Module 4: Risk Leadership: International Diploma in Risk Management

International Diploma in Risk Management
Module 4: Risk Leadership
Module Handbook
June 2012
Module Handbook: Risk Leadership
Module Four: Risk Leadership
Contents
1 The Diploma so far 3
2 Looking ahead 4
3 Module aims in summary 9
4 Module learning outcomes 9
5 Module syllabus 10
6 Module learning activities 11
7 Module learning materials 11

7.1 Reading materials 11
7.2 Important notes about reading materials and expectations 14
7.3 A note for students as they begin 15
8 Unit 1: Strategic management and risk leadership in overview 16

8.1 Unit 1 Reading 16
8.2 Unit 1 Self-assessment 17
9 Unit 2: The strategic management process 18

10 Unit 3: Understanding the strategic environment 19

11 Unit 4: Corporate governance 21

12 Unit 5: Strategic control systems 23

13 Unit 6: Strategic flexibility and responsiveness 25

14 Unit 7: Strategic risk management 27

15 Unit 8: Strategic risk management returns 29


© IRM Sept 2011 1
16 Unit 9: Strategic management challenges 31

17 Unit 10: Risk leadership and ethics 33

18 Appendix 34
Self-assessment answers, comments and suggestions 34

© IRM Sept 2011 2
1 The Diploma so far

Mastery of the material covered in Modules One, Two and Three places students in a strong
position to succeed in Module Four. Students should be sure they have either successfully
completed the Module One, Two and Three examinations or, if studying more than one module
at a time, have completed the work on Modules One, Two and Three before moving on to
Module Four.
Modules One through Five are intentionally designed to be studied in sequence, and
approaching the modules out of sequence can create many difficulties.
Module Four moves students to the second focus area of the Diploma – the development of
“managerial skilfulness” in the service of risk management. As mentioned elsewhere, Modules
One through Three serve mainly to support one of the three central goals of the Diploma
programme: that is, to enable students to advance some way toward becoming “risk experts”.
Risk expertise is a concept based upon the conviction that risk management mainly enhances
the quality of management practices by providing a distinct understanding of the impact of risk
on organisations and by enhancing a manager’s ability to think critically about the interplay of
organisational goals and risks and the widely varying influences of risk and uncertainty on the
attainment of those goals and purposes.
In successfully completing Modules one through to three, students should be able to confidently
demonstrate the following:
Knowledge of how organisations become exposed to risk and how this exposure provides
insights into managerial responses.
Understanding of the methods necessary to develop an overarching framework for

organising, sorting, ranking and evaluating risks.
Comprehension of the various perspectives of risk that dwell within organisations and
particularly how professional cultures (finance, the law, engineering) can combine with
national and corporate cultures to influence how organisations and managers look at risk.
Ability to use the proper language necessary to discuss the technical aspects of risk within
specific areas of an organisation.
Competence in the specific managerial challenge of “integrating and coordinating” risk

across an organisation and – specifically – insight into the challenge of leading organisations
toward cross-functional responses to key risks.
Awareness of the distinct and unique nature of an individual organisation’s risk profile and
providing insights into the challenges that arise in developing a risk management response
that is specific and relevant to each organisation.
Capabilities to compare and contrast methods used to generate risk information and risk
knowledge.
Knowledge of how to examine the basis on which decision maker characteristics may impact
risk decision making within the organisation.

© IRM Sept 2011 3
Ability to explain the role of technology in support of the risk information and knowledge
creation process, and a capability to understand how technology may support risk problem
solving and the risk decision making process.
Methods for identifying and understanding the different steps in the problem solving process
and to evaluate the role of risk information and risk knowledge in support of corporate risk
decisions.
Ability to demonstrate an understanding of concepts related to problem solving and decision

making and to distinguish the main business risk decisions made in contemporary
organisations, as well as knowledge of the challenges of employing risk information in formal
and informal managerial decision making settings.
At this point in the Diploma programme, students should have a high level of confidence that
they can communicate widely and knowledgeably about the nature of risks in organisations,
methods for analysing and studying risks, and the overall purposes and benefits of risk
management in organisational settings. While attainment of the status of an “expert” must be a
long-term goal, students should believe that they are certainly well down the road in developing
a sophisticated understanding of risk and its impact on organisations.
2 Looking ahead
By design, the Diploma thus far has not required students spend much time immersed in the
challenges of effectively managing risks. Indeed, some students may have a feeling that they
can talk extensively about the merits and value of risk management and yet not feel that they
have much of a sense how risk management actually looks in practice and what constitutes
effective risk management within organisations. Those issues are the matters to which the
Diploma now turns.
Module Four: Risk Leadership, provides insights into the issues important to organisational
leaders or to individuals who have a leadership role in advancing risk management practices. As
such, students will be exposed to a range of subjects intended to help them understand the
necessary aspects of organisational leadership relevant to the successful promotion and
integration of risk management into an organisation. In the service of that goal, a number of
topics are introduced and explored, including the following:
Treatment of the topic of managerial leadership – its attributes and component features, with
specific reference to leadership in a risk management setting.
The elements of the formal strategic management process and alternative perspectives on
corporate strategy formation.
The formal role of strategic controls and its relationship to the mission statement and
corporate governance issues, and the ultimate relationship with risk management.
The foundations for corporate governance and the range of current external expectations
and requirements for risk management practice.
The standards of risk management practice that influence modern thinking about the role
and nature of effective risk management.
The relationship of risk management to corporate social responsibility and modern business
ethics.
© IRM Sept 2011 4
The characteristics of organisational agility and strategic responsiveness, and the different
rationales for potential risk management benefits and associated risk-return relationships.
The dual needs for specialised risk management expertise and integrative strategic planning
approaches.
How different risk management capabilities can be incorporated into the complex strategy
making process.
Students who successfully complete Module Four will have a firm grasp of the goals and
purposes of risk management. They will understand the philosophical basis for risk management
and the interlocking relationship that exists between strategic management and risk
management, and they will have an understanding of the moral and ethical dimensions of risk
management and the legal and business requirements for risk management.
With respect to the last point, one of the most significant developments in risk management
since the mid-1990s is the emergence of what might be called the “environment of external
expectations” – a subject that has been discussed in each of the preceding modules.
In a largely independent fashion, a range of market and industry standards, best practice
guidance, audit rules, legal decisions and legislative actions have appeared around the world.
While the emergence of these various actions largely is due to independent factors, the
consequences are interconnected. The ultimate result is an environment in which:
1. Organisations are expected to practise risk management

2. They are expected to have risk management that is holistic and organisation-wide in nature,
and
3. There are tangible consequences for a failure to practise risk management in such a
manner.
Successful students will complete Module Four with a clear sense of “why” risk
management must be practised in organisations today, and with a firm idea of the technical
requirements for doing so. However, the specific activities that constitute effective risk
management and the administration of an effective risk management programme are not directly
addressed. Those subjects are the central focus of Module Five. In this module we will see how
important exposures may derive from strategic risk factors and consider how these influences
may be dealt with in effective strategic risk management processes.
Many organisations are faced with dynamic changes in highly competitive global market
environments and increasingly complex industrial contexts. This is equally true in the public
sector. Under these circumstances, it seems obvious that senior executives would consider how
the corporation can be positioned, structured and organised to avoid major downside losses
while taking advantage of new opportunities.
This is the crux of the risk management challenge addressed in Module Four. We observe that
some companies are unable to adapt in ways that meet the changing environmental
requirements while others excel from timely innovations. We see an exponential increase in
natural catastrophes and man-made disasters that are hard to forecast. The emergence of
enterprises with trans-national corporate structures increases international interdependence
where, for example, an earthquake in Taiwan can destroy communication lines, hamper the
transfer of information and thereby disrupt intertwined global sourcing systems.

© IRM Sept 2011 5
Human interferences in the form of incompetence, negligence, accidental error, fraud, wilful
harm, etc, can have severe adverse effects on corporate performance. Similarly, political crises
in one country can jeopardise the economic viability and stability of the most superbly
engineered supply chain.
Constructing efficient production platforms in tightly integrated systems may increase the
potential for operational disruptions. Hyper-competitive conditions characterised by ongoing
innovation, technology leaps and disruptive product developments augment the range of risks
that impact contemporary organisations and challenge their ability to deal with such hard-to-
quantify/hard-to-foresee exposures.
One might expect the story to be somewhat different in the public sector and, of course, details
do vary. However, the dynamism of the private sector does have an analogue in the public
sector. Privatisation, outsourcing, the expansion of EU membership, the rise of multilateral
organisations and NGOs, and restructuring of local government services – all these issues have
led to increasing pressure on public executives to understand better the forces at work on
governmental entities and on society at large.
So the central question for consideration is this: how should organisations deal with this diversity
of risks in the best way possible to improve organisational performance?
Some of the better defined and measurable market-based exposures are addressed by financial
risk management techniques that include considerations of longer-term economic exposures.
The exposures to insurable risks have for a long time been dealt with through engagement in
insurance policies, reinsurance contracts, self-insurance schemes, tax effective captives, etc.
There has also been an increasing emphasis on internal processing risks to avoid operational
disruptions and incidents of internal fraud and misreporting.
Process improvement programmes abound, including total quality management (TQM), process
reengineering, “lean organisations” emphasising resource efficiencies and operating agility,
alignment through balanced scorecards, process certifications (such as ISO), etc.
Many of these approaches attempt to reduce the likelihood that adverse events will arise within
the organisation and improve economic efficiencies.

