by
BSI
389 Chiswick High Road
London W4 4AL
All rights reserved. Except as permitted under the Copyright, Designs and Patents Act 1988, no
part of this publication may be reproduced, stored in a retrieval system or transmitted in any form
or by any means – electronic, photocopying, recording or otherwise – without prior permission in
writing from the publisher.
Whilst every care has been taken in developing and compiling this publication, BSI accepts no
liability for any loss or damage caused, arising directly or indirectly in connection with reliance on
its contents, except to the extent that such liability may not be excluded in law.
The right of iMS Risk Solutions to be identified as the authors of this Work has been asserted by
them in accordance with sections 77 and 78 of the Copyright, Designs and Patents Act 1988.
Foreword ........ iv
Acknowledgements ........ iv
1. Introduction ........ 1
2. Scope and definitions ........ 7
3. Risk management system ........ 9
4. Implementation of a risk management system ........ 15
5. Other management processes ........ 34
Foreword
This is a guide to how organizations can identify and manage their risks for good governance.
Since the publication of PD 6668:2000, Managing Risk for Corporate Governance, upon which
this book is based, there is a greater appreciation of the importance of risk management in
organizations and society at large. All organizations take risks but as the ‘credit crunch’ of
2008 showed, these risks need to be balanced. They also need to recognize and manage those
risks which, if realized, could prejudice the sustainability of the organization. The principles
apply to organizations worldwide, in the private or public sectors, NGOs, as well as not-for-profit
organizations. This book outlines a management framework for identifying the risks
and opportunities, determining the extent of the risks, implementing and maintaining control
measures and reporting on the organization’s commitment to this process.
There have been a number of developments in the international and national management
standards field since PD 6668 was published in 2000. These developments, including those on
risk management (2008), occupational health and safety (2007), environmental management
(2004) and sustainable development (2006), can help organizations with internal control for
good governance. Although the principles in many of these documents are similar they do not
use the same approach. This is unfortunate as there is an increasing demand for an integrated
approach. An integrated approach that was developed in 2006 was PAS 99, Specification of
common management system requirements as a framework for integration. The framework used
in this book has elements in common with PAS 99 and helps support the holistic approach to risk
management for internal control and good governance.
Acknowledgements
The authors would like to thank Chris Millidge for his help in drafting this document and Michael
Faber for reviewing it for us and his helpful suggestions.
1. Introduction
This book provides guidance for organizations that wish to develop a framework for
managing risk for good governance. Research by analysts demonstrates the positive
link between good governance and organizational performance. In a recent study, the
Association of British Insurers – major investors in public companies in the UK – found
that ‘well-governed companies will produce better returns for shareholders over time’
(Association of British Insurers, 2008).
It is clear that well-managed organizations generally, whether in the public or private
sector, are far more likely to satisfy stakeholders. The focus of this publication is about
managing those risks for the sustainable operation of organizations using a management
systems standard approach.
In this introductory chapter the background to governance and the organizations to
which the approach is applicable are briefly reviewed. The chapter explains why the
approach adopted is generally applicable and consistent with international management
systems standards.
Background
The term ‘corporate governance’ came into general use following a number of major
scandals and corporate failures in the late 1980s and early 1990s, and in the UK became
enshrined in the report from the Committee on the Financial Aspects of Corporate
Governance (the Cadbury Committee): ‘Corporate governance is the system by which
companies are directed and controlled’ (Cadbury et al, 1 992).
Such failures have occurred throughout the world and continue to occur, such as the crisis
facing the global banking industry in 2008. The impact of these worldwide corporate
failures had the potential to be of such a magnitude that there was the danger that the
whole structure of the means of financing corporations might become threatened. The
essence of the limited liability company is that external investors are willing to become
shareholders, in the con f dence that their interests will be safeguarded. Shareholders
accept that not all investments will prove rewarding, but they are entitled to assume
that there will be no mismanagement on the part of the directors and managers who
are in day-to-day control of the corporation. If they cannot be confident that this is the
case they will be unwilling to invest, and the basis of modern commercial activity will
be under threat. Whilst an individual shareholder might have been willing to accept the
risk, major investors such as insurance companies or pension funds began to demand
that to safeguard the interests of their clients, there should be greater regulation of the
behaviour of joint stock companies.
In 1999 the Organisation for Economic Co-operation and Development (OECD) produced a
definition of corporate governance and a set of principles. These principles were revised in
2004 and at a high level comprise the following requirements of a corporate governance
framework (Organisation for Economic Co-operation and Development, 2004a). It should:
There are a number of sub-clauses to each of the main principles that cover specific areas.
There have been further definitions of governance and legislative powers in many
2002) – a response from legislators in the US to high-profile failures such as Enron and
WorldCom.
running of any business and should remain relevant over time in the continually
evolving global business environment. The OECD principles specifically highlight board
responsibility:
This has led to the formal consideration of risk and the identification of it as a ‘separate’
organizations have not previously recognized these risks, but simply that a formal and
structured approach had not been a feature in many organizations.
appropriately. There are upsides and downsides to the risks that come with every
opportunity and it is necessary to select the right balance. Organizations that are risk
averse are unlikely to thrive in the long term because of continual change in the marketplace
and social expectations.
private entities, public bodies or charities.
characteristics of good governance including promoting values in the organization,
of risk.
The principles of good governance equally apply to public bodies, charities, voluntary
bodies, etc. There is a need for good governance of public bodies to reflect the need to
ensure value for money, transparent decision making and reporting, proper codes of
conduct, accountability and so on.
Despite the difference between the public and private sectors it is essential that people
know for what they are responsible, and for what they are accountable.
There is also a drive for the public sector to be more creative and prepared to take more
calculated business risks in order to deliver the best possible services to the public. The
public and private sectors differ in this respect. The public sector needs good governance
to enable it to take certain calculated risks, whilst the private sector needs good
governance in order to manage the risks that are taken in everyday business. One way of
expressing the relationship between threat and opportunity can be seen in Figure 1.1.
[Figure 1.1: relationship between threat and opportunity, with regions labelled Desirable,
Acceptable if worthwhile, Insignificant/Negligible and Broadly acceptable. Source: BS 6079-3:2000]
Public bodies need to direct and control their functions and nowhere can this be more
clearly demonstrated than in local government. Local government bodies have a real
need to relate to their communities in a similar manner to corporate bodies, and to
demonstrate continuous improvement and value for money through outward-looking,
accountable and responsive services.
Risk management and internal control should be included in all dimensions of public
bodies such as:
All the above issues are equally applicable to charities, clubs, societies and associations.
Large charitable concerns rely heavily on public donations to support their activities
internationally.
There is clear recognition amongst boards of directors and investors – mostly those in the
professional investment market – that there is a link between good corporate governance
and organizational performance that is valued by stakeholders. There are a number of
international ratings organizations that focus research on the development of scoring
systems for ranking governance performance. This research is often used by professional
investors to assist in making informed decisions to formulate an overall investment
strategy, as a screening tool for analysts and portfolio managers and to adjust for
governance risk when assessing credit risk, etc.
Additionally, companies themselves are beginning to use similar ranking research to help
in their decision making, to reduce the chance of being targeted for shareholder action, to
increase market trust in reported earnings, as a support in seeking lower borrowing costs,
and in attracting highly qualified and experienced directors who can add value to the
organization and achieve a higher market capitalization.
Chapters 4 and 5 contain a practical guide to delivering business requirements with respect
to risk management for good governance. Chapter 6 provides a questionnaire to enable
organizations to carry out a self-assessment of their systems for governance.
A good management system will enable identification of risks, their management and help
in any disclosure requirements for stakeholders. The aspect of disclosure is specifically
highlighted in the OECD principles for governance, which additionally call for inclusion of
material information on ‘Foreseeable risk factors’ (Principle V.A.6).
Failure to identify risk of data loss
A government department was seeking to transfer personal data to another department
in a short space of time. Effective procedures were in existence but the time and cost of
removing the sensitive elements of the data was considered too great. As a result, when
the data was lost in transit the personal details of many millions of people were lost.
The loss of this information has had many repercussions:
• loss of confidence by the public in government departments handling confidential
personal information;
• individuals whose details have been compromised;
• a possibility for fraudulent activity through the use of this information remains for
many years to come.
[Diagram showing three elements: Assessment of corporate risk; Enabling organizational
culture; Effective management systems]
in the lifeblood of the organization that persuades its
2. Scope and definitions
Scope
The guidance given in this book outlines how an organization can implement effective
arrangements for managing risk, to ensure that it meets its corporate governance needs.
standards produced by the International Organization for Standardization (ISO).
This guidance is applicable to any organization that wishes to:
mitigate risks;
— implement, maintain and continually improve its management of risks in a
manner which is consistent with its policy;
annual basis.
There are a number of documents an organization may wish to refer to for further
Definitions
acceptable risk: risk at a level that can be tolerated by the organization
audit: systematic, independent process for obtaining audit evidence and evaluating it
management system: part of the overall management that includes organizational
resources for developing, implementing, achieving, reviewing and maintaining the
organization’s policy
nonconformity: non-fulfilment of a requirement
organization: company, corporation, firm, enterprise, authority or institution, or part
or combination thereof, whether incorporated or not, public or private, that has its own
functions and administration
Note: for organizations with more than one operating unit, a single operating unit may be defined
as an organization (see BS EN ISO 14001:2004, 3.16).
goals, and can apply at different levels, such as strategic, programme, project and operational.
of these and how they can affect the achievement of objectives.
Note 4: risk is often expressed in terms of a combination of the consequences of an event or a
at the highest level (see BS EN ISO 9000:2005, 3.2.7)
3. Risk management system
that operates throughout the organization encompassing all the organization’s activities.
Specifically the system should:
— have a defined scope;
— be documented, implemented, maintained, reviewed periodically for
effectiveness and continually improved;
— ensure the availability of appropriate resources and communication of
information to support it.
3.2 Policy
The top management in the organization should demonstrate commitment and develop
a policy to focus on managing risk for corporate governance. This should lead to specific
policies and arrangements to deal with specific risks. The corporate governance policy
should reflect the commitment of the organization to its stakeholders. It should promote
a positive culture within the organization for managing risk for good governance.
Specifically the policy should:
— reflect the nature and size of the organization, its activities, products and
— commit to developing a culture to control risk;
behalf of the organization;
— commit to comply with all relevant legal requirements, codes of practice and
other requirements to which the organization subscribes;
— commit to ensuring that management competence is established to mitigate
risks;
most effective methods of management;
— commit to reviewing regularly the business risks faced by the organization
improvement;
— commit to reporting at least annually to stakeholders as appropriate.
where necessary.
Risk identification
The process should consider, amongst other things, the risks (including opportunities) that
arise from:
— day-to-day operations;
— market developments;
— political changes;
— natural disasters;
— socio-economic changes;
— technical developments.
— exposure to the risk (on a scale of rare to continuous);
— impact, should the risk be realized.
— accept – no action;
— avoid – avoid activities that give rise to the risk;
— adopt – adopt measures for containment and/or mitigation;
— change – change the nature, magnitude or consequences;
— seek – search for ways of exploiting the risk;
Although ultimate responsibility for risk management will lie with top management,
those risks identified as requiring control, which may be included in the management
programme, should be cascaded in the form of policies, objectives, targets and operating
procedures as appropriate to the relevant level in the organization.
management programme.
The organization should establish, implement and maintain arrangements to determine
Contingency planning
responding to any unplanned event, potential emergency or disaster. The arrangements
should seek to prevent or mitigate the consequences of any such occurrence and maintain
business continuity.
— business objectives;
— brand value and reputation issues;
— contingency and continuity plans;
— financial requirements;
— market opportunities;
— the supply chain.
The organization should establish, implement and maintain a programme to achieve these
objectives at the appropriate function, location and level within the organization.
The ultimate responsibility and accountability for managing risks faced by the organization
lies with top management. Top management should be accountable and should ensure
that individual roles and responsibilities are defined and understood at each level where
those with management responsibility should demonstrate their commitment to the
risk management control measures, fostering a positive culture for risk management
throughout the organization.
The organization should ensure that those persons to whom responsibilities are assigned
have the necessary authority to act when required, and that their roles and responsibilities
are documented and communicated both up and down the organizational structure.
The organization should identify the specific operational control arrangements that are
necessary to meet the organization’s risk management policy and objectives as well as
compliance and stakeholder requirements.
— stipulate the operating controls and conditions;
— establish and maintain documented procedures for use in situations where
their absence could lead to deviations from the policy and objectives;
Managing resources
The organization should ensure that personnel are competent on the basis of appropriate
At every level within the organization managers should regularly evaluate the
The organization should ensure that its personnel are aware of the relevance and
objectives.
The organization should ensure that adequate resources (including finance) are available.
and associated documentation.
Documentation
It is important that the organization has some way of documenting or recording its
maintain information in a suitable medium, which describes the core arrangements and
gives direction on related documentation.
The documentation should include:
— a description of the system;
— a statement of policies and objectives;
operational control.
Records should be established, documented and maintained to provide evidence of
conformity to requirements. Records should be maintained of:
— each risk identified and considered;
— the decisions taken on any control measures;
— the names of the personnel who identified and considered the risk and who
authorized the decision on the appropriate management action;
— the name of the person assigned as the risk owner.
Communication
The organization should establish appropriate procedures and/or systems for ensuring that
pertinent information is communicated and recorded:
— to and from employees;
implement a monitoring and measuring regime of relevant operational controls. The
process should be proactive and should:
— determine the extent to which applicable requirements are being met;
— include the recording of information to track performance;
— evaluate conformance with the organization’s objectives.
Evaluation of compliance
The organization should carry out periodic evaluations of compliance with legal
requirements, regulations, codes of practice and other requirements to which the
organization subscribes.
Internal audit
The organization should establish and maintain an audit programme and procedures
for periodic system audits to be carried out. The basis of the audit programme should
be determined by the significance of the risk and the organization’s performance in the
management of its risks, in order to:
— determine whether or not the risk management system:
– conforms to planned arrangements;
– has been properly implemented and maintained; and
— review the results of previous audits;
— provide information on performance to top management.
conducted by personnel independent of those having direct responsibility for the
activity being examined.
3.6 Improvement
General
Top management should strive continually to improve the management of risk in the
organization. It should take into account:
— audit results;
— analysis of performance data;
— loss events and near misses;
— management review;
— lessons learnt.
The responsibilities for handling nonconformities and reporting should be defined by
top management.
The organization should establish arrangements for:
— reviewing actual or potential nonconformities;
— determining the root cause;
— evaluating the need for appropriate action to be taken.
Any subsequent changes that could have a major impact should be reviewed by top
management before implementation to ensure that they do not introduce a new risk or
compromise existing internal control measures.
3.7 Review
Management review
The organization’s top management should, at planned intervals, review the risk
information is collected to allow management to carry out this evaluation. Records of the
management review should be retained.
Note: in some organizations the management team may report to an executive board, committee
or individual.
Input
The input to the management review should include:
— results of audits;
— status of any remedial actions;
— recommendations for improvement;
— data and information on the organization’s performance;
Output
The output from the management review should include any decisions and actions
related to:
— improvement related to stakeholder requirements;
— resource needs to enable improvement.
Reporting
Top management should report to shareholders and/or stakeholders. This should include
measures for reasons of commercial sensitivity unless there is a regulatory requirement to
do so.
4. Implementation of a risk management system
General
This chapter is provided to give guidance on implementing an effective risk management
system for meeting corporate governance requirements. Guidance is given only in those
areas where it is thought additional explanation is necessary and would be helpful to
the reader.
Trading losses
A large multinational bank, Bank A, with a substantial investment banking arm allowed
traders to make substantial trades over which there was ineffective control. The discovery
of large losses that a trader had sought to hide led to some of the largest losses ever
recorded with repercussions around the global financial markets. This situation had
occurred before when the actions of a single trader led to the collapse of Bank B. Although
Bank A was aware of the previous history it failed to implement adequate controls to
prevent suffering a similar problem.
Establishing a risk management strategy
Reference is often made to ‘strategic’ risks, implying that there is only one category of
risks that could have a major impact on the organization and, by implication, that there
are other classes of risk of less significance. This distinction is erroneous. There are
numerous cases where operational errors at the lowest level have produced catastrophic
consequences that threaten the whole organization. The management of risks at all levels
is equally important. It is certainly true that a board of directors may take decisions which
have associated risks that are certainly strategic. If, for example, the board decided to
close all its UK operations and operate from offshore call centres, that would certainly be
a strategic decision that involved risks, which may accordingly be categorized as strategic
risks. If, on the other hand, a junior employee made a mistake at operating level which
resulted in the whole plant being burned down, the consequences would clearly involve
strategic decisions even though the original risk would not have been classified as
strategic.
It is important to understand that, although different risks may be managed at different
levels within the organization, there should be an overall strategy for risk management.
This should be established by top management in the organization, whether it is in the
private or public domain. The strategy for managing risk within the organization cannot
be developed in isolation. It should be developed along with, and support, overall
organizational strategy. Furthermore, the strategy should recognize that the organization
does not exist in a vacuum and for the risk management strategy to be effective account
should be taken of both internal and external forces and stakeholders. When formulating
strategy, top management should ensure it is aware of stakeholder expectations and,
where appropriate, should either include representation for the stakeholders or have
access to their input.
— fo re se e n ri sks a re b e i n g m a n a g e d ; a n d
— u n fo re se e n ri sks a re p re p a re d fo r.
Th e su cce ssfu l m a n a g e m e n t o f ch a n g e – a n d ri sk – i n a n o rg a n i za ti o n d e p e n d s u p o n th e
va l u e s a n d b e h a vi o u r p a tte rn s th a t fo rm th e cu l tu re o f th e o rg a n i z a ti o n .
Policy
Top management should demonstrate the leadership and commitment necessary for the
their continuing operation and improvement. The development of a high-level policy
should assist in achieving a consistent approach throughout the organization. A well-
should reflect the nature and scale of the organization and its risks.
Although there needs to be a risk policy in line with that set out in Chapter 3 (see p. 9),
there will almost certainly need to be policies and arrangements to deal with specific
the various policies is important.
As a general rule the risk policy will establish an overall sense of direction and principles
for risk management within the organization. The policy should be ‘owned’ by a member
of top management although the top management team bears collective responsibility
for overall policy, and there may be individual responsibility for management of specific
governance risks. Where appropriate the policy should be developed in conjunction with
relevant stakeholders and reviewed at least annually.
appropriate to the board’s policy and objectives. In simple terms the following need to be
addressed:
— What could go wrong (or right; risks can be positive as well as negative)?
— How likely is this to happen?
— What would be the consequences if this did arise?
— Are these consequences sufficiently significant to call for action to reduce or
exploit the risk?
— What action should be taken to reduce the risk to an acceptable level?
— Is there the authority to take this action, or does it need to be sought at a
higher level?
In organizations that have not previously carried out a process of risk identification and
management, this will be a new requirement involving training so that every manager
regards it as part of the routine business of managing his or her department.
Figure 4.1 A process for risk management (steps shown: Develop methodology; Identify hazards; Determine controls)
The organization should establish a methodology for identifying risks to the organization
that have the potential to affect the achievement of objectives. This process should ensure
that these risks are fully understood, assessed, prioritized and controlled.
Develop methodology
There is no single methodology for identification of risks that will suit all organizations
and it is important that organizations choose something that is appropriate to their
nature and size and also meets expectations in terms of the detail of output, complexity,
time and costs.
Sources of information can include:
— professional/trade bodies;
— government;
— regulators;
— insurers;
— public information/media on problems experienced by similar organizations.
There are many activities that can give rise to significant risk. Some examples are given
below; the list is not intended to be exhaustive.
— fraud;
— unethical dealings;
— product and/or service failure;
— public perception;
— lack of business focus;
— exploitation of workers and/or suppliers;
— environmental mismanagement;
— occupational health and safety mismanagement and/or liability;
— regulatory action;
— civil action;
— failure to respond to market changes;
— failure to control industrial espionage;
— failure to compete;
— failure to adopt new technology;
— failure to invest;
— failure to establish a positive culture;
— vulnerability of resources (material and human);
— inadequate insurance provision.
Any one of the above can damage an organization’s reputation. Loss of reputation is one
in the short-term, and long-term consequences.
It is important to remember that where an organization operates in many different
countries and cultures the identification process should take on board any relevant
requirements that are specific to the location.
the consequence of such an event, so that the risks can be prioritized. The process of
identifying threats may give rise to a long list of possibilities. Clearly it is not sensible to
tackle all these at one time even if they could be realized as risks. The organization should
establish what the consequence would be if the risk was realized. If the outcome is minor
then the evaluation process should be deferred in favour of those threats with more
potentially disastrous outcomes.
Those risks that have continuous exposure should be viewed as having a higher priority
one way of ranking these two dimensions is to use a simple matrix as shown in Table 4.1.

Table 4.1

                               Infrequent exposure                          Continuous exposure
                                        1                    2                      3
Minor consequences         1    Tolerable threat (1)
Disastrous consequences    3                                                Intolerable threat (9)

The organization should identify the likelihood of the risk being realized, bearing in mind
the internal controls in place and the appetite and culture of the organization with regard
to the management of risks.
The organization should evaluate its prioritized risks and the likelihood of their being
realized in two ways:
1. with the necessary management and internal controls embedded in the culture
of the organization; and
2. in the absence of internal controls embedded in the organization.
The risks can be evaluated as shown in Table 4.2.
Risks identified as unacceptable and which may have a significant impact upon
demonstrate good governance.
Table 4.2

                                                   Excellent control measures             Negligible control
                                                   embedded in culture                    measures
Minor consequences and infrequent exposure         1-3 Tolerable etc.
                                                   4-6
Disastrous consequences and continual exposure                                            9 Intolerable risk
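As an added illustration of the two-way evaluation described above (this is example code written for this page, not the guide's own method), the following Python scores a small constructed risk register using the 1 to 3 exposure and consequence ratings of Table 4.1, once in the absence of controls and once with controls taken into account, and bands each score with the 1-3 / 4-6 / 9 thresholds of Table 4.2. The control-effectiveness scale, the rule that effective controls lower the exposure rating, the name given to the 4-6 band and the sample risks themselves are all assumptions made here, not values from the guide.

```python
"""Risk register scoring in the spirit of Tables 4.1 and 4.2.

Added example, not the guide's own method. The control scale, the way
controls adjust the score and the label of the middle band are assumed.
"""
from dataclasses import dataclass

# Exposure and consequence ratings taken from Table 4.1.
INFREQUENT, OCCASIONAL, CONTINUOUS = 1, 2, 3   # exposure
MINOR, MODERATE, DISASTROUS = 1, 2, 3          # consequences

# Control effectiveness (assumed scale, mirroring the columns of Table 4.2):
# 0 = negligible control measures, 2 = excellent measures embedded in culture.
NEGLIGIBLE, PARTIAL, EXCELLENT = 0, 1, 2


@dataclass(frozen=True)
class Risk:
    name: str
    exposure: int     # 1..3
    consequence: int  # 1..3
    controls: int     # 0..2

    def __post_init__(self):
        if not (1 <= self.exposure <= 3 and 1 <= self.consequence <= 3):
            raise ValueError(f"{self.name}: ratings must be 1..3")
        if not 0 <= self.controls <= 2:
            raise ValueError(f"{self.name}: controls must be 0..2")


def inherent_score(risk: Risk) -> int:
    """Score 'in the absence of internal controls' (the guide's second way)."""
    return risk.exposure * risk.consequence


def residual_score(risk: Risk) -> int:
    """Score with controls 'embedded in the culture' (the guide's first way).

    Assumption: effective controls lower the exposure rating, never below 1.
    The consequence rating is left alone: a disastrous outcome stays
    disastrous even when it becomes unlikely.
    """
    return max(1, risk.exposure - risk.controls) * risk.consequence


def band(score: int) -> str:
    """Map a 1..9 score to the bands of Table 4.2 (middle label assumed)."""
    if score <= 3:
        return "tolerable"
    if score <= 6:
        return "action required"   # Table 4.2 leaves this band unnamed
    return "intolerable"


def evaluate(risks):
    """Evaluate every risk both ways, as the text requires."""
    rows = []
    for r in risks:
        inh, res = inherent_score(r), residual_score(r)
        rows.append({"name": r.name,
                     "inherent": inh, "inherent_band": band(inh),
                     "residual": res, "residual_band": band(res)})
    return rows


def prioritize(risks):
    """Order for treatment: highest residual score first; ties go to the more
    disastrous consequence (the guide defers minor outcomes in favour of
    potentially disastrous ones), then to the higher inherent score."""
    return sorted(risks,
                  key=lambda r: (residual_score(r), r.consequence, inherent_score(r)),
                  reverse=True)


# Constructed sample register (illustrative values, not from the guide).
SAMPLE_REGISTER = [
    Risk("Site unsecured outside operating hours", CONTINUOUS, DISASTROUS, EXCELLENT),
    Risk("Contractor staff unsupervised on IT network", OCCASIONAL, DISASTROUS, NEGLIGIBLE),
    Risk("Inadequate insurance provision", INFREQUENT, DISASTROUS, PARTIAL),
    Risk("Waste not disposed of appropriately", CONTINUOUS, MINOR, PARTIAL),
]

if __name__ == "__main__":
    for row in evaluate(prioritize(SAMPLE_REGISTER)):
        print(f"{row['name']:<45} inherent {row['inherent']} ({row['inherent_band']})"
              f"  residual {row['residual']} ({row['residual_band']})")
```

Running the block prints the register in treatment order. The first sample risk scores 9 (intolerable) without controls and 3 (tolerable) with excellent controls in place, which is exactly the distinction the two-way evaluation is meant to surface: a risk that looks acceptable only because of controls must keep those controls in place and audited.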
[Figure residue: three management cycles, labelled Strategic, Management and Operational, each made up of Policy, Planning, Implementation & Operation, Assess & improve and Management Review]
Many countries have now introduced a variety of regulations and/or guidance outlining
the requirements for corporate governance within their jurisdiction. All organizations will
have to take into account any relevant territory-based requirements when developing
arrangements for controlling risk, in addition to possible sector-based regulations or
expectations. This is an area that is of even greater importance to an organization that has
operations in more than one country as there may be specific control arrangements for a
particular country or, in some cases, particular stakeholders.
There needs to be a process in place for identifying what requirements, legal, guidance
or otherwise, apply in the sphere of operation of the organization as well as any new or
forthcoming requirements.
Contingency planning
In order to mitigate the effects on all stakeholders it is essential that the board sets in
place procedures and plans that anticipate that things can go wrong so that it can take
planned and rehearsed steps to protect the business.
A guide on business continuity has been published by BSI: BS 25999-1:2006, Business
continuity management – Part 1: Code of practice.
Establishing the appropriate structure and accountability is essential if the policy and
objectives are to be achieved and a climate for good governance created. The organization
should establish the owners of particular risks and have a structure in place for managing
those risks it has identified as needing control.
Organizational structure
Structure is closely related to leadership and decision making. The extent to which the
organization is decentralized and managers are held accountable and rewarded for
success (and sanctioned for failure) affects the culture. The willingness to take risks is an
example. The organization should recognize this and ensure that the structure and the
accountabilities, the freedom to act and resources are appropriate for effective operation,
and develop policies, guidance and frameworks that support this.
The structure should reflect how individual risks are managed within the operation of the
organization; see Figure 4.3.
Strategic management
Although a certain part of the organization (divisions, functions, etc.) may be assigned
ownership of a risk it may well be necessary for other parts of the organization to be
involved for a pan-organizational risk governance system to be effective.
There may be a need for specific arrangements for dealing with certain areas/disciplines
of risk, e.g. health and safety and information security. One way of managing this
requirement is to have supportive management systems to the overall risk management
framework. Despite the fact that the organization has sought input from experts in
these individual areas the board should recognize that it has overall accountability for
the management of the specific risk area. Where necessary, additional training/guidance
should be provided at board level to ensure the management of the risk is effective and
meets organizational accountability and policy objectives. Where risks are managed by
specialists in an independent manner, it is important that the board recognizes the danger
that a coherent organizational strategy for dealing with risk may be undermined.
For example, the organization may have determined that not maintaining security of its
site during non-operational hours is a significant risk. The control is the employment of a
subcontracted security company. Top management has identified this risk and allocated
accountability within the organization, but day-to-day responsibility will have been
assigned at a more junior level, where control of the outsourced function is managed.
In contrast, health and safety management will have to be controlled throughout the
organization. Some market risks will be handled at a senior level and will not be cascaded.
Risk is something that might happen which could have either negative (threats) or
positive (opportunities) effects on the achievement of objectives.
Culture is, therefore, a vital element in both strategy creation and strategy
implementation. The model in Figure 4.4 demonstrates the influence that culture and
values have within organizations.
When creating a climate for a culture that values people for the contribution they
can make to the business, it is necessary to ensure that effective mechanisms exist for
involvement of the workforce. In many areas of ‘risk management’ there is much evidence
to suggest that the involvement of the workforce in a meaningful way can have a
positive impact upon risk even at the lowest levels in an organization. Each organization
However, some general principles that can be adopted are outlined below.
objectives and goals.
— Provision of information – sharing information with employees. The provision
to function efficiently and employees to be properly informed about
developments and training.
— Consultation – management and workers or their representatives jointly
acceptable solutions to problems through a genuine exchange of views and
information.
consultation and can lead to joint problem solving, which offers employers
and workers an even greater level of involvement.
Figure 4.4 The influence that culture and values have within organizations (elements shown: Style of Decision Making; Information Systems; Objectives; Culture and Values; Functional Strategies and Policies; Competitive Advantage; Management of People; Organizational Structure; Management Systems)
Consultation with the workforce will enable the organization to consider some areas
embed a positive attitude towards risk management in the organization by incorporating
it into each individual’s job description. This will enable individuals at all levels within
the management of them can contribute both individual and organizational goals and
objectives. It will further the development of an appropriate risk management culture
continuous improvement of risk management. Provision should be made for protecting
those who raise issues of concern where the individual feels the organization is not taking
adequate precautions to mitigate the risk.
However, the involvement of the workforce at all levels in the organization can in no way
diminish the accountability of top management for the management of risk. In addition
to using the ‘eyes’ of the workforce in improving risk management throughout the
organization, management should ensure that there are strong and effective processes
for internal control and the management of risk. These controls need to be embedded
within the organization.

Contractor problems
Small- and medium-sized enterprises (SMEs) have an equal need to apply governance
principles to their organization, particularly when this is a requirement or expectation of
contract tendering.
A local contractor working in a school failed to control the activities of an apprentice
working under inadequate supervision. Whilst unsupervised the apprentice was able to
access the school IT network and used it to access the internet, communicating with
indiscreet outside parties. When the matter came to light the contractor was suspended
from the approved contractors’ list and the member of staff responsible dismissed.

Managing resources
Identifying resources
The organization should clearly identify and commit the resources necessary to deliver
the policies, objectives and targets it has established, including:
— people;
— infrastructure, machinery, plant, etc;
— finance, investment, etc.
People
The organization should establish whether people are committed and capable of
managing the risks that have been identified and where individual personnel are
expected to enforce controls.
However, it should be recognized that an organization may be vulnerable to the
inappropriate actions of an individual employee who can do untold damage – consider
the collapse of Barings Bank. For this reason, there needs to be recognition of the
importance of individuals and the vulnerability of the organization to those individuals.
appropriate behaviour. Organizations should ensure
that those responsible for establishing, implementing
— continuous improvement and/or analytical
techniques;
— evaluation and monitoring;
— delegation and/or equal opportunities;
— resource management.
Organizations should provide detailed specifications of
the performance that employees are expected to achieve,
based on the knowledge and understanding required to
deliver positive task outcomes.
Organizations should also establish behavioural standards
to underpin their competency framework. An example of
management competency is shown in Table 4.4.

Safety and environmental incidents

Table 4.4

1. Acting in an ethical manner          Shows integrity and fairness in decision making
2. Analysing information and taking     Defines processes by task and activity
   decisions                            Takes realistic decisions for a given situation
                                        Demonstrates an ability to identify patterns from
                                        events and data where there is no obvious relationship

challenging. The speed of change is accelerating, there is
a consequent lack of organizational history as a reference
point and the boundaries between organizations are
or poor maintenance.
Documentation
It is important that the organization has some way of documenting or recording its
maintain information in a suitable medium, which describes the care arrangements and
gives direction on related documentation.
Any documentation or electronic media should be so managed that:
— it can be located;
— it is periodically reviewed, revised as necessary and approved for adequacy by
authorized personnel;
— current versions of relevant documents and data are available at all locations
performed;
— obsolete documents and data are promptly removed from all points of issue
and points of use or otherwise assured against unintended use; and
— archival documents and data retained for legal purposes or knowledge
preservation, or both, are suitably identified.
Communication
could adversely affect the reputation of the organization. Reputations are built upon
feedback on areas of concern.
an appointed person who is tasked with coordinating and dealing with media enquiries.
Organizations should consider the following.
— Is internal communication seen as essential to the organization’s strategic
success?
— Is the organization willing to change things when this is necessary to improve
internal communication?
— Is the organization prepared to invest in resources for internal communication,
for example, in training people in the use of new technology?
— Does the organization make sure that those responsible for internal
communication have access to all the right information, at the right time, to
enable them to play their part in implementing the business strategy?
— Does the organization value and show that it values the views and ideas of
people at all levels throughout the organization?
— Is the organization’s collective commitment to positive communication self-
generated such that personnel act on it consistently even when unprompted?
Performance assessment
Monitoring and measuring
— corporate health;
— education;
— Social Services;
— housing and homelessness;
— Housing Benefit and Council Tax;
— waste;
— transport;
— planning;
— environment/environmental health and trading standards;
— cultural services/libraries and museums;
— community service and well-being;
— fire;
— quality of services.
In a commercial organization these could reflect differing objectives and might include:
— return to shareholders;
— dividend per share and dividend cover;
— operating profit before tax;
— customer satisfaction;
— waste management;
— emissions and pollution;
— transport;
— health and safety performance;
— employee satisfaction;
— quality.
The selection of indicators will depend entirely upon the organization, its sector and its
stakeholders, and both of the above lists comprise high-level strategic objectives for the
organizations that will require monitoring. There will also be many lower-level monitoring
activities that feed into the organizational objectives. These might include the following:
— Managers demonstrating genuine interest in ‘shop floor’ activities will
encourage buy-in by employees and help encourage feedback on potential
problems and opportunities for improvement.
— Regular checks to ensure waste is disposed of appropriately.
— Evaluating the efficiency and cost of dealing with planning applications.
In any event, the methods used should be proactive, that is, seeking information on what
Evaluation of compliance
At various times the organization needs to determine whether it is compliant with any
regulatory controls or requirements that apply to its operations. This evaluation may need
to be against the requirements specified in other countries if the organization provides
depending on the risk and the controls that are applied.
Internal audit
Many people are familiar with the concept of auditing for financial purposes. The
of risk management for corporate governance, the internal audit should be focused on
the risk management systems and their ability to deliver the organization’s policies and
objectives. The auditor has a responsibility to make sure that the defined system is in fact
being followed.
Audit considerations at a high level should include:
— board policy objectives and priorities;
— stakeholder requirements;
— statutory and regulatory requirements;
— risks to the organization;
The audit should establish that the following requirements have been met:
— plans prepared, documented and communicated;
— responsibilities designated;
— time-scales set to achieve objectives;
— plans reviewed at planned regular intervals;
— documentation of roles, responsibilities, and authorities;
— a management representative has been appointed as a risk owner;
financial resources);
— roles, responsibilities and authorities defined and documented;
their designated functions.
All internal audit activities should result in a formal report dealing with the specific areas
that have been audited. This report should be confidential and, whilst aspects of the
findings may have been discussed with appropriate levels of management, it should be
provided directly to the top management responsible for risk management.
Improvement
General
time. Moreover, the ability to manage risk may well improve, and the system needs to take
account of emerging risks.
The processes of monitoring, measurement and audit provide valuable information on
where improvements to the system are necessary or can be made.
If the system is failing in some way, this is often termed as a nonconformity and
the nonconformity shall be determined and the failing addressed.
The level at which responsibility and authority for any specific action to deal with
preventing nonconformance will obviously depend upon the nature of the risk. This
should be dealt with at a sufficiently senior level to demonstrate commitment to the
and that it has been effective in dealing with the root cause of the nonconformance. Any
new arrangements put in place should be evaluated before implementation to determine
Management review
Reviewing risk management governance systems is a fundamental requirement in any
intended, and deliver organizational objectives. Most importantly, reviews provide the
mechanism to drive the continual improvement required of any management system.
There are specific inputs to the management review and what is expected in the
form of outputs. This reinforces the vital role of these reviews in driving the continual
improvement cycle.
— Results of audits
The audit process should be embraced as an essential activity and top
management should view the outputs in a positive manner, whether the
results are positive or negative. The results are one of the most important
inputs to the review process. They should help to identify whether the existing
arrangements are sufficient for delivering the policy and objectives.
external sources should be dealt with as they arise throughout the year.
The management review needs to consider whether there is a need for new
For the system to be effective there is a need to involve the workforce and
encourage its contribution. Its concerns should be considered with a view to
identifying opportunities for continuing and/or improved commitment to the
organization in its management of the risks for good governance.
— Status of remedial actions
The organization should review any actions it has taken or is taking following
any incidents.
— Follow-up actions from previous management reviews
The follow-up actions should be presented and an indication given where
possible of the timeliness of the implementation of new measures and their
effectiveness.
— Changing circumstances, including developments in legal and other
requirements
This includes both internal and external factors, such as takeovers or mergers,
reorganizations, new technology, new projects and any new legal or regulatory
impacts.
— Data and information on organizational performance
This is where the overall performance of the organization is reviewed to see
how well it has been managing its risks for governance and whether the
objectives have been delivered within the defined schedule.
— Recommendations for improvement
A frequent misconception is that the management review should just
be carried out annually. In reality, the frequency should be determined
by circumstances. To be truly effective, the management review of the
organization’s processes should be structured around areas of delivery where
uncertainty and risk matter most.
The management review differs from the audit in that it is more strategic
in its focus. For example, the audit may conclude that everything is in place
to meet the policy and objectives, but the management review may show, for
example, that internal or external considerations justify a change.
As well as seeking to remedy deficiencies, the management review
offers the opportunity for a more proactive approach: to consider where
the organization wishes to be in the governance of its risks and how it can
maximize the resulting benefits.
5. Other management processes
There are many international and national management system processes that can
help an organization in the implementation, operation and maintenance of internal
individual arrangements may be useful as a framework for developing overall internal
are sound and can meet reporting requirements expected under corporate governance
The list below includes standards that relate to some areas that might be considered:
6. Self-assessment questionnaire
The simple questions set out below will enable you to establish where your organization is
positioned with respect to the basic elements it needs for controlling its risks.
0 1 2
management for good governance?
Is the risk management system based on the best
available information?
Is risk management part of the process of
decision making in your operations?
Are your risk management systems and policies
appropriate for the size, complexity and nature
of your organization?
Are your risk management system and policies
appropriate for the nature of the risks your
organization faces, reflecting best practice in
your sector?
Does the organization have a process for
identification of risks?
Have you identified the risks to the
organization?
Have you assessed the likelihood and
consequences of the significant risks being
realized?
Is the risk management system systematic and
structured?
Does the risk identification process take into
account organizational culture, human factors
and behaviour?
Is your risk management system dynamic and
responsive to change?
your organization’s reputation?
production loss or service failing?
35
Self-assessment questionnaire
0 1 2
a ffe ct yo u r m a rke t p o si ti o n ?
D o yo u h a ve a m e ch a n i sm to i d e n ti fy a n d a sse ss
ri sks o n a n o n g o i n g b a si s?
H a ve yo u e sta b l i sh e d i n te rn a l co n tro l
a rra n g e m e n ts to d e a l wi th th e i d e n ti f e d ri sks?
I s to p m a n a g e m e n t u p to d a te wi th
d e ve l o p m e n ts i n re g u l a to ry fra m e wo rks,
te ch n o l o g i ca l i ssu e s a n d p o l i ti ca l i ssu e s, wh i ch
m a y a ffe ct th e o rg a n i za ti o n ’s m a rke t?
I s th e re a p ro ce ss i n p l a ce to i d e n ti fy l e g a l a n d
o th e r re q u i re m e n ts th a t th e o rg a n i za ti o n n e e d s
to a d d re ss?
H a ve yo u i d e n ti f e d yo u r o rg a n i za ti o n ’s
sta ke h o l d e rs a n d th e i r e xp e cta ti o n s?
H a ve yo u e sta b l i sh e d a co n ti n g e n cy p l a n a n d
H a ve yo u e sta b l i sh e d co n ti n u i ty a rra n g e m e n ts i n
th e e ve n t o f a d i sa ste r o r e m e rg e n cy?
D o e s to p m a n a g e m e n t h a ve cl e a r o b j e cti ve s fo r
th e o rg a n i za ti o n th a t h a ve b e e n co m m u n i ca te d
to e m p l o ye e s a s a p p ro p ri a te ?
D o e s m a n a g e m e n t d e m o n stra te th e n e ce ssa ry
co m p e te n ce a n d i n te g ri ty to cre a te a cl i m a te o f
tru st?
Are th e a rra n g e m e n ts e m b e d d e d i n th e cu l tu re
o f th e o rg a n i za ti o n ?
i m p l e m e n te d e ffe cti ve l y th ro u g h o u t th e
o rg a n i z a ti o n ?
D o e s m a n a g e m e n t e n su re th a t p e o p l e a re
a d e q u a te l y tra i n e d to m a n a g e th e ri sks th e y a re
a ssi g n e d to co n tro l ?
D o th e p e o p l e i n th e o rg a n i za ti o n h a ve th e
kn o wl e d g e , ski l l s, to o l s a n d re so u rce s to su p p o rt
th e a ch i e ve m e n t o f th e co m p a n y’s o b j e cti ve s?
Are a rra n g e m e n ts i n p l a ce fo r d o cu m e n ti n g
36
Self-assessment questionnaire
0 1 2
m a n a g e m e n t a n d th e m a n a g e m e n t te a m , o th e r
e m p l o ye e s a n d o th e rs to e n su re th a t a l l p a rti e s
Are th e re e sta b l i sh e d ch a n n e l s o f co m m u n i ca ti o n
fo r i n d i vi d u a l s to re p o rt su sp e cte d b re a ch e s
ch a rte r’ ?
Are o p e ra ti o n a l co n tro l s m o n i to re d o n a re g u l a r
D o yo u re g u l a rl y re vi e w a rra n g e m e n ts fo r
co m p l yi n g wi th cu sto m e r, sta ke h o l d e r a n d
re g u l a to ry re q u i re m e n ts?
D o yo u re g u l a rl y a u d i t th e ri sk m a n a g e m e n t
D o yo u re g u l a rl y se e k to i m p ro ve yo u r
a rra n g e m e n ts?
D o th e re su l ts o f a u d i ts, i n ci d e n ts a n d
p e rfo rm a n ce re p o rts re g u l a rl y fo rm p a rt o f th e
re vi e w p ro ce ss?
D o yo u re p o rt re g u l a rl y u p o n yo u r ri sk
m a n a g e m e n t p ro ce sse s?
31 to 60: yo u r o rg a n i za ti o n h a s m a d e a sta rt b u t n e e d s to d o m o re
37
Appendix A. Summary of risk management tools
Risk questionnaires ✓
Risk checklists/Prompt lists ✓
Risk identification workshop ✓ ✓
Nominal group technique ✓ ✓
Risk breakdown structure ✓ ✓
Delphi technique ✓ ✓
Process mapping ✓ ✓
Cause-and-Effect diagrams ✓ ✓
Risk mapping/Risk profiling ✓ ✓
Risk Indicators ✓
Brainstorming/'thought shower' events ✓
Interviews and focus groups ✓
'What if?' workshops ✓
Scenario analysis/scenario planning/horizon scanning ✓ ✓ ✓
Hazard and operability study (HAZOPs) ✓ ✓
PEST (Political, Economic, Sociological, Technological) analysis ✓ ✓
Stakeholder engagement/Matrices ✓
Risk register/Database ✓ ✓ ✓
Project profile model (PPM) ✓
Risk taxonomy ✓
Gap analysis: Pareto analysis ✓ ✓
CRAMM ✓ ✓ ✓
Probability trees ✓
Expected value method ✓
Risk modelling/Risk simulation (Monte Carlo/Latin Hypercube) ✓
Stress testing ✓ ✓
Critical path analysis (CPA) or Critical path method (CPM) ✓
Sensitivity analysis ✓
Cash flow analysis ✓
Portfolio analysis ✓
Cost-Benefit analysis ✓ ✓
Utility theory ✓
Visualization techniques ✓ ✓
Heat maps, RAG status reports, Waterfall charts, Profile graphs, 3D Graphs, Radar charts, Scatter diagrams
Appendix B. Comparative table – common elements of quality, environmental and OH&S systems with PAS 99
5.5 4.2
3.2 Policy 5.1 4.2 4.2 5.1 4.2
5.3
management
3.3 Risk identification, 5.2 4.3.1 4.3.1 4.2 4.3.1
7.2
3.3 Identification of stakeholder requirements 5.3 4.3.2 4.3.2 4.2.1 (b2) 4.3.2
7.2.1
7.2.1
3.3 Contingency planning 5.4 4.4.7 4.4.7 4.3.3
8.3
3.3 Objectives and management programme 5.4.1 4.3.3 4.3.3 4.2.2 4.3.4
5.4.2
8.5.1
3.3 Organizational structure, roles, responsibilities, accountability and authority 5.1 4.4.1 4.4.1 4.2.2 4.3.5
5.5
operation
3.4 Operational Control 7 4.4.6 4.4.6 4.2.2 4.4.1
3.4 Managing resources 5.1 4.4.1 4.4.1 5.2.1 4.4.2
5.5.1 4.4.2 4.4.2 5.2.2
4.4.5 4.4.5
4.5.4 4.5.4
3.4 Communication 5.3 4.4.3 4.4.3 4.2.4(c) 4.4.4
5.5.1
5.5.3
7.2.3
3.5 Monitoring and measuring 8 4.5.1 4.5.1 4.2.3 4.5.1
7.6
3.5 Evaluation of compliance 8.2 4.5.2 4.5.1 4.2.3 4.5.2
4.5.2
3.5 Internal Audit 8.2.2 4.5.5 4.5.5 6 4.5.3
3.6 Improvement 8.5 4.5.3 4.6.8 4.6.1
4.6
3.6 General 8.5 4.5.3 4.6 4.2.4 4.6.1
4.6 8.1
3.6 Analysis and handling of nonconformities 8.3 4.5.3 4.5.3 4.2.4 4.5.4
8.4 8.2 4.6.2
8.5 8.3
3.7 Review 5.6 4.6 4.6 7 4.7
3.7 Management review – general 5.6.1 4.6 7.1 4.7.1
3.7 Input 5.6.2 4.6 7.2 4.7.2
3.7 Output 5.6.3 4.6 7.3 4.7.3
3.7 Reporting 4.4.3
Appendix C. References and further reading
Corporate governance codes from around the world: http://www.ecgi.org/codes/all_codes.php
Association of British Insurers (ABI) (2008) ABI Research Paper 7 – Governance and Performance in Corporate Britain, London: ABI
The Association of Insurance and Risk Managers (AIRMIC), The National Forum for Risk Management in the Public Sector (ALARM) and The Institute of Risk Management (IRM) (2002) A Risk Management Standard, London: AIRMIC/ALARM/IRM
Basel Committee on Banking Supervision (1999) Enhancing Corporate Governance for Banking Organisations, Basel: Basel Committee on Banking Supervision. See: http://www.bis.org/bcbs/
Blair, A (2005) 'Risk and the State', speech delivered by Rt Hon A Blair at University College London, 26 May 2005
BS 6079-3:2000, Project management – Part 3: Guide to the management of business related project risk, London: British Standards Institution
BS 25999-1:2006, Business continuity management – Part 1: Code of practice, London: British Standards Institution
Financial Reporting Council (FRC) (2008) The Combined Code on Corporate Governance, London: FRC
Hillson, D (2007) The Risk Management Universe: A guided tour (2nd edition) (BIP 2036), London: British Standards Institution
IMS Risk Solutions (2003a) IMS: Continual Improvement through Auditing (BIP 2011:2003), London: British Standards Institution
IMS Risk Solutions (2003b) IMS: Risk Management for Good Governance (BIP 2012:2003), London: British Standards Institution
The Independent Commission on Good Governance in Public Services (2004) The Good Governance Standard for Public Services, London: Office for Public Management Ltd and The Chartered Institute of Public Finance and Accountancy
International Corporate Governance Network (ICGN) (1999) ICGN Statement on Global Corporate Governance Principles, London: ICGN. See: http://www.icgn.org/documents/globalcorpgov.htm
Kelly, J M (2004) IMS: The Excellence Model (BIP 2010:2004), London: British Standards Institution
MORI (2003) Focus on the Future of Corporate Governance, London: MORI
Murray, R P (2003) IMS: Information Security (BIP 2008:2003), London: British Standards Institution
Nowacki, G (2003) IMS: Customer Satisfaction (BIP 2005:2003), London: British Standards Institution
Office for Public Management Ltd (OPM) (2007) Going Forward with Good Governance, London: OPM
Office of Government Commerce, Management of Risk. See: http://www.ogc.gov.uk/guidance_management_of_risk.asp
Organisation for Economic Co-operation and Development (OECD) (2004a) OECD Principles of Corporate Governance, Paris: OECD. See: http://www.oecd.org
Organisation for Economic Co-operation and Development (OECD) (2004b) Guidelines on Corporate Governance of State-owned Enterprises – Draft Text, Paris: OECD. See: http://www.oecd.org/dataoecd/46/51/34803211.pdf
Organisation for Economic Co-operation and Development (OECD) (2004c) Comments from Public Consultation on the Draft for Guidelines on Corporate Governance in State Owned Enterprises, Paris: OECD. See: http://www.oecd.org
PAS 99:2006, Specification of common management system requirements as a framework for integration, London: British Standards Institution
Robbins, M and Smith, D (2000) Managing Risk for Corporate Governance (PD 6668), London: British Standards Institution
SA8000:2001, Social Accountability, New York: Social Accountability International
Smith, D and Politowski, R (2007a) IMS: A Framework for integrated management systems. Background to PAS 99 and its application (BIP 2119:2007), London: British Standards Institution
Smith, D and Politowski, R (2007b) IMS: Implementing and operating using PAS 99 (BIP 2138:2007), London: British Standards Institution
Turnbull, N et al. (1999) Internal Control – Guidance for Directors on the Combined Code, http://www.icaew.com