Professional Documents
Culture Documents
Fundamentals of
Risk Management
ii
Sixth Edition
Fundamentals of
Risk Management
Understanding, evaluating and implementing
effective enterprise risk management
Publisher’s note
Every possible effort has been made to ensure that the information contained in this book is accurate
at the time of going to press, and the publishers and author cannot accept responsibility for any errors
or omissions, however caused. No responsibility for loss or damage occasioned to any person acting,
or refraining from action, as a result of the material in this publication can be accepted by the editor, the
publisher or the author.
First published in Great Britain and the United States in 2010 by Kogan Page Limited
Sixth edition 2022
Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted
under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or trans-
mitted, in any form or by any means, with the prior permission in writing of the publishers, or in the case of
reprographic reproduction in accordance with the terms and licences issued by the CLA. Enquiries concerning
reproduction outside these terms should be sent to the publishers at the undermentioned addresses:
2nd Floor, 45 Gee Street 122 W 27th St, 10th Floor 4737/23 Ansari Road
London New York, NY 10001 Daryaganj
EC1V 3RS USA New Delhi 110002
United Kingdom India
www.koganpage.com
© The Institute of Risk Management 2010, 2012, 2014, 2017, 2018, 2022
The right of The Institute of Risk Management to be identified as the author of this work has been asserted
by it in accordance with the Copyright, Designs and Patents Act 1988.
ISBNs
A CIP record for this book is available from the British Library.
2021949187
CONTENTS
Introduction 1
Risk management in context 1
Nature of risk 1
Risk management 2
Risk management terminology 3
Benefits of risk management 4
Features of risk management 5
Book structure 6
Risk management in practice 6
Future for risk management 7
Changes for the sixth edition 8
Learning outcomes 9
Further reading 10
Case studies 10
Attitudes to risk 27
Risk and triggers 28
Notes 30
Learning outcomes 79
Further reading 80
Case studies 80
LIST OF FIGURES
LIST OF TABLES
FOREWORD
Enterprise risk management in a digital age
Stephen Sidebottom
Chair, Institute of Risk Management
xxiv
ACKNOWLEDGEMENTS
The risk management profession and the expertise of risk professionals continues to
develop in line with the ever-increasing expectations placed on risk managers and
risk consultants. Many organizations have now appointed individuals with the job
title chief risk officer (CRO) which has increased the need for robust professional
qualifications and designations for risk management practitioners.
Given the ever-increasing complexity of the business environment, it is not sur-
prising that production of the sixth edition of Fundamentals of Risk Management
became necessary, three years after production of the fifth edition. The importance
and contribution of risk management continues to increase, and centres of risk man-
agement expertise and excellence continue to thrive in all business sectors, whether
private, public or third sector.
This edition is the first which Paul Hopkin has not authored directly. The text
remains largely based on Paul’s thoughts, ideas and expertise developed over the
course of his extensive career. In updating this book, it was clear that the fundamen-
tals he laid down back in 2010 remain. It has been my privilege to bring my own
experience of the lectures, seminars, special interest and other group meetings we
both attended over many years to bear. The process of enterprise risk management
will continue to be embedded in everyday activity: the UK government has produced
new guidance and financial regulation continues to advance in this direction.
This sixth edition remains closely aligned with the syllabus of the IRM qualifica-
tions in enterprise risk management. When undertaking this task, I have received
considerable help and support from colleagues at the Institute of Risk Management,
in particular my team of peer reviewers, particularly Kate Boothroyd and Doug
Smith, whose dedication was unwavering, but also Mark Turner, Simona Fionda,
Esme Pitasi, and Serrina Galleymore, all of whom volunteered their expertise to re-
view relevant sections and to make the text as up to date as possible. An editorial
role requires making choices as to interpretation, and at times I was unable to accept
every comment. As always, any mistakes remain my own.
Finally, I must acknowledge the unwavering support of, Laura, my partner of 40
years. In our early days together, her encouragement suggested more diligence in my
business studies would be appropriate, and the application she inspired has always
bolstered my career. I know students have everyday challenges to overcome in pursu-
Acknowledgements xxv
ing their studies and I hope this new edition helps them meet those challenges. I am
sure it will be worth the effort, and this book is testament to my patient wife’s
encouragement.