© IRM Sept 2011 6
While these developments have been occurring within organisations, we must also note the
presence of external forces and influences. Notably, over the past decade public policies have
responded to various corporate scandals around the world by imposing new regulatory
requirements to reduce the risk of executive wrongdoing, for example, the US Sarbanes-Oxley
Act, the UK’s Turnbull recommendations on corporate governance, etc.
Every developed country – more or less – has adopted its own take on these so-called corporate
governance issues, but do the imposed requirements get to the heart of the risk issues? Are the
regulatory frameworks becoming costly bureaucratic feel-good exercises to help build the
necessary documentation to keep executives and board members free of blame or do they truly
enhance corporate risk responsiveness?
While the corporate governance rule sets may serve to enforce awareness about corporate risks
and dealing with them more proactively, many executives seem burdened by the weight of
formalised requirements. From a regulatory perspective, the advantages of rules and
enforcement should be counted against the associated administrative and economic costs they
impose. Is it possible that an increased focus on bureaucratic processes and stringent controls
will limit our vision of what constitutes the most important risks in the firm?
If the most influential risk factors are increasingly unforeseeable, then stringent control systems
could become a straightjacket that could limit corporate manoeuvrability and responsiveness to
new environmental challenges.
These questions constitute central focal points in Module Four as it encourages the student to
think about current risk management challenges. The module will address these issues by
assessing how the corporate strategy process can alleviate some of the risk management
demands arising from contemporary competitive conditions in highly complex and dynamic
global business environments.
The module will relate formal strategic management, including mission statements, corporate
values, ethics and business policies, to risk management and corporate governance practices.
Consideration is given to what extent formal controls allow retention of ingenuity and initiative
within the corporate structure to ensure responsiveness to unexpected events. In this
exploratory context, questions abound and concrete answers are in short supply. In other words,
this module should represent an individual process of examination with the purpose of building
increased insights and further critical thinking necessary to improve current practices.
Underlying this investigation is the matter of “risk leadership”. As with the concept of “risk
expertise”, IRM does not expect students to be actual experts by the end of the programme any
more than it expects a student to emerge from the programme as a full-blown leader.
Nevertheless, both leadership and expertise are developmental aspirations, and the Diploma is
expressly designed to move students well down the road toward meeting both goals.
However, before beginning, a few further words about risk leadership – a term which has
sometimes been given a very narrow meaning.

© IRM Sept 2011 7
Within the Diploma, the term is employed to emphasise two key aspects of modern risk
management practices. First, present-day risk management practices reveal a kind of dual
nature. Risk management is both an aspect of general management (considering and
addressing risk and uncertainty as part of every managerial decision) and a technical field of
specialisation (risk management specialists performing the intricacies of, say, measuring and
managing an organisation’s credit risk exposure).
In this sense, all managers – whether technical specialists or not – find themselves in situations
where they have to make decisions and take actions in direct response to the risks they
encounter. Often, these decisions and actions occur in settings that do not fit into historical
models of risk management practice, and thus the broader term “risk leadership” permits us to
consider the full range of situations in which managers of all grades are managing risks within
the scope of their responsibilities.
Second, risk leadership highlights one of the most critical issues emerging within modern risk
management, and that is the relationship between risk management, corporate governance and
strategic management. The range of new requirements and external expectations places a great
deal of pressure on executives, directors and top managers to integrate risk management
adequately into their overall roles.
This has created a number of challenges for organisations. What are the characteristics of risks
that should capture the concern of organisational leaders? How do leaders come to develop a
reasonably comprehensive view of their organisations’ key risks? How do leaders effectively
advance risk management practices in their organisations? How do leaders provide risk
leadership?
A quest to understand risk leadership in both contexts weaves in and out of Module Four.
A final – but important – thing must be mentioned. One of the newer subjects to enter the larger
discussion of modern risk management is the inquiry into our understanding of ethics in
organisational settings and its influence on risk management. It is astonishing that literature on
risk management has been largely silent with respect to this issue, especially when one reflects
on how the major risk issues of the day (AIDS, terrorism, immigration, child labour, privacy, fair
trade) are weighted with moral implications. Risk leadership presumes that a leader can
articulate the ethical basis on which risk management decisions are taken and understand the
moral or ethical consequences of those decisions.
IRM wishes all students every success with Module Four.

© IRM Sept 2011 8
3 Module aims in summary

The overarching aim of this module is
To provide a thorough understanding of the complex strategy making process and the
relationships between corporate governance, management practice, moral / ethical
considerations and the risk management outcomes.
This will be accomplished by exposing the student to an organised series of readings that deal
with different aspects of the strategic management process and placing this in the context of
prevailing corporate governance frameworks and values-based management practices.
We will study the formal risk management requirements as expressed by various rules-based
and principles-based corporate governance frameworks and contrast them with alternative ways
of construing strategy formation in organisations. In particular, we want to consider the potential
interaction between formal, planned and controlled processes with responsive initiatives where
strategy emerges when opportunities and threats are dealt with on an ad hoc basis as and when
they arise.
We will consider different explanations for potential benefits from effective risk management
practices and relate these to alternative strategy making processes that eventually may
constitute more effective integrative risk management practices. We will study experiences and
lessons learned from high reliability organisations and thereby integrate different strategic,
organisational, and cultural characteristics into the analyses of risk management effectiveness.
4 Module learning outcomes

The course readings assigned for each of the 10 study sessions are diverse and cover different
aspects of strategy creation, corporate governance, management information systems and
controls, responsive organisational structures, behaviours, ethics and cultures. After completing
the module by reading the material and considering the associated study questions, the student
should be able to:
1. Outline the elements of the formal strategic management process and alternative
perspectives on corporate strategy formation.
2. Discuss the interacting roles of planning, management control and emerging opportunities in
creating adaptive strategic responses.
3. Describe the formal role of strategic control and its relationship to the mission statement and
corporate governance issues.
4. Assess dominant regulatory initiatives on corporate governance in the context of values-

based management approaches.
5. Explain different rationales for potential economic benefits from risk management and the
resulting risk-return relationships.
6. Discuss the characteristics of organisational agility and strategic responsiveness and outline
the potential risk-return effects.

© IRM Sept 2011 9
7. Discuss the dual needs for specialised risk management expertise and integrative strategic
planning approaches.
8. Discuss how different risk management capabilities can be incorporated into the complex
strategy making process.
9. Discuss in some detail the ethical bases or frameworks for risk management practices.
Student note
The module learning outcomes listed in each study guide should be seriously considered and
reviewed. The list goes a long way toward informing students what they are supposed to learn
and, importantly, what the basis of evaluation and examination will be.
5 Module syllabus
Unit 1: Overview of Strategic Management and Risk Management
Module Four begins with an introduction of the subject, looking at the strategic nature of
corporate risk management and the link between strategy and risk.
Unit 2: The Strategic Management Process

A review of the formal strategic management process comprising: mission statement, external
and internal analysis, strategy formulation and implementation, and strategic control.
Unit 3: Understanding the Strategic Environment

A review of analytical approaches to deal with and assess the potential effects of identified
environmental uncertainties.
Unit 4: Corporate Governance.

A review of the different approaches to Corporate Governance and the link between governance
and risk management.
Unit 5: Strategic Control Systems

A review of the strategic control processes that support the implementation of organisational
strategy
Unit 6: Strategic Flexibility and Responsiveness

A review of strategic flexibility and responsiveness examining real options perspectives and the
structures within organisations in strategic decision making processes.
Unit 7: Strategic Risk Management

An examination of various risk management frameworks and the rise of Enterprise Risk
Management within organisations.
Unit 8: Strategic Risk Management Returns

A review of various risk management rationales and the risk-return relationship.

