
PAS 99:2006, Specification of common management system requirements as a framework for integration, London: British Standards Institution
Robbins, M and Smith, D (2000) Managing Risk for Corporate Governance (PD 6668), London: British Standards Institution
SA8000:2001, Social Accountability, New York: Social Accountability International
Smith, D and Politowski, R (2007a) IMS: A Framework for integrated management systems. Background to PAS 99 and its application (BIP 2119:2007), London: British Standards Institution
Smith, D and Politowski, R (2007b) IMS: Implementing and operating using PAS 99 (BIP 2138:2007), London: British Standards Institution


Turnbull, N et al. (1999) Internal Control – Guidance for Directors on the Combined Code, London: The Institute of Chartered Accountants in England & Wales. Available at: http://www.icaew.com
United States of America (2002) Sarbanes-Oxley Act of 2002. Available at: http://www.sec.gov/about/laws/soa2002.pdf. See also: http://www.sec.gov/spotlight/sarbanes-oxley.htm