Developments in risk management will continue apace. Technology will have a
greater role to play in helping risk managers not only to control risk, but also to
exploit opportunities. The scope of risk management will expand as it contributes to
the modifications necessary to cope with climate change. In that respect, some of the
processes described in this text will age but, as it says in Paul’s original title, the fun-
damentals of risk management will remain. There are some exciting developments
ahead, and the future for the new entrants to risk management will be bright if they
equip themselves with these fundamentals.
Clive Thompson
xxvi
1
Introduction
Risk management in context
This book is intended for all who want a comprehensive introduction to the theory
and application of risk management. It sets out an integrated introduction to the
management of risk in public and private organizations. Studying this book will
provide insight into the world of risk management and may also help readers decide
whether risk management is a suitable career option for them.
Many readers will wish to use this book in order to gain a better understanding of
risk and risk management and thereby fulfil the primary responsibilities of their jobs
with an enhanced understanding of risk. This book is designed to deliver the syllabus of
the International Certificate in Risk Management qualification of the Institute of Risk
Management. However, it also acts as an introduction to the discipline of risk manage-
ment for those interested in the subject but not (yet) undertaking a course of study.
We all face risks in our everyday lives. Risks arise from personal activities and
include those associated with health, personal financial decisions and domestic and
relationship issues, but these are outside the scope of this discussion. This book is
primarily concerned with risks that arise through business, government or charity/
third sector activities. And it is concerned with risk in its widest guise, to embrace
opportunities that come with ‘taking a risk’.
Nature of risk
Recent events have brought risk into higher profile. The Covid-19 pandemic, ex-
treme weather events and geopolitical upheavals represent the extreme risks that
society and commerce face. These extreme risks exist in addition to the daily, some-
what more mundane, risks mentioned above.
Evaluating the range of risk responses available and deciding on the most appro-
priate one in each case is at the heart of risk management. Responding to risks
should produce benefits for us as individuals, as well as for the organizations where
we work and/or are employed.
Within our personal and domestic lives, many of the responses to risk are automatic.
Our ways of avoiding fire and road traffic accidents are based on well-established and
automatic responses. Fire and accident are the types of risks that can only have n
egative
outcomes, and they are often referred to as hazard risks.
2 Introduction
Keeping your car in good mechanical order will reduce the chances of a break-
down. However, even vehicles that are fully serviced and maintained do occasionally
break down. These types of risks that have a large degree of uncertainty associated
with them are often referred to as control risks.
We all need to comply with rules and regulations to bring order to society, and a
failure to comply can only be negative. For businesses, achieving compliance is often
mandatory but can be advantageous and represent an additional benefit in its busi-
ness, representing the ‘upside of risk’.
As well as hazard, control and compliance risks, there are risks that we take be-
cause we desire (and probably expect) a positive return. For example, you invest
money in anticipation that you will make a profit from the investment. Likewise,
placing a bet or gambling on the outcome of a sporting event is undertaken in an-
ticipation of receiving positive payback. People participate out of choice in motor
sports and other potentially dangerous leisure activities. In these circumstances, the
return may not be financial, but can be measured in terms of pride, self-esteem or
peer group respect. Undertaking activities involving risks of this type, where a posi-
tive return is expected, can be referred to as taking opportunity risks.
Risk management
Organizations face a very wide range of risks that can impact the outcome of their
operations. The desired overall aim may be stated as a mission or a set of corporate
objectives. The events that can impact an organization may inhibit what it is seeking
to achieve (hazard risks), enhance that aim (opportunity risks) or create uncertainty
about the outcomes (control risks).
Risk management needs to offer an integrated approach to the evaluation, control
and monitoring of these three types of risk. This book examines the key components
of risk management and how it can be applied. Examples are provided that demon-
strate the benefits of risk management to organizations in both the public and pri-
vate sectors. Risk management also has an important part to play in the success of
not-for-profit organizations such as charities and (for example) clubs and other
membership bodies.
The risk management process is well established, although it is presented in a num-
ber of different ways and often in differing terminologies. The different terminologies
that are used by different risk management practitioners and in different business sec-
tors are explored in this book. In addition to a description of the established risk man-
agement standards, a simplified description of risk management that sets out the key
stages in the risk management process is also presented to help with understanding.