© IRM Sept 2011 10
Unit 9: Strategic Management Challenges

A review of the challenges associated with integrating risk management and strategic
management.
Unit 10: Risk Leadership and Ethics

A review of the challenges ethics presents in the dimensions of strategy, governance and risk
management.
6 Module learning activities

The student will learn through private study of assigned articles and book chapters organised
around 10 study sessions. After studying the related readings, the student will reflect over the
contents supported by consideration of open-ended study questions attached to each of the
session guides.
To some extent, this process can serve for self-testing purposes even though there are few
clearly right and wrong answers where a yes/no response will suffice. It is important to keep in
mind that this module does not provide simple model answers and it makes little sense to
develop questions that require simple responses. The entire module is meant to encourage
thinking about effective risk management processes and stimulate individual development.
7 Module learning materials

7.1 Reading materials
Unit 1: Strategic management and risk management in overview
Andersen, T J, and PW SchrØder, (2010) “The Strategic Nature of Risk Management” Chapter 1
in Strategic Risk Management Practice: How to Deal Effectively with Major Corporate
Exposures, Cambridge University Press. pp 1-32.
Ernst & Young, (2010) “Risk appetite - The strategic balancing act”, EYGM Limited, pp 1-12
European Institute of Risk Management, (2009) “Risk Leadership, Searching for Core
Competencies”
National Association of Corporate Directors, (2009) “Understanding the Critical Link between
Strategy and Risk” Chapter 2 in Risk Governance: Balancing Risk and Reward, NACD. pp 6-7
Slywotzky, A J, and Drzik, J, (2005) “Countering the Biggest Risk of All”, Harvard Business
Review, 82, pp 78-88

© IRM Sept 2011 11
Unit 2: The strategic management process
Hill, C W L, and Jones, G R, (2001) “Stakeholders and the Corporate Mission”,

Chapter 2 in Strategic Management Theory 5th Edition, Houghton Mifflin, New York,
pp 41-70
Hitt, M A, Ireland, R D, and Hoskisson, R E, (2001) “Strategic Management and Strategic

Competitiveness”, Chapter 1 in Strategic Management:
Competitiveness and Globalization 4th Edition, South-Western College Publishing,
Cincinnati, Ohio, pp 2-38
Unit 3: Understanding the strategic environment
Andersen, T J, and PW SchrØder, (2010) “Strategic Risk Analyses” Chapter 7 in Strategic Risk
Management Practice: How to Deal Effectively with Major Corporate Exposures, Cambridge
University Press. pp 146-177.
Johnson, G, Scholes, K, and Whittington, R, (2005) “The Environment”, Chapter 2 in Exploring

Corporate Strategy, Pearson Education, pp 64-87
McGee, J, Thomas, H, and Wilson, D, (2005) “Risk, Uncertainty and Strategy”,

Chapter 14 in Strategy Analysis & Practice, McGraw-Hill, pp 529-552
OECD Principles of Corporate Governance

http://www.oecd.org/document/49/0,2340,en_2649_34813_31530865_1_1_1_1,00.html
Unit 4: Corporate governance.
Anderson, C, (1997) “Values-Based Management”, Academy of Management

Executive, 11(4), pp 25-46
FERMA / ECIIA, (2010) “Guidance on the 8th EU Company Law Directive

Article 41”
Guide to Sarbanes-Oxley http://soxlaw.com/index.htm
The June 2010 UK Corporate Governance Code http://www.frc.org.uk/
Turnbull Guidance http://www.frc.org.uk/corporate/internalcontrol.cfm
Unit 5: Strategic control systems
Kaplan, R S, and Norton, D P, (1996) “Using Balanced Scorecard as a Strategic

Management System”, Harvard Business Review, 74 (1), pp 75-85
Simons, R, (2000) “Managing Strategic Risk”, Chapter 13 in Performance

Measurement & Control Systems for Implementing Strategy, Prentice-Hall, pp
275-300
Simons, R, (1990) “The Role of Management Control Systems in Creating

Competitive Advantage: New Perspectives”, Accounting, Organisations and
Society, 15, pp 127-143

© IRM Sept 2011 12
Woods, M, (2008) “Linking risk management to strategic controls: a case study of Tesco plc”
International Journal of Risk Assessment & Management, Vol.7 (8), 2008.
Unit 6: Strategic flexibility and responsiveness
Andersen, T J, (2006) “Strategic Exposures and Real Options”, Chapter 10 in

Global Derivatives: A Strategic Risk Management Perspective, Pearson
Education, pp 357-396
Andersen, T J, (2006) “Managing Strategic Risk”, Chapter 11 in Global

Derivatives: A Strategic Risk Management Perspective, Pearson Education, pp
397-427
Andersen, T J, (Editor) (2006) “Options Reasoning and Strategic Responsiveness: Discussion

and Empirical Assessment”, Chapter 10 in Perspectives on Strategic Risk Management, CBS
Press, pp 179-205
Lindgren, M and Bandhold, H (2003) “Why Is Scenario Planning Needed? Some Reasons from
the Field of Strategy Research” Chapter 1 in Scenario Planning
The link between future and strategy, Palgrave MacMillan, pp 4-20
Shimizu, K and Hitt, MA (2004) “Strategic flexibility: Organizational preparedness to reverse

ineffective strategic decisions”, Academy of Management Executive, 2004, Vol. 18, No. 4
Unit 7: Strategic risk management
Andersen, T J, (Editor) (2006) “An Integrative Framework for Multinational Risk Management”,
Chapter 7 in Perspectives on Strategic Risk Management, CBS Press, pp 131-146
Andersen, T J, (Editor) (2006) “Contemporary Enterprise-Wide Risk Management Frameworks:

A Comparative Analysis in a Strategic Perspective”, Chapter 6 in Perspectives on Strategic Risk
Management, CBS Press, pp 107-129
Andersen, T J, and PW SchrØder, (2010) “Strategic Risk Management – Amendments to the

ERM Framework” Chapter 8 in Strategic Risk Management Practice: How to Deal Effectively
with Major Corporate Exposures, Cambridge University Press. pp 146-177.
Bettis, R A, and Hitt, M A, (1995) “The New Competitive Landscape”, Special

Issue: “Technological Transformation and the New Competitive Landscape”,
Strategic Management Journal, 16, pp 7-19

© IRM Sept 2011 13
Unit 8: Strategic risk management returns
Andersen, T J, (Editor) (2006) “The Risk-Return Effects of

Strategic Responsiveness: A Simulation Analysis”, Chapter 3 in Perspectives on Strategic Risk
Management, CBS Press, pp 47-64
Andersen, T. J. (2008). The Performance Relationship of Effective Risk Management: Exploring

the Firm-Specific Investment Rationale, Long Range Planning, 41: 155-176
Froot, K A, Scharfstein, D S, and Stein, J C, (1994) “A Framework for Risk

Management”, Harvard Business Review, 72 (6), pp 91-102
Unit 9: Strategic management challenges
Husted, B. W. (2005). Risk Management, Real Options and Corporate Social Responsibility,
Journal of Business Ethics, 60: 175-183
Kytle, B. & Rugie, J. G. (2005). Corporate Social Responsibility as Risk Management: A Model
for Multinationals, Working Paper, Harvard University, John F Kennedy School of Government
Marsh (2011) “Excellence in Risk Management VIII - Greater Expectations, Greater

Opportunities”, Marsh, RIMS
Roberto, M A, Bohmer, R M J, and Edmondson, A C, (2006) “Facing

Ambiguous Threats”, Harvard Business Review, 84 (11), pp 106-113
Weick, K E, and Sutcliffe, K M, (2001) “What Business can learn from High
Reliability Organisations”, Chapter 1 in Managing the Unexpected, Jossey-Bass, pp 1-23
Unit 10: Risk leadership and ethics
Goodpaster, K, and Matthews, J, (1982) “Can a Corporation Have a Conscience?”, Harvard

Business Review, 60 (19), pp 132-141
Young, P C, (2004) “Ethics and Risk Management: Building a Framework”,

International Journal of Risk Management, vol 6, no 3, August, pp 23-34
7.2 An important note about reading materials and reading expectations
“What am I required to read?” This is a question commonly asked by Diploma students, and it is
important that they understand IRM’s position on this matter.
Students will immediately notice that the study guides list only “required reading” and do not
include “recommended reading” lists. The intention is self-evident: the readings that are listed
must be read. Failure to do so virtually guarantees that a student will not have a successful
result.

© IRM Sept 2011 14
However, IRM does expect students to read and study beyond the required reading list. As the
Diploma represents a higher order learning experience, it is appropriate that students should
undertake some self-directed learning. How does IRM enforce its expectation? The structure of
the examinations and the marking scheme includes recognition of additional reading and
research. In other words, part of the mark a student obtains will be based upon evidence that the
student has gone beyond the required readings and has brought other perspectives and material
into his/her exam responses. It is difficult to imagine that a student could receive the highest
marks without including evidence of additional study.
7.3 A note for students as they begin
Students learned at the start of the Diploma that several subject specific and educational
outcome objectives are woven throughout the programme. Since a student beginning Module
Four has travelled some distance from the outset, the matter of Diploma objectives is worth a
brief reminder.
Broadly speaking, Modules One, Two and Three focus on the development of risk knowledge,
all in the service of moving students toward the goal of risk expertise.
Module Four, while building on the preceding subject matter, shifts the focus toward the
development of managerial skilfulness. In doing so, students will see some clear changes in the
substance and nature of the module.
Notably, the subject of risk leadership draws upon a wide range of management fields and thus
the individual readings are:
a) Slightly more numerous, and

b) Come from many different subject areas.
Simply put, this must happen as issues of managerial skilfulness require risk managers to be
conversant with a wide range of management perspectives.
From the perspective of educational goals and objectives, there is, however, an equally
important purpose to the changes. Students should recognise that there is an intended “learning
curve” to the overall structure of the Diploma. So implicit in the design of Module Four is the
assumption that students are carrying forward knowledge from the previous modules (that is, the
learning is cumulative) and that there should be a corresponding elevation of the challenge. The
reading material should be more diverse and should require more effort to digest.
IRM has taken care to assure that the increased challenge is not unnecessarily dramatic and
should not be disorienting to students – but the change will be noticeable.
Module Five continues the move upwards, though in a different manner. In Module Five the
increased effort is directed toward practical problem solving, as compared to the challenge of
absorbing new material as in Module Four.
IRM is confident that students who have successfully navigated the first three modules will have
no difficulty in meeting the different challenges in the remaining two core modules.

© IRM Sept 2011 15
8 Unit 1: Strategic management and risk leadership in

overview
Module Four begins with an introductory tour of the subject, looking at the strategic nature of
corporate risk management and the link between strategy and risk.
Students are reminded of the dual nature of risk management at a strategic level, that is that
managing risks is not just about the protection of physical and financial assets to avoid downside
loss events, which is of course important, but, perhaps more so, is the use of risk management
to exploit upside business potential of strategic decisions.
Students should also reflect on how a company’s strategy is essentially a balance of the
opportunities and expected rewards against related risks and are introduced to the concept of
risk appetite and why a discussion of risk appetite should form part of the strategic management
review.
All of this, of course, should enable students to begin to see the possible fundamentals of “risk
leadership”, but only in rough form. Risk leadership will ultimately require an individual to
understand risk (as covered in the first three Diploma modules) and to be able to use that
knowledge to inform the development of strategic purposes within an organisation – and
ultimately to be able to engage an organisation in active pursuit of those strategic purposes. IRM
refers to these last two activities (that is, setting strategy and executing that strategy) as
demonstrations of managerial skilfulness. Thus, Unit One begins the student’s journey down the
pathway towards the development of appropriate managerial knowledge and capability.
8.1 Unit 1 Reading
Students begin with a brief introduction to the concept of risk leadership and risk governance
(European Institute for Risk Management)
Students will then be introduced to the diverse nature of the corporate risk landscape and
different approaches to risk management that may enable organisations to respond more
effectively to the challenges they face (Andersen and SchrØder)
Students should look into the link between strategy and risk and the role that board members
and senior directors play (Blue Ribbon Commission).
Students should also consider whether fundamental, “strategic” exposures have any
importance in risk management (Slywotzky and Drzik).
Finally the concept of risk appetite and its relevance to the strategic risk management
process is introduced (Ernst and Young)

© IRM Sept 2011 16
8.2 Unit 1 Self-Assessment
Students will be ready to move to Unit Two when they can confidently answer the following
study questions.
1. What is the role of the “board” in strategic risk management?
2. Explain the link between strategy and risk.
3. Explain the importance of risk appetite in relation to strategic goals.

© IRM Sept 2011 17
9 Unit 2: The strategic management process

In Unit one students have been introduced to the strategic nature of corporate risk management
in Unit two students will be examine formal strategic management processes and how they are
used for developing and enacting plans to reach long-term organisational goals.
Students will consider how an organization's mission, vision and objectives are used to support
the achievement of these goals. Students will find it extremely useful to reflect on strategic
management both in the context of organisational leaders and their overall role in setting
strategy and managing the organisation toward success, and in the context of individual
managers, particularly risk specialists, and their challenges in setting goals and strategies for
more focused risk management activities.
9.1 Unit 2 Reading
Students are required to familiarise themselves with the formal strategic management
process comprising development of mission statement, conducting external industry analysis
and internal company analysis, formulating strategy, devising an implementation plan and
controlling strategic developments (Hitt, Ireland and Hoskisson).
Students should look into the basic components of the mission statement, including strategic
intent and long-term aspirations as well as core values and behavioural guidelines (Hill and
Jones).
9.2 Unit 2 Self-assessment
Students will be ready to move to Unit Three when they can confidently answer the following
study questions.
1. What are the different elements of the mission statement?
2. How could value statements be useful to the organisation?
3. What is the rationale behind macro environment, industry and competitor analyses?
4. What is the rationale behind the internal company analysis?
5. How does corporate governance fit into the picture – that is, how does it affect/influence the
mission statement?
6. How does the firm reconcile the external and internal analyses?
7. Why is it important to monitor performance against plans?

© IRM Sept 2011 18
10 Unit 3: Understanding the strategic environment

In Unit 2, students will have developed some appreciation of the need to understand an
organisation’s environment as one of the important bases for ultimately setting strategy.
“Environment” is a term broadly employed here to refer to factors as divergent as the physical,
economic, the competitive industry-specific and political environments.
One of the key challenges for managers is the integration of environmental information in an
effort to make sense of the great complexities that swirl around and within organisations. How
do we come to appreciate our organisation’s opportunities, threats, sources of risk and
uncertainties? In light of such information, how do we decide which issues are important? Also,
given an understanding of our organisation’s critical environmental issues, can we begin to think
in rough terms about what is the appropriate response?
Unit 3 also begins an introduction to the critical issue of corporate governance. What is meant by
that term, and what is its relationship to strategy setting? It will be helpful for students to
appreciate that those corporate governance expectations and requirements are not merely
aspects of organisational leadership. The rising tide of corporate governance rules and
requirements around the world today are:
1. A new source of risk for organisations, and

2. Increasingly frequently a responsibility area for risk managers and those with risk
responsibilities.
Thus, it will be important for students to approach this unit with the understanding that the
introduction to corporate governance not only fulfils the purpose of the unit (to give students an
appreciation of the overall environment), but also signals to students that governance
requirements and criteria are extremely influential in setting risk management expectations.
10.1 Unit 3 Reading
Consider the various elements that can go into a thorough analysis of the external conditions
that circumscribe corporate activities (Johnson, Scholes and Whittington).
Given this understanding of the complex environmental context, consider various

approaches developed to deal with and assess the potential effects of identified
environmental uncertainties (McGee, Thomas and Wilson).
Then consider how the different strategic management tools can be complemented by tools
from the risk management field and applied to perform extended analysis of the corporate
environment (Andersen and SchrØder)
Finally, familiarise yourself with the OECD principles of corporate governance as they relate to
various institutional conditions and governance frameworks for sustainable economic
development (Read the OECD online report).

© IRM Sept 2011 19
Students will be ready to move to Unit Four when they can confidently answer the following
study questions.
1. How does environmental analysis relate to risk analysis?
2. How can we incorporate environmental analysis into the risk management process?
3. How can we deal with environmental risks that display high uncertainties?
4. What are the major corporate governance concerns?
5. What are the risk management implications of this?
6. How does good corporate governance enhance the ability to respond to environmental
changes?
7. Are the corporate governance and strategic management perspectives consistent?

© IRM Sept 2011 20
11 Unit 4: Corporate governance

Students will have been introduced to the subject of corporate governance in Unit 3 (and indeed,
it has made featured appearances in Modules One, Two and Three), but the goal there was
mainly to provide a basic foundation of understanding. Unit 4 gives a more textured examination
of the subject and offers students an opportunity to appreciate some of the philosophical
concerns that underlie approaches to corporate governance.
First, students are asked to consider the interplay between general corporate governance
frames and concepts and the actual mission and value statements that organisations develop to
translate governance expectations into practice. At the end of the day, organisations have to
customise general governance requirements/expectations to meet their specific culture, needs
and purposes. The actions by which this translation occurs are reflected in the efforts to
establish broad policy positions: statements of strategic intent, mission statements, value
statements and statements of specific policies, such as risk management policy.
Second, owing to the complex relationship of corporate governance to risk management

(corporate governance is not just an environmental factor, but serves to influence and frame risk
management), students will explore representative documents that influence modern risk
management practices. As they will come to learn, almost all developed nations have a
standard, policy, legal requirement or other such document that sets general terms and
conditions of corporate governance and – notably – of risk management.
Students who successfully complete the Diploma programme are expected to be generally
conversant on this subject and have a broad knowledge of the current relevant standards.
11.1 Unit 4 reading
Students should extend their focus on the corporate mission and value statements as
guiding principles for corporate managerial actions (C Anderson, 1997).
Students should be able to contrast the values-based perspectives on strategic management

with the basic focus of the Turnbull guidelines and the fundamental guidelines expressed in
the Sarbanes-Oxley legislation (C Anderson, 1997, and Turnbull and Sarbanes-Oxley
documents).
Students [from outside the UK and US] should also compare the Turnbull and Sarbanes-
Oxley guidelines to comparable corporate governance and risk management frameworks
that may be relevant in their own country. Most developed nations have guidance either
influenced by or similar to Turnbull and Sarbanes-Oxley.
Finally, students should consider as part of corporate governance the role that company
directors play in ensuring the effectiveness of risk management and internal controls.
(Guidance on the 8th EU Company Law Directive)
Students should be aware that the Turnbull Guidance 2005 that forms part of the core reading
relates to the 2004 UK Corporate Governance Code. The Financial Reporting Council issued an
updated version of the UK Corporate Governance Code in June 2010. The Turnbull Guidance
has not yet been updated to reflect the new code.
The June 2010 UK Corporate Governance Code can be obtained from: http://www.frc.org.uk

© IRM Sept 2011 21
Students will be ready to move to Unit Five when they can confidently answer the following
study questions.
1. What is the main focus of the Turnbull report?
2. What is the main focus of the Sarbanes-Oxley legislation?
3. What caused these political and regulatory initiatives?
4. How do they relate to the risk management process?
5. How do they relate to the strategic management process?
6. How does values-based management relate to the formal strategic management process?
7. Does good corporate governance enhance values-based management principles?
Student note
It is highly advisable for students to investigate standards or guidelines and rules that apply in
their own countries. A suggestion is to compare these standards with those covered in the
readings, [where they differ]. The online Diploma Reading Room provides links to a wide range
of relevant documents.