The risk management process cannot take place in isolation. It needs to be sup-
ported by a framework within the organization. Once again, the risk management
Introduction 3
Safety Aspects: Guidelines for their inclusion in standards, and the definitions in
Guide 51 are not fully aligned with those in Guide 73.
To assist with the difficult area of terminology, Appendix B sets out the basic
terms and definitions that are used in risk management. It also provides cross-
reference between the different terms in use to describe the same concept. Where
appropriate and necessary, a table setting out a range of definitions for the same
concept is included within the relevant chapter of the book, and these tables are
cross-referenced in Appendix B.
Book structure
The book is presented in eight parts, together with two appendices. An introduction
to risk and risk management is provided in Part One. Part Two examines applying
these concepts across an enterprise as a whole. Parts Three and Four describe the
application of risk management in terms of risk assessment and risk response.
Analysis of the various risk control techniques is presented, together with examples
of options for the control of selected hazard risks. Part Four also considers the im-
portance of insurance and risk transfer, as well as business continuity planning.
The practical application of risk management is considered in Part Five. There is
also a consideration of reputation and the business model and the importance of the
risk management context. Part Six considers risk strategy and culture, and also re-
flects on the fact that the emergence of risk management as a profession has resulted
in more attention being paid to risk management competency frameworks and the
importance of people or soft skills.
Part Seven describes risk governance and the impact of risk on organizations. The
analysis of stakeholder expectations and the relationship between risk management
and a simple business model are considered. Finally, Part Eight considers risk assurance
and risk reporting. The role of the internal audit function, together with the importance
of corporate social responsibility and the options for reporting on risk management are
all considered. Appendix A is a full list of the main acronyms and abbreviations used
in the book. Appendix B provides a glossary of terms and cross-references the different
terminologies used by different risk management practitioners.
In order to bring the subject of risk management to life and provide context to the
ideas and concepts that are described, short illustrative examples are used through-
out the text. In addition to these general examples, real-life situations and examples
are also used, where a case study is helpful. Each part of the book commences with
case studies taken from the websites of high-profile organizations or from published
annual reports and accounts, to illustrate the main risk management topics covered
in that part. These examples have been taken from around the world and from dif-
ferent sectors.
Throughout the book, boxes are included within the text. These boxes either pro-
vide practical examples of the application of the theory being discussed, or they
provide opinions and commentary on real situations that have arisen.
also forced us to show resilience and accelerate the trend towards the use of
technology in everyday activity. The need for physical presence has lessened as more
activity has migrated online. Sectors like tourism and transport have suffered but
others, especially in the technology sector, have reaped rewards. Efficiencies have
been revealed in how we conduct business, be that commercial or otherwise, that
will be difficult to turn down in future.
However the world of work changes in future, it is undeniable that it will involve
greater use of technology and the creation and analysis of more and more data. This
trend towards data management will also help society as it shifts towards a carbon-
neutral and more sustainable system to counter the effects of climate change. Both of
these drivers will impact on the risks we face and the ways we manage risk. Both of
these drivers are considered throughout this book where it is felt they will have spe-
cific impact.
Achieving benefits from risk management requires carefully planned implementa-
tion of the risk management process in the organization, as well as the design and
successful embedding of a suitable and sufficient risk management framework. By
setting out an integrated approach to risk management, this book provides a descrip-
tion of the fundamental components of successful management of business/corporate
risks. It describes a wealth of risk management tools and techniques and provides
information on the successful delivery of an integrated and enterprise-wide approach
to risk management.
assess both and ensure competence. All of these point to risk management taking on
professional status. The future risk manager will have a firm grasp of the fundamen-
tals described in this book, but will also find that this remains a young profession
where there is scope for developing more and better ways to manage risk. They will
find there is room to develop the use of digital analysis to exploit opportunities
better and use risk management techniques to increase the chances of success.