© IRM Sept 2011 22
12 Unit 5: Strategic control systems

Students who have progressed to Unit 5 will have a reasonably good foundation of basic
principles of strategic management, and will, of course, have developed some specific
competencies in the assessment of the business environment and matters related to corporate
governance.
Unit 5 leads students into an examination of the strategic control processes that support the
implementation of organisational strategy. In this way, students should begin to develop a firmer
understanding of some of the technical support activities related to strategy implementation and
development, and they also should at least begin to see some of the organisational challenges
that lie ahead for risk leaders.
Students will want to reflect on their own situation or that of their organisation situation with
respect to strategic control processes. Processes on paper can suggest an elegance that is not
always or not easily achievable in living organisations. Culture, structure, leadership, complexity,
uncertainty and the availability of information can all facilitate or block strategic processes.
Therefore, it will serve a student well in Unit 5 to not only absorb the technical information about
strategic control processes, but also to think about the application of those processes in real
organisations – in other words, to look at the implementation of strategic management
processes as the first “move” in a multiple stage game.
The nature of an existing organisation may preclude certain moves, or constrain the opening
gambit. Also, the organisation and its individuals will respond to a process, so a series of moves
and countermoves may influence the ultimate value or meaning of the initial move.
The insight referenced in the preceding paragraphs might be called a “game theory” insight. In
other words, management does not consist of taking an action with the expectation of an
automatic or predictable result. Organisations and the individuals within them react to a
management “move” and these reactions can change the game itself, or the details. This is
sometimes called “reflexivity”.
If this insight sounds vaguely familiar, it should. Adams (introduced in Module One) emphasises
the dynamic environment as a source of risk in its own right. Traditional risk management
assumed that if a risk management measure was taken an automatically good result would
ensue, but Adams cautions us to remember that a behavioural change may produce an
unintended negative result. For example, requiring seat belt use in motor vehicles may prompt
people to drive faster and so endanger other road users more.
Reflection on the material in Unit 5 should encourage students to realise that good managers
have to think several moves ahead.

© IRM Sept 2011 23
12.1 Unit 5 Reading
Students will take a closer look at the more formalised approaches to the strategic
management processes. First, they will study a popular strategic management system
referred to as the “balanced scorecard”, thus indicating a framework that tries systematically
to measure strategic outcomes and follow up on achievements (Kaplan and Norton).
Students will study how management control systems may be used to monitor environmental
uncertainties and thereby inform corrective corporate actions (Simons, 1990).
Students will investigate how control systems eventually can be seen as a central element of
a strategic risk management framework (Simons 2000)
Students will learn about strategic controls in the context of internal management information
and communication systems (See the articles cited above).
Finally, students will see, by way of a case study how one of the UK's largest retailers, Tesco
plc, has introduced ERM as part of an existing strategic control system. (Woods)
Students will be ready to move to Unit 6 when they can confidently answer the following study
questions.
1. What are the underlying ideas behind the balanced scorecard?
2. How does the balanced scorecard relate to the strategic management process?
3. How does the balanced scorecard relate to risk management?
4. What role do management controls systems play?
5. How do management control systems deal with strategic risks?
6. Are management control systems and strategic controls compatible?
7. Do extensive controls enhance strategic responsiveness?

© IRM Sept 2011 24
13 Unit 6: Strategic flexibility and responsiveness

Within the preceding units students should have developed a good understanding of the need
for organisations to have a well defined and developed strategy. In Unit Six students will gain
some insights into the need for organisations to ensure that flexibility and responsiveness is built
into their strategy. In other words, strategic management must include careful planning informed
by the prospects of alternative outcomes and also allow for maintaining responsiveness, agility
and resiliency in dealing with the dynamic environment once a strategy has been implemented.
In this context students will be given a particularly important introduction to the concept of real
options. The “real options” concept has been academic for some time, but in recent years its
application has broadened and deepened, and it is now one of the key concepts emerging in the
strategic risk management field. This is not to say that the real options concept is an
unblemished answer to the risk manager’s prayers. Indeed, students should expect to have a
critical view of the strengths and weaknesses of real options thinking.
A student might reflect on the possibility here that flexibility and responsiveness might prove to
be an important way of framing one of risk management’s critical roles and purposes. If the
world is filled with uncertainty, our ability to develop an airtight strategy, execute against that
strategy and get exactly the result we intend, is virtually nil. Therefore, risk management seems
partly to involve those activities necessary to keep organisations alert and agile to changing
conditions and, while still informed by the original strategy, ingenious enough to make critical
changes when necessary.
Furthermore, students will examine the role of that centralized strategy planning and
decentralized decision making structures has in improving the flexibility and performance of
organisations in dynamic environments.
13.1 Unit 6 Reading
Students begin by understanding why strategic flexibility is important to modern

organisations and some of the barriers that are present (Shimizu and Hitt)
Students also examine the real options perspective as a way to deal with strategic
uncertainties (Andersen (2006) Chapter 10 in core required book Perspectives on Strategic
Risk Management and (Andersen (2006) Chapter 10 of Global Derivatives: A Strategic Risk
Management Perspective).
Students will also examine scenario planning as an effective method to improve flexibility
and performance in organizations (Lindgren and Bandhold).
Students will be introduced to risk management in the context of the strategic management
process and consider the effects of various organisational characteristics (Andersen (2006)
Chapter 11 of Global Derivatives: A Strategic Risk Management Perspective).
Students should reflect on whether effective risk management entails more complex
combinations of dispersed decision making, information processing and communication
capabilities, formal control systems and informal coordination by mutual adjustment
(Andersen (2004) and Andersen (2010) as well as above cited article).
Students should understand the reading materials that essentially integrate the risk
management and strategic management processes as the means to enhance flexibility and
corporate responsiveness (See material cited above).
© IRM Sept 2011 25
Students will be ready to move to Unit Seven when they can confidently answer the following
study questions.
1. What are the key elements of the risk management process?
2. Can a real options perspective improve strategic flexibility and responsiveness?
3. To what extent can real options facilitate the management of strategic risks?
4. What are the elements of effective strategic risk management practices?
5. What is needed to deal with harder to quantify strategic risks?

© IRM Sept 2011 26
14 Unit 7: Strategic risk management

Students now turn their attention to the specific subject of risk management, but with a distinct
reference to the materials covered in the first four units. Module One presented a broad
introduction to risk management, and it should be no surprise that some familiar terms,
concepts, names and references have already reappeared in Module Four. Unit Seven should
take students even further onto familiar ground.
Within Unit Seven, students are expected to deepen their understanding of the existing risk
management frameworks. This means that they can move beyond basic awareness of these
frameworks and an ability to provide a general description. They should be able to provide some
level of critical analysis in comparing the basis of these frameworks and understanding the
relative advantages.
Furthermore in Unit Seven, students will explore the emergence of the various new risk
management frameworks in the context of the changing competitive landscape, and there is a
specific opportunity to reflect on risk management as a ”strategic response” tool, which is an
idea first brought to light in Unit Six. How, precisely, does the introduction of risk management in
an organisation enable/enhance/facilitate the accomplishment of strategic goals?
In the process of closely examining risk management frameworks, the specific concept of
enterprise risk management (ERM) receives fuller treatment. While there are many existing
frameworks that embody an organisation-wide approach, ERM is the framework that currently
garners most of the attention. As students will see, the ERM concept is not without its
controversies and limitations. Indeed, there is even controversy as to whether the name –
enterprise risk management – is the best we can do in capturing the essence of the concept.
Nevertheless, students today must have a reasonably comprehensive awareness of ERM and
the ERM movement, as it informs and influences much of the current thinking and practice in the
field.
14.1 Unit 7 Reading
Students should start by considering a somewhat conventional risk management framework

(Andersen (2006) Chapter 7 in core required book Perspectives on Strategic Risk
Management).
Students will then examine some of the main drivers behind the rise of ERM and how these
developments help support organisations in increasingly dynamic business environments
(Andersen and SchrØder)
Students will also revisit major characteristics of the changing competitive landscape that
urges a need for strategic response capabilities (Bettis and Hitt).
Students should then investigate the major risk management frameworks developed among
other things to deal with the new competitive reality, and consider how they accomplish the
development of responsive organisations (Henriksen and Uhlenfeldt, Chapter 6 of core
required book Perspectives on Strategic Risk Management)
Students should investigate the specific characteristics of ERM and the ERM movement, and
their ability to embrace strategic risks (Readings: above cited articles).

© IRM Sept 2011 27
questions.
1. What are the particular features of the contemporary environment that extend the need for
strategic risk management?
2. What are the main characteristics of the new competitive landscape?
3. How should we cope with the emerging risks in today’s competitive environment?
4. Are executives and managers generally aware of the new strategic risks?
5. What are some of the impediments to engaging in integrative risk management practices?
6. How do formal enterprise risk management (ERM) approaches deal with strategic risks?

© IRM Sept 2011 28
15 Unit 8: Strategic risk management returns

Unit 8 provides students with important foundation information about modern risk management
practices and their contribution to organisational success.
This unit comes as close to a theory-based course of study as will be found in the entire
Diploma. The reading material here has been chosen with care to avoid the dense and
sometimes impenetrable language of the academic. Nevertheless, students should develop
some understanding of the conceptual arguments that underlie the practice of risk management
today.
There are at least three reasons why this is important for a practising risk manager.
First, the case for introducing risk management into organisations is not always easily made to
non-experts. The old saying that “nothing sells risk management like a disaster” suggests that
making the business case for allocating resources to risk management is hard to accomplish
prospectively. The reduction of possible risk or loss and the pursuit of an opportunity are often
seen as intangibles that are difficult to articulate. Only in retrospect, and not terribly strategically,
do most organisations address critical risk management needs. Therefore, students need to
consider concepts and theories for the purpose of making the best possible prospective case.
Second, the modern approach to risk management is cross-functional, inter-disciplinary and

integrative, and so the business case for risk management must be made in a way that auditors,
financial managers, marketing managers, operations managers and a host of others understand
it. The search for a common language of risk is enhanced by recognition of the underlying
principles.
Third, the development of an understanding of the principles (and, yes, even theories) provides
an important tool in advancing the student’s critical thinking skills. Exposure to current
conceptual frameworks enhances the student’s ability to ask “why?” and to have a basis for
answering that question.
15.1 Unit 8 Reading
Students will investigate the different rationales for potentially positive risk management
effects. They will examine a model that demonstrates conditions where strategic
responsiveness to changing environmental conditions can lead to favourable risk-return
outcomes (Andersen & Bettis, Chapter 3 of core required book Perspectives on Strategic
Risk Management).
Students will read about how stable earnings may enhance availability of capital in support of
viable business opportunities (Andersen (2008) and Froot, Scharfstein & Stein (1994)).
Students will study a set of readings that span conventional financial arguments to more
managerial considerations of risk management, which illustrate that potential risk
management benefits can go well beyond simple cost of capital arguments (Readings:
articles cited above).

© IRM Sept 2011 29
questions.
1. Why does it possibly pay to hedge exposures and management risks when investors can
diversify their firm-specific risks?
2. How can risk management lead to reduced funding costs and provide capital for new
investment propositions?
3. How can risk management lead to excess liquidity and why is that possibly good?
4. Why might it pay to shield the firm’s major stakeholders and encourage firm-specific
investment?
5. Why might it be good to respond in ways that match the market and what is the
consequence for the risk-return relationship?
6. What kind of risk management approaches do we need to enhance these potential

advantages?

© IRM Sept 2011 30
16 Unit 9: Strategic management challenges

Unit 9 directs students to examine a set of issues that frequently arise in strategic management.
It asks them to reflect on the implications that may be relevant to risk management.
In particular, Unit 9 focuses the student’s attention on several practical issues that arise when
strategies are implemented and managed within live organisations. After all, organisations have
cultures, values and behaviours, structures and relationships, and many other characteristics
that can strongly influence whether risk management programmes succeed or fail.
Risk leadership requires an appreciation not just of the technical substance of risk management,
but also of the organisation in which risk management is to be applied. Although frameworks
abound (and are quite useful), organisations are unique and the approach to risk management
programme implementation will also have to be unique. It is sometimes said that the form risk
management takes is a reflection of a cultural value system (is the organisation risk taking, risk
averse, attentive to stakeholder exposure, careful, aggressive or opportunistic?) If that is true,
then the development of risk management in an organisation requires that a risk leader is highly
knowledgeable about his or her organisation.
16.1 Unit 9 Reading
Students are initial directed to review the findings in the latest Marsh Excellence in Risk
Management Survey and form a view about how the role, value and direction of risk
management has changed in recent times as well insight into some of the further challenges
faced by risk managers in organisations. (Marsh)
Students should consider various organisational experiences and behavioural perspectives

on strategic risk management. In particular, they are directed to read an article that argues
how organisational learning and readiness for change can enhance needed responsiveness
(Roberto, Bohmer & Edmonson).
Students should study how effective risk management depends on combinations of

integrative controls and autonomous actions (Weick & Sutcliffe).
Students should investigate the relevant organisational features in effective risk

management processes (Readings: articles cited above).
Furthermore students should examine how global organisation can manage the emerging
social risks that they encounter and how corporate social responsibility support management
of such risks Husted (2005) and Kytle and Ruggie (2005)

© IRM Sept 2011 31
questions.
1. What are some of the important organisational ingredients of effective risk management?
2. What are some potential downsides to hierarchical decision structure and tight controls?
3. How can some decentralisation enhance learning and feedback in management processes?
4. What elements of corporate culture should be enhanced to accomplish this?
5. What can we learn from past experiences in high reliability organisations?
6. What can cause increased risk pressures and what does it take to inflate these pressures?

© IRM Sept 2011 32
17 Unit 10: Risk leadership and ethics

The introduction of ethics as a stand-alone subject of study is a relatively new phenomenon in
management education. Certainly, the subject has been embedded in a very wide array of
learning and training programmes, and probably, even if informally, moral and ethical dilemmas
and challenges have been addressed in the past.
Nevertheless, there is a decided movement toward highlighting the subject of ethics in

organisational (business and government) settings and emphasising the importance of ethical
awareness. Students should observe how culture sets values and how, in a leadership context,
individual values can influence cultures. This circular relationship is useful for students to
contemplate because measures that are introduced to address risks typically are not embraced
if there is no clear evidence that top management supports those measures and the intended
outcomes. More specifically, top managers’ moral and ethical behaviour sets the tone for the
entire organisation. Equally, an existing corporate culture that, perhaps, allows unethical
behaviour can be very difficult to change. Leaders can influence what is possible in terms of
ethical management, but the culture itself also plays a part.
Organisational strategy and management are imbued with the values of the managers and the
organisation’s culture. This frequently happens with little conscious effort, so deeply embedded
are values and beliefs. The intention of most programmes of study in ethics is not – at least not
fundamentally – to “teach people to be good” but rather to help individuals become aware of and
articulate their values, all in the service of providing a basis for evaluating the numerous grey
area situations encountered in work settings.
Further, in modern business, brand and reputation management are frequently cited as critical
challenges, and are often mentioned as the most important risks to be managed. Perhaps it is
stating the obvious, but it is worth emphasising here that the basis of an organisation’s brand or
reputation is significantly related to how stakeholders and others perceive the organisation’s
values and behaviour.
The relationship of ethics to risk management is intuitively obvious, but is nevertheless a largely
unexplored topic. Intuitively, one would assume that, since risk management involves choices,
values and moral considerations, ethics would be central to risk management decision making.
However, as a subject of study, ethics and risk management is still largely unploughed ground.
But the ploughing has begun in earnest, and it is likely that students will encounter many new
developments in the coming years regarding our understanding of ethics and risk management
and, indeed, the management of ethical risks.
17.1 Unit 10 Reading
Students will investigate the general frameworks through which are studied ethics in
organisational settings (Goodpaster & Matthews).
Students will look at a specific attempt to translate current thinking on organisational ethics
into a risk management frame of reference (Young).
Students should reflect on the relationship of ethics to mission statement (Unit Three
readings) and corporate culture (Unit Nine readings).

© IRM Sept 2011 33
A student should only proceed to preparations for the exam when he or she has confidently
answered the following study questions.
1. What are the predominant ethical frameworks used in an analysis or discussion of

organisational ethics?
2. What is the central organising idea behind corporate social responsibility?
3. What would be the argument for corporate social responsibility as a risk management tool?
4. How might we frame a discussion of ethical risks that could become part of an organisation’s
overall risk profile?