PART ONE
Introduction to risk
management
LEARNING OUTCOMES
Having studied this section readers will be able to:
Further reading
Bernstein, P (1998) Against the Gods: The remarkable story of risk, Wiley,
Hoboken, NJ
Grenfell Tower Inquiry (2019) Phase 1 report, www.grenfelltowerinquiry.org.uk/
phase-1-report
Institute of Risk Management (2010) A Structured Approach to Enterprise Risk
Management (ERM) and the Requirements of ISO 31000, IRM, London
ISO (2009) ISO Guide 73:2009 Risk Management – Vocabulary, www.iso.org/
standard/44651.html
ISO (2018) International Standard ISO 31000:2018 Risk Management – Guidelines,
www.iso.org/standard/65694.html
Kloman, F (2009) A short history of risk management, Risk Journal, https://
riskjournal.blogspot.com/2009/02/short-history-of-risk-management.html
Pullan, P and Murray-Webster, R (2011) A Short Guide to Facilitating Risk Management,
Gower Publishing, Aldershot
CASE STUDIES
The reader can review the following examples to illustrate further the areas discussed in
Part One and throughout this book.
Ocado is a delivery only internet-based grocery company based in the UK which also
sells the intellectual property it has derived from its innovative software to other grocery
companies, predominantly outside the UK. The Group’s annual report and accounts
discuss risks, strategy, stakeholders, ethics and compliance, all of which form part of the
Introduction to risk management 11
discussion in this book. It provides a clear discussion of how their world of grocery retail
is changing with digital enhancements.
The outline of their risk management framework states:
They further clarify that ‘The Board is responsible for the review and approval of the risk
management framework and for the identification of Ocado’s key strategic and emerging
risks.’
They explain that their risk management process:
is designed to identify key risks and to provide assurance that these risks are understood
and managed in line with the agreed risk appetite. The risk appetite is reviewed by the
Board as part of its annual strategy review. The risk management process is aligned to
our strategy and each principal risk and uncertainty is considered in the context of how
it relates to the achievement of the Group’s strategic objectives.
●● technology;
●● emerging risk such as climate change and the impact of this on our business.
Edited extracts from: Ocado Group plc (2020) Reimagining Shopping: Annual Report and
Accounts for the 52 weeks ended 29 November 2020, www.ocadogroup.com/investors/
annual-report
Lenovo Group is a Chinese multinational company with global headquarters in Beijing and
operational headquarters in the USA. It is listed on the Hong Kong Stock Exchange, and has
63,000 employees. It delivers technology solutions and is worth studying in light of the fast-
moving applications it is developing and the environment in which it operates.
The following table is an edited extract of how they communicate through the annual
report to discuss the key risks that they consider to be of significance, with some illustrations
of the mitigation or controls that they apply.
12 Introduction to risk management
Table 1.1
Business risk
‘The Group may be impacted negatively if it They discuss investment in a ‘robust cyber
sustains cyber-attacks and other data security culture, enhanced security
security breaches that disrupt its operations controls, compliance with mandatory
or damage its reputation.’ privacy and security standards imposed by
law, regulation, industry standards, or
contractual obligations’.
Supply risk
They have identified that some ‘products may They utilize ‘cost and operational analysis to
be reliant on a few component suppliers and understand potential impacts. Ensure broad
the suppliers’ locations may be concentrated supplier sourcing and ensure adaptation
in one country or region within the country’. plans in place’.
Edited extracts from: Lenovo Group Limited (2020) Smarter Technology for All: Lenovo Group
Limited 2019/20 annual report, https://doc.irasia.com/listco/hk/lenovo/annual/2020/ar2020.pdf
The Cabinet Office is the central ministry that brings a unifying focus to UK government
activity. They say that ‘Risk management is an essential tool used to minimize levels of
uncertainty and to maximize the Department’s chances of successfully delivering its
objectives, helping to inform both operational decision making and strategic planning.’
The publicly available report outlines their ‘quarterly performance reporting routine,
[where] all business units are required to fill in a Leadership Team Risk Register. This then
feeds into a Strategic Risk Register.’
Introduction to risk management 13
The document states that ‘although significant improvements have been recognized
across a number of areas, there remains areas for improvement, including:
●● Putting in place arrangements for the management of risks with partners, including
suppliers, Arms Length Bodies or other Government Departments,
●● Increased clarity and governance around key charging models and income recovery,
●● Development of a comprehensive Cyber Security Governance structure that covers the
entire Cabinet Office’.
Edited extracts from: Cabinet Office (2020) Cabinet Office Annual Report and Account 2019–20,
www.gov.uk/government/collections/cabinet-office-annual-reports-and-accounts#annual-
report-and-accounts
14