© IRM Sept 2011 34
18 Appendix 1: Self-assessment answers, comments and

suggestions
Unit 1: Strategic Management and Risk Management in Overview
1. What is the role of the “board” in strategic risk management?
Whilst the exact role of the board may vary from company to company they should all have risk
oversight objectives that include ensuring:
a. An appropriate risk appetite is set for the organisation;
b. Strategic risks are taken that are commensurate with the expected rewards
c. A risk management system is in place to manage, monitor, and mitigate risk;
d. The risk management system informs the board of the major risks facing the company;
e. An appropriate culture of risk-awareness exists throughout the organization;
f. There is recognition that management of risk is essential to the successful execution of
the company’s strategy.
2. Explain the link between strategy and risk.
Every business model, business strategy, and business decision involves risk; without risk, there
is no reward. At a strategic level risk is not merely something to be avoided, mitigated, and
minimized; risk is integral to a successful business strategy and essential for a business to
succeed. Organisations, therefore, should begin with assessing the appropriateness of the
company’s strategy and the risk that is inherent in that strategy.
3. Explain the importance of risk appetite in relation to strategic goals.
Risk appetite refers to the amount of risk that an organisation is willing to take on. Therefore an
integral part of the strategy formation process should be agreeing on the amount of risk the
organization is willing to accept or retain the risk appetite. Higher strategic risk can mean higher
return, but can also lead to higher volatility of earnings and perhaps even a threat to the survival
of the organisation. Importantly, the failure to set an appropriate risk appetite and to monitor the
actions relative to that appetite can also pose a risk.
Unit 2: The Strategic Management Process
1. What are the different elements of the mission statement?
The formal elements of the mission statement are: business rationale, long-term goals, and
value statements. The underlying idea is to give organisational members general direction for
their corporate activities.
2. How may value statements be useful to the organisation?
Value statements provide general guidance to organisational members on how they should
prioritise their activities in relation to major stakeholders and how they show behave in general.
This may be important if unforeseen situations require actions that conform to the general
direction of the corporation.
3. What is the rationale behind macro environment, industry and competitor analyses?
To understand how the external environment that conditions corporate activities is evolving and
to understand the key factors that affect business conditions for the corporation.

© IRM Sept 2011 35
4. What is the rationale behind the internal company analysis?
To understand what resources and competencies the corporation has possession of and access
to, that might furnish valuable strategic initiatives that correspond to identified strategic
opportunities. To understand what resources and competencies the corporation possesses or
has access to that might be valuable for initiatives to exploit strategic opportunities.
5. How does corporate governance fit into the picture – that is, how does it
affect/influence the mission statement?
Corporate governance lays out the ground rules for corporate activities in relation to
stakeholders, corporate values and risk propensity while ensuring that appropriate and reliable
management structures and processes are in place.
6. How does the firm reconcile the external and internal analyses?
The internal analysis is often summarised in terms of strengths (S) and weaknesses (W) and the
external analysis in opportunities (O) and threats (T). The idea is to examine internal strengths in
relation to identified opportunities (SWOT analysis). In many ways, the SWOT assessment
constitutes a comprehensive risk analysis of internal vulnerabilities and external risk factors.
7. Why is it important to monitor performance against plans?
Strategic controls which compare realised results to planned outcomes provide an opportunity to
assess whether assumptions hold true or whether environmental conditions have changed and
call for corrective actions.
Unit 3: Understanding the Strategic Environment
1. How does environmental analysis relate to risk analysis?
Consideration of opportunities and threats within the PESTEL framework, dynamic industry
analysis and competitor analysis all serve to identify essential risk factors that may affect
corporate performance.
2. How can we incorporate environmental analysis into the risk management process?
Essential risk factors identified in the environmental analyses can be adopted directly into the
initial stages of the risk management process.
3. How can we deal with environmental risks that display high uncertainties?
Scenario planning makes it possible to consider the potential consequences of unlikely, but
realistic, scenarios and thereby create awareness among decision makers about how to act in
case of such events.
4. What are the major corporate governance concerns?
According to the OECD, these are: market transparency, shareholder protection and equitability,
stakeholder concerns, accurate disclosure, and appropriate guidelines and monitoring
processes.

© IRM Sept 2011 36
5. What are the risk management implications of this?
The main concerns relate to correct and timely information as well as managerial controls.
6. How does good corporate governance enhance the ability to respond to

environmental changes?
The formal guidelines do not really relate to the ability to respond to exogenous changes, but
appear more concerned with transparency and control issues.
7. Are corporate governance and strategic management perspectives consistent?
Strategy comes to the fore under board responsibilities that also entail reviews of corporate
strategy, actions plans and risk policies.
Unit 4: Corporate Governance
1. What is the main focus of the Turnbull report?
The main concern seems to be the efficacy of the corporation’s internal reporting and control
systems.
2. What is the main focus of the Sarbanes-Oxley legislation?
Sarbanes-Oxley has a quite comparable perspective to Turnbull but additionally holds the CEO
personally responsible for reporting accuracy and the quality of internal control processes.
3. What caused these political and regulatory initiatives?
Spectacular corporate fraud cases, for example, Enron, WorldCom and Adelphia, drove political
action.
4. How do they relate to the risk management process?
These regulatory frameworks appear mostly concerned with safeguarding processes to identify
major risks, ensure information accuracy, and enforce internal control and monitoring processes.
5. How do they relate to the strategic management process?
The regulatory or voluntary frameworks do not appear to be anchored directly in the strategic
management process but touch on elements of the formal strategy process, for example,
mission statement, environmental analyses and strategic controls.
6. How does values-based management relate to the formal strategic management

process?
Values-based management assumes that the guiding principles for corporate decision makers
are anchored within the overall corporate mission and value statements.
7. Does good corporate governance enhance values-based management principles?
A focus on information transparency and internal controls does not guarantee a values-based
management approach as it is anchored within the corporate mission statement.

© IRM Sept 2011 37
Unit 5: Strategic Control Systems
1. What are the underlying ideas behind the balanced scorecard?
To identify essential strategic value drivers and develop appropriate metrics for monitoring them
on a regular basis. The analytical framework links overall financial goals to customer aspirations,
the quality of internal processes and the need to develop internal competencies.
2. How does the balanced scorecard relate to the strategic management process?
The balanced scorecard in many ways embodies the elements of the formal strategic
management process from mission, strategy formulation and planning, to follow-up and strategic
leaning.
3. Does the balanced scorecard approach emphasise particular elements of the strategy
process?
The balanced scorecard in essence constitutes a refined strategic control system that links
different organisational levels to the formal corporate strategy.
4. What role do management controls systems play?
Typically, they account for aggregate corporate performance and report on organisational
efficiency measures – and thereby monitor external market and internal processing outcomes.
5. How do management control systems deal with strategic risks?
They may relate to monitoring of internal processing failures, but can also be geared to follow up
on predefined environmental factors.
6. Are management control systems and strategic controls compatible?
Well developed management control systems, for example, balanced scorecards, may serve as
strategic control frameworks.
7. Do extensive controls enhance strategic responsiveness?
Controls imply some previous consideration of potential risks. General risk awareness is a vast
improvement on ignorance. However, controls may not necessarily help the corporation to deal
with unforeseeable risks.
Unit 6: Strategic Flexibility and Responsiveness
1. What are the key elements of the risk management process?
It is a cyclical process involving risk identification, risk measurement, risk mitigation and
management of retained risk.
2. Can a real options perspective improve strategic flexibility and responsiveness?

© IRM Sept 2011 38
The identification of alternative strategic actions (real options) and ongoing monitoring of the
viability of these alternatives may increase the corporation’s ability to put into force relevant
strategic responses to changing conditions.
3. How can we ensure that risk management and strategic management processes
reduce downside risks and enhance upside potentials?
Combined awareness of downside risks and upside business opportunities (real options) may
improve the ability to avoid both downside losses while taking advantage of upside potentials.
4. What are the elements of effective strategic risk management practices?
A combination of management control processes and a decentralised ability to respond quickly

and effectively to emerging threats and opportunities are likely to have the best risk
management outcomes.
5. What is needed to deal with harder to quantify strategic risks?
Management controls do not suffice in dealing with unforeseeable risks. There is also a need for
strategic response capabilities that enable fast and effective actions.
Unit 7: Strategic Risk Management
1. What are the particular features of the contemporary environment that extend the
need for strategic risk management?
Globalisation increases competitive pressures and adds complexity to business models while
technology and process and product innovation increase the rate of change.
2. What are the main characteristics of the new competitive landscape?
Uncertainty is increasing to the extent that many potentially disruptive events are difficult to
foresee and, therefore, escape the conventional risk management loop.
3. How should we cope with the emerging risks in today’s competitive environment?
There is a need to develop the organisation’s strategic response capabilities which extend
conventional risk management and control approaches.
4. Are executives and managers generally aware of the new strategic risks?
Some are, some are not, but in any event, nobody can know what is unforeseeable. However,
executives and managers must be able to react when risks emerge or happen.
5. What are some of the impediments to engaging in integrative risk management

practices?
A common impediment is an absence of commitment from top management and the board of
directors. However, there is a clear difference in their attention across types of risk with much
focus on financial and insurable risk, and limited treatment of strategic risk, even though it is
recognised as an important concern.

© IRM Sept 2011 39
6. How do the formal enterprise risk management (ERM) approaches deal with strategic
risks?
The ERM frameworks typically do not integrate risk associated with the corporate strategy
formation process.
Unit 8: Strategic Risk Management Returns
1. Why does it possibly pay to hedge exposures and management risks when investors
can diversify their firm-specific risks?
It is true that investors can diversify a portfolio of publicly traded stocks. However, this is not so
easy for small and illiquid stock, and it is impossible if the firm is privately owned.
Furthermore, many other stakeholders who have limited possibilities to diversify their
relationships may also have an interest in the firm’s stability.
2. How can risk management lead to reduced funding costs and provide capital for new
investment propositions?
Lower earnings volatility reduces the firm’s bankruptcy risk and thereby should increase
availability of financial capital from the market and reduce the cost of capital accordingly.
3. How can risk management lead to excess liquidity and why is that possibly good?
A lower volatility in the earnings development, and hence in cash flows, reduces the need for
treasury to maintain a certain level of liquidity to serve as buffer for unforeseen liquidity needs.
This can free cash for other more productive purposes.
4. Why might it pay to shield the firm’s major stakeholders and encourage firm-specific
investment?
Important stakeholders often engage in highly specialised relationships with the firm that will
have little value in other corporate relationships. These types of firm-specific and unique
engagements are arguably advantageous to the firm but are also risky for the stakeholders that
commit to them. Hence, it would pay to reduce the stakeholder risk to induce these closer
cooperative relationships.
5. Why might it be good to respond in ways that match the market and what is the
consequence for the risk-return relationship?
If firms are rewarded by being close to fulfilling current market requirements through effectively
adapting from period to period to a changing environmental context, then a good adaptor will
display high average performance and low variability in earnings.
6. What kind of risk management approaches do we need to enhance these potential

advantages?
They seem to require an ability to observe emerging change and take initiatives that will
reposition the organisation so it is in better harmony with current environmental requirements.
Unit 9: Strategic Management Challenges

© IRM Sept 2011 40
1. What are some of the important organisational ingredients of effective risk

management?
A common understanding of purpose, some autonomy to act, communication systems to

facilitate coordination, central control systems to monitor and control, and an ability to learn from
the reported feedback.
2. What are some potential downsides to hierarchical decision structure and tight
controls?
They may limit the ability to consider alternative actions and even inhibit the ability to interpret
environmental events in any other way than that which has already been formalised as the “true”
way to see and understand things.
3. How can some decentralisation enhance learning and feedback in management

processes?
It can allow alternative interpretations of events and inspire new exploratory responses that may
turn out to be highly beneficial to the firm.
4. What elements of “corporate culture” should be enhanced to accomplish this?
The ability to be critical and creative in trying out new ways of doing things.
5. What can we learn from past experiences in high reliability organisations?
That, while central integrative and controlled procedures are essential, in a crisis there should be
an ability to put aside the established order and respond according to the immediate needs on
the spot.
6. What can cause increased risk pressures and what does it take to inflate these
pressures?
Tightly coupled systems and integrated processes have a larger likelihood of breaking down
when one conditional element changes. Engaging in more loosely coupled systems where the
interdependence between parts is less rigid can reduce these pressures.
Unit 10: Risk Leadership and Ethics
1. What are the predominant ethical frameworks used in an analysis or discussion of

organisational ethics?
The Goodpaster & Matthews material does a straightforward job in setting out the most widely
recognised frameworks employed in the study of organisational ethics. Students should be sure
they can articulate these views and offer some perspective on the differences.
2. What is the central organising idea behind corporate social responsibility?
The concept of corporate social responsibility (CSR) is still highly debated even today and thus
reasonable people might have quite different definitions as to what CSR is and its implications
for organisations. In general, however, we can observe that CSR addresses that set of issues
that relate to an organisation’s responsibilities to its stakeholders, both within and outside the
organisation.

© IRM Sept 2011 41
Since the concept of “responsibility” is imbued with ethical or moral implications, the subject of
organisational ethics is commonly seen as highly related to CSR. However, depending upon
frames of reference, such issues as corporate governance, safeguarding the environment,
participatory decision making, community citizenship and an array of other subjects may be
seen as part of CSR’s “organising” idea.
3. What would be the argument for corporate social responsibility as a risk management
tool?
Even though there are competing views about the merits of CSR and, indeed, some observers
would argue that corporations have no obligation other than increasing shareholder wealth, one
could argue that stakeholder management (which rests at the heart of much CSR thinking),
would be necessary even in situations where the decision criteria is financial wealth
maximisation. This is because even finance theorists note that stakeholders’ demands and risks
must be managed in the larger service of wealth maximisation.
Thus, it could be said that CSR provides a basis for addressing a wide range of risks that might
otherwise not be identified and addressed. And, of course, conscientious CSR might be seen by
others as evidence of “good management” and this might enhance the organisation’s reputation.
This final point, it should be noted, is controversial and some might see CSR as superfluous to
good management.
4. How might we frame a discussion of ethical risks that could become part of an
organisation’s overall risk profile?
The Young article speculates on one frame of reference and students should be aware of the
general idea proposed therein. The main point of the reading is to emphasise the need for
organisations to have a language for including consideration of ethical and moral risks in the
overall structure of their risk profile.

© IRM Sept 2011 42

Module 4: Risk Leadership: International Diploma in Risk Management

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Module 4: Risk Leadership: International Diploma in Risk Management

Uploaded by

Copyright:

Available Formats

International Diploma in Risk Management

Module 4: Risk Leadership

Module Four: Risk Leadership

1 The Diploma so far 3

3 Module aims in summary 9

4 Module learning outcomes 9

6 Module learning activities 11

7 Module learning materials 11

8 Unit 1: Strategic management and risk leadership in overview 16

9 Unit 2: The strategic management process 18

10 Unit 3: Understanding the strategic environment 19

11 Unit 4: Corporate governance 21

12 Unit 5: Strategic control systems 23

13 Unit 6: Strategic flexibility and responsiveness 25

14 Unit 7: Strategic risk management 27

15 Unit 8: Strategic risk management returns 29

Module 4: Risk Leadership

16 Unit 9: Strategic management challenges 31

17 Unit 10: Risk leadership and ethics 33

Module 4: Risk Leadership

1 The Diploma so far

Understanding of the methods necessary to develop an overarching framework for

Competence in the specific managerial challenge of “integrating and coordinating” risk

Module 4: Risk Leadership

Ability to demonstrate an understanding of concepts related to problem solving and decision

1. Organisations are expected to practise risk management

Module 4: Risk Leadership

Module 4: Risk Leadership

Module 4: Risk Leadership

IRM wishes all students every success with Module Four.

Module 4: Risk Leadership

3 Module aims in summary

4 Module learning outcomes

4. Assess dominant regulatory initiatives on corporate governance in the context of values-

Module 4: Risk Leadership

Unit 2: The Strategic Management Process

Unit 3: Understanding the Strategic Environment

Unit 4: Corporate Governance.

Unit 5: Strategic Control Systems

Unit 6: Strategic Flexibility and Responsiveness

Unit 7: Strategic Risk Management

Unit 8: Strategic Risk Management Returns

Module 4: Risk Leadership

Unit 9: Strategic Management Challenges

Unit 10: Risk Leadership and Ethics

6 Module learning activities

7 Module learning materials

Unit 1: Strategic management and risk management in overview

Module 4: Risk Leadership

Unit 2: The strategic management process

Hill, C W L, and Jones, G R, (2001) “Stakeholders and the Corporate Mission”,

Hitt, M A, Ireland, R D, and Hoskisson, R E, (2001) “Strategic Management and Strategic

Unit 3: Understanding the strategic environment

Johnson, G, Scholes, K, and Whittington, R, (2005) “The Environment”, Chapter 2 in Exploring

McGee, J, Thomas, H, and Wilson, D, (2005) “Risk, Uncertainty and Strategy”,

OECD Principles of Corporate Governance

Unit 4: Corporate governance.

Anderson, C, (1997) “Values-Based Management”, Academy of Management

FERMA / ECIIA, (2010) “Guidance on the 8th EU Company Law Directive

Guide to Sarbanes-Oxley http://soxlaw.com/index.htm

The June 2010 UK Corporate Governance Code http://www.frc.org.uk/

Turnbull Guidance http://www.frc.org.uk/corporate/internalcontrol.cfm

Unit 5: Strategic control systems