
International Diploma in Risk Management

Module 2:
Risk and Organisations

Module Handbook

June 2012
Module Handbook: Risk and Organisations


Module Two: Risk and Organisations
Contents
1 Introduction 2

2 The Diploma so far 2

3 Looking ahead to Module Two: Risk and Organisations 4

4 Module aims in summary 7

5 Module learning outcomes 7

6 Module syllabus 8
Unit 1: Understanding the risk environment
Unit 2: Organisational structures and their impact on risk management
Unit 3: Risk governance
Unit 4: Acceptance of risk in organisations

7 Module learning activities 9


7.1 Required reading list 9
7.2 Reading materials and reading expectations 10

8 Unit 1: Understanding the risk environment 11


8.1 Unit 1 Readings 14
8.2 Unit 1 Reading materials 16
8.3 Unit 1 Self-assessment 16

9 Unit 2: Organisational structures and their impact on risk management 17


9.1 Unit 2 Readings 17
9.2 Unit 2 Reading materials 19
9.3 Unit 2 Self-assessment 19

10 Unit 3: Risk governance 20


10.1 Unit 3 Readings 22
10.2 Unit 3 Reading materials 22
10.3 Unit 3 Self-assessment 22

11 Unit 4: Acceptance of risk in organisations 24


11.1 Unit 4 Readings 25
11.2 Unit 4 Reading materials 26
11.3 Unit 4 Self-assessment 26

Appendix: 27
Self-assessed answers, comments and suggestions

Module Two: Risk and Organisations 1


© IRM Sept 2011

1 Introduction
Module Two of the International Diploma explores how risk management is carried out across the
different sectors. It will give Students a broad understanding of the spectrum of approaches to risk
management and what influences these approaches.

2 The Diploma so far


Mastery of the material covered in Module One places students in a strong position to succeed in
Module Two. Students should be sure to have either successfully completed the Module One
examination or, if studying more than one module at a time, to have completed the work on Module
One before moving on to Module Two.

Modules one through to five are intentionally designed to be studied in sequence, and many difficulties
may arise in approaching the modules out of sequence.

Students will recall that Module One serves two broad purposes:

1. To help students develop an understanding of the important concepts, ideas and principles
that underlie both the study of risk and the practice of risk management, and

2. To provide students with a broad and overarching understanding of the subject matter of the
Diploma – and specifically the subject of risk management.

With respect to underlying concepts, principles and ideas, students should be comfortable and
confident that they can discuss, apply, and think critically about:

The varying facets of the concept of risk. Risk is a surprisingly complex concept and
requires risk experts to understand that it is:

a) A social/cultural construct
b) A concept largely framed and conceptualised by psychological and perceptual
influences
c) A relatively modern mathematical concept tied to probability theory, and
d) A concept that has both relaxed, informal meanings and rigorous, formalistic
definitions.

The fact that understanding the complexity of risk can aid individuals in knowing what to do
about it. Notably significant in Module One is recognition that judgments and decisions are
influenced or driven by perceptions as much as by objective facts. Therefore, managing
and addressing psychological and perceptual aspects of risk may be as important as
dealing with the tangible, “objective” nature of risks.

The challenge of managing uncertainty (a state of mind). Uncertainty management is a
critical aspect of risk management.

Risk communication, that is, effective communication of risk related information, must be
significantly informed by an understanding of how people perceive risks and process
information about risk.


Also, at least implicitly, students should conclude that an understanding of the principles and concepts
of risk should lead to recognition that the challenges of managing risk are not limited to historically
narrower definitions of risk (insurable or financial risks). Risks are pervasive and from an
organisation's perspective, traditional categorisations may be more harmful than helpful.

Regarding the introductory role of Module One, students should be confident that they can discuss,
apply and think critically about:

The historical development of risk management, and particularly, the forces and factors
that have driven the development of the field.

Recent developments that have led to a view of risk management as a broad and
integrative approach to managing all key organisational risks.

The rising tide of “external expectations” impacting organisations and the practice of risk
management within those organisations. Particularly important here is an understanding of
the various standards, guidance, rules, audit requirements, best-practice statements and
legal rules that now impose risk management expectations on public and private
organisations.

The general structure and practice of risk management in organisations. Students should
be confident in their ability to discuss the general look and feel of risk management as it is
practised in modern public and private sector organisations.

The broad conceptual and managerial arguments for the role of risk management in overall
organisational management.


3 Looking ahead to Module 2: Risk and Organisations

While a student may have a firm grasp of the material referred to above, he/she may nevertheless
have the feeling that risk is such a pervasive phenomenon it will be impossible to:

1. Make sense of its impact on an organisation, and

2. Begin to develop a rational managerial response to it.

Developing an understanding of risk as it impacts organisations, comprehending its various guises, as
perceived by different management specialisations, and developing a general framework for thinking
about and communicating information on organisational risks are specifically the purposes of Module
Two.

Module Two, Risk and Organisations, provides students with the broadest possible treatment of the
relationship of risk to organisations. Traditionally, risk management has tended to focus on narrower
representations of the role of the risk manager. Either, risk management was interpreted as “the
management of insurable risks” or it was often seen as a purely financial management activity geared
toward the identification and management of financial risks like credit, interest rate, price, currency
exchange, and inflation. Even in more recent times, as the view of risk management has broadened,
the reinterpretations have tended to assimilate historical influences.

Thus, auditors who approach the subject of Enterprise Risk Management tend to shape their
treatment to accord with internal controls and reporting concepts. Operational managers tend to bring
concepts like total quality management or Six Sigma to bear on risk management. Those interested in
legal dimensions of management, mergers and acquisitions, safety and health or engineering, all bring
a distinct point of view to their modern interpretations of risk management.

Therefore, the Diploma addresses a very important challenge in Module Two, which is to provide
students with a balanced and broad understanding of risk in organisational settings – an
understanding that accepts the importance of traditional and historic perspectives, but an
understanding that is also imbued with an appreciation that historical or technical views of risk
management are but a part of a broader organisation-wide concept of risk management.

Thematically, Module Two is designed to help students develop the best possible understanding of
risk in organisational settings. In doing so, this module will be particularly attentive to the challenges
of:

Enabling students to understand exactly how organisations become exposed to risk and
how this exposure provides insights into managerial responses.

Leading students toward an appreciation of the various perspectives of risk that live within
organisations and particularly how professional cultures (finance, legal, engineering) can
combine with national and corporate cultures to influence how organisations and managers
look at risk.

Providing students with the proper language to discuss the various aspects of risk within
specific areas of an organisation.


Enabling students to begin to develop a comprehensive understanding of the "integrating
and coordinating" role of risk management – specifically, to provide insight into the
challenge of leading organisations toward cross-functional responses to key risks.

Imbuing students with an appreciation of the distinct and unique nature of an individual
organisation's risk profile and providing insights into the challenges that arise in developing
a risk management response that is specific and relevant to each organisation.

By the time students successfully complete Module Two, they should be confident that they have
acquired the tools and the knowledge that will allow them to think about organisational risks and to do
so in an open and comprehensive basis. At that point, students will need to embark on an exploration
of the technical and conceptual challenges of organising, analysing and utilising this risk information.
Module Three is designed to help students address those issues.

All organisations will face certain common or generic risks, such as the loss of vital staff, potential
increase in the cost of finance to run the business and loss of customers or clients to competitors.
With finite resources, decisions have to be made in prioritising risk management efforts.

Having noted this, the make-up of core business risks will differ from organisation to organisation. So,
human resource risks may be common to all organisations, but of “core” or “non-core” concern to
specific organisations. Thus, students should recognise common risks, but also develop some
sensitivity as to which of these risks are central to the success of a particular organisation.

The technical nature of many risks will be important to understand or appreciate. Thematically,
students have already seen that modern risk management practices span an extraordinarily wide
range, and the risk management effort may ultimately require that highly technical risks like the
management of nuclear technology might have to be part of an integrated programme that includes
more prosaic efforts like managing the risk of lower back injuries for physical labourers.

Although not directly addressed in great detail in this module, students should appreciate that a single
individual or department is unlikely to command all the necessary technical knowledge to directly
manage all organisational risks. Module Two, therefore, focuses on providing a broad examination of
risk characteristics, and this should allow students to develop two critical thinking skills:

1. An awareness of what they do know about risk and the limits of their risk knowledge, and

2. Sufficient understanding to be able to find the answers or to ask the right people for the
answers.

The search for commonalities and interdependencies is an important theme in Module Two. In one
critical sense, students must assume that all organisational risks are interdependent because they all
have an impact, or potential impact, on a single exposure – the organisation and its goals. Indeed, one
methodology for organising an analysis of risks is based upon the notion that organisations are
collections of contracts, commitments, agreements and obligations which they enter into for the
specific purpose of fulfilling their goals. Within all such arrangements are embedded risks that
influence, positively and negatively, the achievement of goals.

Thus, it will be difficult for managers to look at risks in isolation and to ignore the fact that treatment of
one risk might have unintended effects on others. Or, perhaps more frequently, the failure to address a
particular risk may have unintended consequences for risks that otherwise seem well managed.


Finally, even at the start of Module Two, students are likely to have some sense that risks have
different meanings at different levels or in different locations of an organisation. Part of the
appreciation of organisational risks is recognition that the materiality of risk varies at different levels of
the organisation. Some risks are best understood as being strategically material, while others are
highly material at operational levels. Other methods of stratification may be appropriate. Students
should note here that the various professional perspectives that populate the typical organisation
(finance specialists, legal specialists, engineering specialists) will also influence the way in which risks
are seen and valued.

Further, the level of risk between organisations will tend to vary, and the way that organisations within
the same type of business deal with risks will differ as well. However, there are also some risks that
are specific to an organisation or to the particular industry that overshadow the organisation's risk
profile, and the major, potentially fatal risks to an organisation will naturally dominate management's
thinking. Hence, there will be variation in the way that an organisation structures and resources its risk
management response.

In this sense, an overriding idea contained in Module Two becomes evident:

Risk management relies on the belief that there are broad and common risk management ideas and
methods that can be employed in any organisation. Nevertheless, the aggregation of risks within an
organisation and the appropriate form of response will be unique to that organisation.

Student note
Module One contains nine units of study while Module Two contains four.
Despite the apparent difference in structure, the material in each module is similarly weighted, and
students should budget a reasonably equal amount of time for studying both modules.

Students must read both this module handbook and the prescribed core reading materials.


4 Module aims in summary

The aims of this module are to take students through the different dimensions of risk and how risk
influences organisations. This then leads to an understanding of how risks change for different
organisations and how they respond. Analysis of corporate governance styles and the over-riding
culture of a firm and review of case studies will create the ability in students to understand and
assimilate the management approaches that result in a given response to risk.

The key learning message in Module Two is that the risk management techniques that are learned
through the IRM Diploma course are highly practical, but they need to be adapted to the specific, real
world organisational setting in which the student will be applying that knowledge.

The case studies contained within the core text are employed to illustrate real life examples of how
risk issues are addressed. Students will gain experience of looking at each organisation‟s unique
approach to risk management.

5 Module learning outcomes

By the end of Module Two students should be able to:

1. Understand that the risks that organisations face vary according to the nature of the business
and operating environment of the organisation.

2. Understand the global risks and the wider context in which organisations operate. (See the
2010 Global Risk Report of the World Economic Forum)

3. Identify the “risk emphasis” of organisations.

4. Understand that the way that risks are addressed will vary according to the management style
of the organisation.

5. Explain how organisational structures vary and how risk management activities become
embedded in those structures.

6. Understand the importance of communication of risk and risk language in an organisation.

7. Explain the influence of corporate governance practices on risk management responses.

8. Explain how an organisation considers and sets its risk appetite and tolerance.


9. Review the crisis management and contingency plans of organisations and set these in context
of the wider risk management framework.

10. Review the publicly available information on an organisation's risk profile and gain an
understanding of the risk management activities within the organisation.

Student note
Students should consider and review the module learning outcomes above and those listed for each
of the units. These go a long way toward informing students what they are expected to learn and,
importantly, what the basis of evaluation and examination will be.

6 Module syllabus

Understanding how risks change for different organisations and how they respond. Why different
organisations react differently.

Unit 1: Understanding the risk environment

Risk emphasis
Difference in the approach to risk management between sectors
What drives the changes in the risk environment
The global risk picture
How the definition of risk differs between sectors.

Unit 2: Organisational structures and their impact on risk management

Centrally controlled versus diversified organisations
The role of the centre in establishing risk management response
Culture of devolution of responsibility with accountability
The basis of 'power' in organisations and that of the Risk Manager

Unit 3: Risk governance

How risk management functions are positioned within organisations: reporting lines, chief risk
officer (CRO) function, terms of reference for risk/audit and other teams
How all aspects of risk are managed in organisations: risk committees and risk round tables
How corporate governance requirements motivate directors towards risk management
Role of shareholders in influencing risk management
Importance of risk reporting, internally up through and across organisations and externally to
stakeholders

Unit 4: Acceptance of risk in organisations

How risk appetite drives an organisation's response to risk
What characterises an organisation's approach to the appetite for risk
National cultures and their influence on the risk profile of an organisation
How contingency planning, crisis management and recovery planning play their part in
managing risk.


7 Module learning activities

The module requires students to read the Module Two core text (Butterworth, M and Archer, R, Risk
and Organisations, 2011) and other assigned readings, and also to carry out some research in order
to understand the real world context of how organisations address risk. The Module Two core text
contains case studies throughout and students are recommended to research how different
organisations address risk through the information available on organisations' websites, especially in
annual reports and accounts.

7.1 Required reading

1. Butterworth, M and Archer, R, Risk and Organisations, 2011, (Core study text)

2. Research into the Benefits of Enterprise Risk Management, undertaken by DNV for
AIRMIC, 2008

3. Global Risks 2010: A Global Risk Network Report, The World Economic Forum, 2010

See www.youtube.com/watch?v=qRjnTV5wZAg for an introduction to Global Risks 2010

4. Rethinking Risk Management in Financial Services: Practices From Other Domains,
The World Economic Forum and Boston Consulting Group, April 2010

5. Biodiversity and Business Risk, The World Economic Forum, 2010

6. Young, P C, “Private sector and public sector risk management: Is there a difference?”,
Managing Risk in Local Government, Chapter Three appendix, April 2007.

7. Executive Summary: Evidence based evaluation of the scale of disproportionate
decisions on risk assessment and management, prepared by Greenstreet Berman
Limited for the Health and Safety Executive, RR536 2008

8. Ward, S, Risk Management Organisation and Context, Chapter 6 – Roles of the
Corporate Risk Manager, 2004

9. Waring, A, and Glendon, A I, (1998), Managing Risk, Thomson Learning, Chapter 5 -
Power and Risk.

10. The Turnbull Guidance on Internal Control: Revised Guidance for Directors on the
Combined Code, Financial Reporting Council, 2005 (or the governance code of a
country other than the UK that guides internal control).

11. Hutter, B M, and Jones, C J, Business Risk Management Practices: The Influence of
State Regulatory Agencies and Non-State Sources, London School of Economics -
Centre for the Analysis of Risk and Regulation, 2006

12. AIRMIC Risk Appetite Supplement, September 2008


13. P Woodman and P Hutchings, Disruption and Resilience: the 2010 Business Continuity
Management survey, March 2010

14. M Layton and R Funston, The Value Killers, Strategic Risk, June 2005

15. IRM, Risk Appetite and Tolerance, September 2011

7.2 Reading materials and reading expectations

“What am I required to read?” This is a question commonly asked by Diploma students, and it is
important that they understand the IRM's position on this matter.

Students will immediately notice that this module handbook lists only required reading and does not
include recommended reading lists. Required reading is self-evident: the texts that are listed must be
read. Failure to do so virtually guarantees that the student will fail.

However, the IRM also expects students to read and study beyond the required reading list. As the
Diploma represents a higher order learning experience, it is appropriate that students should
undertake some self-directed learning. How does IRM enforce its expectation? The structure of the
examinations and the marking scheme include recognition of additional reading and research. In other
words, part of the mark a student obtains will be based upon evidence that he/she has gone beyond
the required readings and brought other perspectives and material into his/her exam responses. It is
difficult to imagine that a student could receive the highest marks without including evidence of
additional study.


8 Unit 1: Understanding the risk environment

Life consists mainly of uncertainties. This stark fact should influence the perspective of any student
aspiring to a career in risk management. The almost complete absence of certainty in our lives will
come to mean two specific things in the Diploma programme:

1. It is imperative that a means be devised to organise one's thinking about risks, and

2. The ubiquity of risk should leaven our efforts with an appropriate degree of humility.

Total and effective risk management will always remain just beyond the manager's grasp, simply
because the future is not ever known with certainty and because it is beyond our mortal powers to fully
comprehend the great complexity of life. This humility, however, is not an admission of weakness.
Rather, an appreciation of our limits should serve as a spur to greater effort in understanding, greater
scepticism about the prognostications of experts and others, including ourselves, and a healthy view
about the best laid plans. Importantly, humility is also a critical ingredient of “resiliency”, which will be
identified later in the Diploma programme as an essential characteristic of a well risk-managed
organisation.

Given the extent of the challenge, the actual process of organising one's thinking about risks seems
daunting – and it is. However, there are ways to begin organising an understanding of risk in
organisational settings. Arguably, a few basic principles can help students begin to develop a view.
They are:

1. In organisational settings, "exposure" to risk is the essential motivation. As human beings,
managers may have concerns about many of life's risks and uncertainties but, as a disciplining
factor, exposure to risk is the primary motive for risk management. Does the presence of a risk
directly influence the organisation, its value and the pursuit of its goals? Without a clear or
compelling connection (exposure), it is managerially difficult to make the case that the risk is
an organisational concern.

2. The actual number of risks that matter is not large. This statement, of course, requires the
word “matter” to be clearly defined, and students will learn that materiality is not easily
established. Further, materiality can differ within the organisation itself (what worries line
managers may not worry executives). However, a disciplined approach to setting a standard of
materiality will narrow down risks to a more reasonably manageable array.


3. Organisational goals, especially risk management goals, will define the field of play. The
ultimate frame of reference for risk management is one in which the goals are clearly set, but
also in which the actual practice is left to the managers. Thus, it will prove important to set
expectations for risk management but less important that any one manager has a
comprehensive and technical command of all risks. With appropriate guidance, individual
managers will be able to identify and address the risks within their scope of responsibility.

4. Sometimes nothing can be done. At the end of the day, there may be a range of risks for which
no remedy is possible. The best that can be done is for managers to be aware of such risks
and to reach some level of agreement that such phenomena can be tolerated.

One of the structural purposes of Unit 1 is to take the discussion about risk covered in the readings in
Module One and begin to sharpen the student's focus on risk in organisational settings. In the interest of
facilitating that transition, this course handbook offers a brief and general summation of the subject of
risk with a particular eye on organisational implications. In the process of doing this, students will also
be reminded of basic terms and concepts they were expected to know upon entering the Diploma
programme.

Categories of risk
Over time, various categorisations of risk have been developed. While all the categories may be
useful in certain situations and contexts, the most commonly discussed are pure risks and speculative
risks. Pure risks are those risks with two possible outcomes: either nothing will happen or a loss will
occur. An organisation will either suffer a fire loss to a building or it will not. Speculative risks have
three possible outcomes: nothing happens, a loss occurs or a gain occurs. An investment in a stock
will result in investment gains, losses or a neutral outcome.

The pure risk/speculative risk distinction is somewhat arbitrary. However, psychologists have
demonstrated that individuals react differently to pure and speculative risks. (Basically, the presence
of a chance for gain in speculative risks tends to alter behaviour and provides an incentive for risk
taking). Thus, students should recognise that reactions to risk differ depending on the type of risk
involved. However, in many other respects, risks are risks.

What is ‘risk’?
'Risk' can have different meanings in different contexts. The ISO definition is "Effect of uncertainty on
objectives”. This is a broad definition of risk, which includes event-based risks and also uncertainties
(such as a lack of information or ambiguities). It also includes downside and upside uncertainty.


The traditional health and safety risk definitions are event-based, as it is the uncontrolled energy
release that causes the harm. A definition of an event-based risk might be 'Combination of the
probability of an event and its consequences'. These are often drawn as bowtie diagrams, such as
the one below.

[Bowtie diagram: causes on the left, the event in the centre, consequences on the right]

In bowtie diagrams, the major event is placed in the middle, with immediate and underlying causes to
the left, and immediate consequence and ultimate consequence to the right.

At the board level of large organisations, risks are often seen as changes in key long-term trends.
Examples of such risks could be a worsening in the industry's gross margin, increasing R&D costs and
brand erosion.

For engineers, with Hazard and Operability (HazOp) Studies, risk can be seen as a deviation from the
design intent. Within a HazOp study, all the different ways that flows in each component can deviate
from the intent are considered. Examples of deviations for a pipe might be: too hot, too cold, pipe
contains liquids other than intended, liquid in pipe flows the wrong way etc. HazOp risk identification
is very systematic.

Risks within a Failure Mode and Effects Analysis (FMEA) study are considered to be failure modes.
Within an FMEA, the failure modes for each design intent are identified for each component. For
example, if the design requirement of a wheelie bin is that it should be mobile, there are three basic
high-level failure modes: too much movement, too little movement or no movement. The failure
modes are a matter of pure logic rather than brainstorming.
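The HazOp and FMEA passages above rest on the same point: deviations and failure modes are generated by applying a fixed vocabulary to every parameter or design intent of a component, not by asking a team what it can think of. The Python below is an added example written for this handbook page; it is not from the core text or from any HazOp/FMEA tool. The pipe table mirrors the handbook's pipe example, the "message channel" table is an assumption showing the same method applied to an information flow rather than a physical one, and the brainstormed list is just the four pipe deviations quoted in the text.

```python
"""Systematic deviation and failure-mode enumeration (HazOp / FMEA style).

Added example for illustration; not from the handbook's core text or any
real HazOp/FMEA tool. Every table below is constructed.
"""

# HazOp: for each parameter of a component only certain guide words are
# meaningful (a pipe cannot have "REVERSE temperature"), so a study table is
# parameter -> applicable guide words. Constructed to mirror the handbook's
# pipe example (too hot, too cold, wrong liquid, wrong direction).
PIPE = {
    "flow": ("NO", "MORE", "LESS", "REVERSE"),
    "temperature": ("MORE", "LESS"),
    "composition": ("OTHER THAN",),
}

# Assumption, not from the page: the same guide-word method applied to an
# information flow (a message channel) rather than a physical one.
MESSAGE_CHANNEL = {
    "flow": ("NO", "MORE", "LESS", "REVERSE"),
    "content": ("OTHER THAN", "PART OF"),
    "timing": ("EARLY", "LATE"),
}

# The four pipe deviations the handbook lists, as a team might brainstorm them.
PAGE_BRAINSTORM = {"MORE temperature", "LESS temperature",
                   "OTHER THAN composition", "REVERSE flow"}

# FMEA: the handbook's three basic high-level failure modes for a design
# intent that is a function or quantity (the wheelie bin's "movement").
BASIC_FAILURE_MODES = ("no", "too little", "too much")


def hazop_deviations(component):
    """Every guide word x parameter deviation for a component, in table order."""
    return [f"{word} {param}"
            for param, words in component.items()
            for word in words]


def uncovered(deviations, considered):
    """Deviations the systematic pass produced that an ad hoc list missed."""
    return [d for d in deviations if d not in considered]


def fmea_failure_modes(intents):
    """Map each design intent to its basic failure modes, derived by logic."""
    return {intent: [f"{mode} {intent}" for mode in BASIC_FAILURE_MODES]
            for intent in intents}


if __name__ == "__main__":
    pipe = hazop_deviations(PIPE)
    print("pipe deviations:", pipe)
    print("missed by the brainstormed list:", uncovered(pipe, PAGE_BRAINSTORM))
    print("channel deviations:", hazop_deviations(MESSAGE_CHANNEL))
    print("wheelie bin failure modes:", fmea_failure_modes(["movement"]))
```

Running the script shows what the systematic pass buys: the handbook's four pipe deviations leave "NO flow", "MORE flow" and "LESS flow" unexamined, and those three are exactly the ones a guide-word table cannot skip. The same table-driven enumeration over the constructed message channel yields eight deviations without anyone having to imagine them.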

A hazard is something that has the potential to cause harm. A hazard is not itself an event, although
risks can be easier to identify once hazards are known. For the insurance industry, hazards may produce
perils which are actual causes of loss. The hazardous condition of an improperly maintained electrical
system may result in the peril of fire. The term opportunity serves as a speculative risk analogue to
peril. Changes in interest rates (a risk factor) may create an opportunity for less costly financing of a
major construction project.


Levels of risk
As noted previously, there is a broad consensus that at least three, and more likely four, levels of risk
exist within a typical organisation:

1. The political/governance level
2. The strategic level
3. The tactical or managerial level, and
4. The operational or functional level.

The political/governance level
Risk (and as will be shown, risk management) in organisations has a distinct political dimension. This
is the governance aspect of management, entailing the relationship of executives to shareholders and
stakeholders including regulators, rating agencies, consumers and the media. Primarily, but not
exclusively, this is the domain of the executive or the directors.

The strategic level
Sometimes overlapping with the political/governance level, this is the policy setting,
mission/goal/objective formulation part of the organisation. Generally, this is at the level of the
management team as well as top mid-level managers.

The tactical/managerial level
This level of risk and risk management within an organisation is essentially a mid-level manager
perspective. It focuses on risks related to budget and objective execution, programme management,
tactical decision making and intermediate-range decisions.

The operational/functional level
This can sometimes overlap with the tactical/managerial level, but it contains risks related to day-to-
day operations, short-term planning and execution, and functional performance.

The principal insight for students is that, in addition to the personal and individual factors that influence
a manager's view of risk, risk also is influenced by that manager's position within the organisation.
Thus, the vantage point he/she occupies will influence the process of
educating/training/communicating with colleagues.

8.1 Unit 1 Readings

In Unit 1, students are asked to think about the broad risk environment that surrounds and permeates
organisations. As will be discussed, that environment might be differently defined and structured, but
clearly there are a wide range of risk sources that must be understood. While it is not an exhaustive
listing, students should develop some awareness of risks arising from the physical, economic, political
and legal, social and operational environments. Additional segmentations might be useful to
understand, but the main point for students will be to recognise that risks arise from many sources and
that organisations “encounter” those risks in many different ways. The AIRMIC / DNV research
presents five case studies with different risk environments that have different approaches to
Enterprise Risk Management (ERM).

The risks that organisations face are inherently a product of the nature of their business. For example,
in financial services companies the regulatory regime is a primary factor in risk management.

Similarly, airlines operate under regulatory and licensing frameworks, and gaming organisations must
comply with strict legal controls.

Some industries involve especially hazardous activities, such as construction and engineering firms
where the dangers of injuries or fatalities to staff are ever present. Where organisations operate
overseas, they must take account of political and cultural risks, legal constraints and religious
expectations, as well as the risks associated with employment practices and language differences.

Further, many organisations need to take care to avoid collateral risks associated with their business,
such as pollution risks associated with chemical or process industries, food contamination in food
preparation and retailing, and even weather risks for concert or sports event promoters.

Students must also be mindful that there are broad and significant distinctions between risks in the
public and private sectors. The Young article presents an important set of distinctions between public
and private risks – a discussion that is particularly timely given the widespread interest in “outsourcing”
and “privatisation”. In numerous ways, the boundaries between public and private sectors are blurring,
and yet many issues that separate public from private risks remain. Thus, whether students work in
the public or private sectors, the subjects of risk and publicness are important to understand.

Risk analysis is more properly a topic in Unit 3, but students should begin to develop a sense in Unit 1
that a distinct shape will emerge to an organisation's risk profile, and that certain risks and risk
categories will emerge as central or core concerns. In the readings, an organisation's dominant strand
of risk is identified as the "risk emphasis", and in general terms it is against this risk emphasis that a
major part of the organisation's risk management response is directed.

Students should be aware of the global risks faced by nations. It is within this context that
organisations operate. Every year the World Economic Forum publishes its view on what are the most
significant core risks facing the world. The Forum also publishes research into specific risks – in 2010
it published 'Biodiversity and Business Risk', which considers how biodiversity risks impact on different
sectors.

The public perception of risk management is that it is excessive. Students should be aware of what factors
can lead to disproportionate treatment of health and safety risks, such as the fear of litigation. This is
outlined in the HSE report RR536.

8.2 Unit 1 Reading materials

Butterworth, M and Archer, R, Risk and Organisations, 2011, Unit 1 Reading

Research into the Benefits of Enterprise Risk Management, undertaken by DNV for AIRMIC, 2008

Global Risks 2011: A Global Risk Network Report, The World Economic Forum, 2011

Biodiversity and Business Risk, The World Economic Forum, 2010

Young, P C, “Private sector and public sector risk management: Is there a difference?”, Managing
Risk in Local Government, Chapter Three appendix, April 2007.

Executive Summary: Evidence based evaluation of the scale of disproportionate decisions on risk
assessment and management, prepared by Greenstreet Berman Limited for the Health and Safety
Executive, RR536 2008

8.3 Unit 1 Self-assessment

Students will be ready to move to Unit 2 when they can confidently answer the following study
questions.

1. What is the meaning of a “risk environment?”

2. Is it possible to define/identify underlying characteristics of organisations that influence the
form taken by the organisation's risk environment?

3. What is meant by the idea that organisations are “collections of contracts, obligations,
commitments and agreements?” What bearing does this have on the way we look at
organisational risks?

4. In general terms, what differences might be seen between the risk environment of a private
manufacturing firm and a governmental entity like a local authority?

5. Map a tentative “risk environment” for a generic organisation. The point here is not to be too
concerned with the characteristics of the organisation but rather to think about the general
structure of a standard risk environment.

6. Taking 5 a step further, reflect on the risk environment of an organisation with which you are
familiar (the organisation where you are/were employed, a famous business, an important local
firm or public organisation). Is it possible to rough out a risk environment map specific to that
organisation?

9 Unit 2: Organisational structures and their impact on risk management

If students accept that risks arise from the fundamental nature of organisations, a moment's reflection
on the implications of that view will reveal the daunting challenge of identifying, analysing and
measuring every single risk in an organisation's risk portfolio (and doing so in a systematic, timely, and
ongoing basis at that). How might such an undertaking commence? Putting some flesh on the bones
of the contractarian idea can help prepare students for the reading materials that accompany Unit 2.

An organisation is the result of conscious and rational, spontaneous and opportunistic, and required or
unavoidable arrangements between managers and resource holders. “Resource holders” is a term
that refers to a wide range of stakeholders and stakeholder interests. Regulators hold resources that
might be useful to an organisation, among them licences, permissions and legal authorisations.
Customers hold financial and other resources. Employees hold their own labour as a resource.
Vendors and suppliers have various resources, as well.

9.1 Unit 2 Readings

In a curriculum like the Diploma programme, it is sometimes difficult to draw lines around subject
matter. How far afield should the material wander to provide students with an adequate understanding
of risk management? The most expansive answer to that question would result in a programme very
much akin to an MBA, because risk is a phenomenon enmeshed in every aspect of organisational
management.

Certainly, one could argue, a student should come to understand financial management, managerial
accounting, marketing, operations, organisation theory and behaviour, human resources, leadership
and business law. Practicalities and logic dictate against imposing the MBA structure on the Diploma.
However, students should recognise that most of these subjects do make significant appearances
throughout the programme.

The governing principle in each case is to treat these subjects in the specific context of their
relationship to risk and risk management: a rule that allows IRM to introduce a wide range of topics in
a manageable fashion.

Here in Unit 2, the intention is to cover questions of organisation theory/design/behaviour and law in
the service of expanding students' understanding of organisational risks. An organisation is the
"playing field" for the practice of risk management, but organisations must also be understood
fundamentally as the conduits for risk and as a source of risk – and, to be exact, as a risk
management tool.

Organisations develop an operational and management framework according to various structural
factors. These will include structure by product line or industry specialisation, geographical area,
holding and subsidiary companies or “component” divisions, such as engines, bodywork, research and
development in a car manufacturer, or perhaps divisions as might appear in a police force, such as
crime prevention, criminal investigation, traffic, anti-terrorism, etc. Where the organisation has a
central head office, the question arises whether to address risk management uniformly and controlled
from the centre or by decentralised responsibility. There is scope for a hybrid option that is examined
in the study text.

Students should also come to recognise that, apart from the visible structure of the organisation, the
actual legal form of the organisation will have significant influence on the nature of risks. The most
obvious illustration of this point is the legal distinction between a public entity and a private firm.
Requirements, rights and duties are imposed on organisations depending on the legal form of
organisation, and these obligations are a significant source of risk in their own right. But, importantly,
there is a sense that the legal form of organisation is a form of risk management as well. The obvious
example of this is the joint-stock or limited liability organisation – a form that expressly exists to
distribute or limit the burden of risk.

A key issue that weaves throughout the discussion here is the nature of risk in international settings,
an issue prompted by the Unit 1 reading on global risks. It is somewhat true that risks are risks, no
matter where they occur, but the management of an international organisation does lead to rather
different issues and challenges.

The obvious challenges are anchored in cultural and language differences, but the actual technical
nature of risks can differ (weather and geological differences can lead to key differences in the
behaviour of natural phenomena), and the specific act of operating internationally can present some
distinctly unique issues (coordinating management of a global work force with differing rules and
requirements, or managing multiple regulatory regimes). Risk management in international
organisations is not just “risk management, except more so”. In many respects, it involves unique
issues and responses.

Unit 2 also highlights the importance of good communication. Understanding the respective roles of
the central and subsidiary managers is key to effective management of the organisation as a whole –
not least the activities that focus on risk management.

The responsibility for operating business controls will rest with all managers and staff, but the
overriding appetite for risk acceptance may well be dictated by the centre in the organisation. In all
cases of multi-function, diversified and international organisations, ultimately there must be
consolidation of risk information for management consideration at the highest level.

The Ward Chapter explores the role of the risk manager and the factors that influence the extent of
these roles. The Waring and Glendon chapter explores the relationship between power and risk.

9.2 Unit 2 Reading materials

Butterworth, M and Archer, R, Risk and Organisations, 2011, Unit 2 Reading

Ward, S, Risk Management Organisation and Context, Chapter 6 – Roles of the Corporate Risk
Manager, 2004

Waring, A, and Glendon A I, (1998), Managing Risk, Thompson Learning, Chapter 5 - Power and
Risk.

9.3 Unit 2 Self-assessment

Students will be ready to move to Unit 3 when they can confidently answer the following study
questions.

1. How does the design and structure of an organisation influence its risk environment?

2. What are the basic concepts that underlie “theory” of organisations?

3. What are the risk distinctions between international/global firms and firms that operate in a
single country? What is the general influence of culture on organisational risks?

4. What is power?

10 Unit 3: Risk governance

In Unit 3, students will be introduced to the technical aspects of organisational governance. In that
broader context, the issues of risk governance will be reviewed in some detail. This is important
because new corporate governance requirements around the world have created an environment of
external expectations for the practice of risk management. Risk management is no longer just a good
idea. It is, to a significant extent, required.

While governance is an issue appropriately placed in the context of risk leadership (Module Four of
the Diploma), it is also relevant to Module Two, but in the context of an exploration of organisational
risks. Specifically, students will be directed to think about how the management and administration of
an organisation are, of themselves, a source of risk.

How does the nature of the organisation's risk environment and its structure influence the ultimate
response that the organisation will devise? Also, conversely, how does that activity of management
within the organisation serve as a source of risk for that organisation?

The actual technical process of designing and implementing a risk management programme is fully
taken up in Diploma Modules Four and Five. Therefore, the discussion here in Unit 3 focuses on the
relationship of an organisation's risks to its general approach to risk management and vice versa.

For example, Diploma Module Four – Risk Leadership looks at the relationship of risk management
policy to overall organisational strategy, and examines external requirements that may impose risk
management expectations on an organisation. However, this discussion does not directly address the
question of how the risk environment shapes the organisation's risk management response.

To elaborate here, the nature of the risks and the organisation itself will go a long way towards
determining whether the risk management policy will be highly structured and bureaucratic or flexible
and informal. Policy mainly is dictated by the “facts on the ground”; only infrequently is it the other way
around.

Students must also be aware of the distinction between the discussion here and in Diploma Module
Five – Risk Solutions. Module Five enables students to design and implement a risk management
programme within an organisation, but there will only be indirect treatment of how the organisation
and its risk environment influence the design and management choices. For instance, a risk manager
may design a programme that stratifies responsibilities for risk management (Module Five), but the
question of where and why to draw those lines of demarcation is a distinctly different matter (Module
Two).

Specifically in Unit 3, students will review in more detail the positioning of the risk management
function within the framework of the organisation. The module discusses the role of the risk manager
and his/her positioning in the hierarchy of the organisation. The importance of the risk committee or
risk roundtable is analysed. This leads to discussion on risk communication, a unified risk language
and an agreement on the application of a risk management standard as the foundation for risk
management activities.

The unit then touches on the development of corporate governance and reviews how the growth of
influence of governance requirements has prompted actions from directors and senior managers in
regard to risk management. The unit reviews the development and importance of reporting across the
organisation – upwards to senior management, to regulators and externally to shareholders, rating
agencies and other stakeholders – as an extension to corporate governance.

One aspect of governance that deserves special attention is the influence of regulation on risk in
organisations. Government regulatory bodies and even non-governmental bodies like industry
councils, pressure groups and NGOs (non-governmental organisations, such as Oxfam) can have a
major influence on "external expectations".

This is, perhaps, the best example of the Unit 2 perspective. Do elements of governance actually serve
as sources of risk in their own right?

The Diploma does not intend to present students with a theory of regulation, but it is perhaps worth
noting a few salient aspects of regulation concepts and practices.

1. The presence of formal regulatory environments may be explained in a number of ways but
broadly is seen as a public reaction to a failure of self-regulation or of markets. At least in most
advanced democracies, the general objectives of regulation are to safeguard public interests,
to meet certain political/economic objectives (protecting national industries), to deliver desired
services that are not otherwise available and to restore poorly functioning markets to some
semblance of acceptable performance.

2. Regulatory actions might be conceived as existing on a continuum from benign neglect to
government-run markets (nationalised industries). There has been a tendency in recent years
to retreat from heavy governmental involvement in certain sectors (privatisation), so it is
possible to generalise that the overall vector of development has been toward de-regulation.

3. Having noted the importance of de-regulation, globalisation has produced a number of effects
on the regulatory environment, perhaps none more notable than the struggle to produce
uniform regulations and regulatory environments for a global economy. The key underlying
tension in this area has been the inability of sovereign nations to cooperate/collaborate and to
relinquish some autonomy in economic and political matters. This is not to say that
developments have not taken place. Indeed, the European Union is a living demonstration of
both the effort to find common ground as well as the huge difficulties in doing so.

4. Broadly speaking, regulatory regimes can adopt many philosophical approaches, but in the
Diploma it is useful to note that most schemes rest on either a “rules-based” framework or a
“principles-based” framework. Rules frameworks rely on reasonably explicit requirements for
compliance, whereas principles frameworks lay out broad outcome-oriented guidance, but are
less explicit about the specific measures necessary to meet regulatory expectations.

10.1 Unit 3 Readings

The core text addresses a number of broad issues pertaining to governance issues from within the
organisation. These include consideration of the location of the risk function and the general
relationship of those with risk responsibilities to other managers. Students are asked to think about
governance and overall management requirements and their influence on risks. Obviously,
governance sets terms and conditions within which risk management is undertaken, but here the core
text also emphasises governance as a basis for a range of risks that must be managed.

Students should be familiar with the major governance codes that relate to risk governance in at least
one country, such as SOX in the USA and The Revised Turnbull Guidance in the UK. They should
also be familiar with the latest developments.

The final material comes from Hutter and Jones and offers students a close consideration of the
impact of regulation on organisational risks and risk management. It provides a number of insights
about the interface of regulation and risk management. Some of these are rather abstract (what are
the regulator's goals and how is the regulator expecting an organisation to respond?), and some are
relatively practical (how much of a risk manager's time must be spent on monitoring the regulatory
environment?).

10.2 Unit 3 Reading materials

Butterworth, M and Archer, R, Risk and Organisations, 2011, Unit 3 Reading

The Turnbull Guidance on Internal Control: Revised Guidance for Directors on the Combined Code,
Financial Reporting Council, 2005 (or the governance code of a country other than the UK that guides
internal control).

Hutter, B M, and Jones, C J, Business Risk Management Practices: The Influence of State Regulatory
Agencies and Non-State Sources, London School of Economics - Centre for the Analysis of Risk and
Regulation, 2006.

10.3 Unit 3 Self-assessment

Students will be ready to move to Unit 4 when they can confidently answer the following study
questions.

1. What is meant by “risk governance”?

2. How do the challenges of risk governance influence the risk environment for a typical
organisation?

3. What are the possible levels of risk within an organisation? What is the meaning of risk
“materiality”?

4. How might the design or structure of an organisation influence the choices regarding the
design and structure of the risk management programme?

5. Reflect on an organisation with which you are familiar. How might the governance and the
management structure influence the practice of risk management within that organisation?

6. What is the influence of regulatory regimes on the nature of risk within organisations and even
the practice of risk management?

11 Unit 4: Acceptance of risk in organisations

Unit 1 introduces the idea of risk perceptions and preferences, and Unit 3 takes students through a
critical review of the subject in the context of decision making (How do perceptions of risk influence
managerial decision processes and the decisions themselves?). In Unit 4, the focus of discussion is
on the relationship of risk to the organisation as a whole, and its influence on the development of that
organisation's "view" of risk and its management.

To some students this may appear to be slicing the subject too thinly. However, this will prove not to
be the case for the following reasons:

- An organisation's risk policy is not simply the additive result of all individual managers' views of
risk, nor is it solely the result of group interaction. The organisational environment and the risk
environment impose constraints upon the development of an organisational risk policy and it is
essential that the policymakers explicitly understand those constraints.

- Organisation behaviour, certainly in response to risk, can only be understood in a holistic
context by looking at the organisation: its structure, culture, actions and processes, outputs,
constituent parts and stakeholders.

The question of risk leadership (covered in detail in Modules Four and Five of the Diploma) requires
managers to understand their organisations at a fundamental level. It can be argued that nothing is
more important to a risk leader than a firm understanding of his or her own specific organisation, its
environment and its behaviours.

At a human level, we all have a mental model for how comfortable we feel about risky situations.
Whether we seek high adrenaline activities such as mountain climbing, motor racing or skydiving, or
perhaps avoid these activities for more sedate activities, such as chess and music appreciation, there
are, nevertheless, risks associated with each approach. Why people are attracted to one risk profile or
another depends very much on the inherent nature of the individual.

So it is in regard to business or organisational risk. Some chief executives may be more comfortable
taking open-ended risks, venturing into the unknown and taking an informed gamble. Others will prefer
to have detailed analysis of new opportunities and to be very cautious about risk acceptance.

Derived from this, one will see a "corporate risk culture" that flows from the stance taken at the top
(managers quickly learn not to promote high risk strategies to a risk averse chief executive), which will
then manifest itself as the organisation's risk appetite.

As well as the stance that derives from an individual chief executive's risk position, national trends, or
"norms" may influence an organisation's risk appetite, such as US firms that often have strong
entrepreneurial personalities.

Delivering a coherent risk acceptance/aversion strategy requires good communication to ensure a
unified approach. Risk acceptance levels may be stated in written documents or management
manuals. Other organisations with more relaxed attitudes to risk taking may set policy more informally.
As an adjunct to its risk appetite stance, an organisation will develop a strategy for accepting or
otherwise treating risks.

Following on from the establishment of a risk appetite, organisations will take steps to minimise the
impact of events when they occur, through efforts like contingency planning, crisis management and
recovery planning. The extent of an organisation's investment in these activities is an important
feature of risk acceptance and the wider stance on risk management generally.

As students proceed through Unit 4, an opportunity for reflection arises – an opportunity which
students are advised to undertake. How do organisations come to a consensus view about risk?
Diploma Modules Three, Four and Five will address this issue from a number of technical and
practical perspectives, but at this point in the programme it is useful to think about the question in a
very broad, general way.

Throughout the balance of the programme, students will come to see the critical importance of
organisations developing a view about risk and, in fact, developing a formalised policy regarding risk.
There will be illustrations and cases that expand upon this point, but at this moment students should
stop to consider how collections of individuals can or do move to some level of agreement about risk
and its management and, beyond that, how a view, belief or value regarding risk becomes
integrated into an organisation's culture. Students already know that individuals bring very personal
influences into their perception of risk, and getting a collection of individuals to reach consensus is, to
put it plainly, easier said than done.

Equally importantly, students should reflect on how organisations and their cultures can change
previously held views about risk. Indeed, this is a common challenge for the typical risk manager.
Such an individual is rarely dealing with a newly forming organisation that has the opportunity to start
with a blank piece of paper to consider risk. Rather, the manager typically enters an existing
organisation and must work with or against pre-existing views or beliefs. So, the question of how
consensus forms must be supplemented with consideration of how consensus can be changed.

11.1 Unit 4 Readings

The core text discusses the concept of risk policy and the text anticipates many of the issues covered
in Unit 3, especially with respect to psychological and cultural aspects of risk within organisations.
However, here the focus is mainly on the way organisations think about the totality of their risks.

The report 'Managing Threats in a Dangerous World' (March 2011) gives an overview of
Business Continuity Management (BCM), including sector statistics that show BCM differs between
sectors.

The Value Killers document describes the major causes of loss of value, based on research.
The Value Killers are very different from the risks that Business Continuity Plans (BCPs) are traditionally
developed to manage.

11.2 Unit 4 Reading materials

Butterworth, M and Archer, R, Risk and Organisations, 2011, Unit 4 Reading

IRM, Risk Appetite and Tolerance, September 2011

P Woodman and P Hutchings, Managing Threats in a Dangerous World report, March 2011

M Layton and R Funston (Deloitte), Disarming the Value Killers – A Risk Management Study, 2005

11.3 Unit 4 Self-assessment

Students should only proceed to preparations for the examination when they have completed the
following activities.

1. Students should consider their own risk appetite. As an extension to this, students should think
about how they view strategic developments in organisations, such as a merger, acquisition,
new product development or perhaps changes to internet trading, and ask themselves how
“risky” they feel the venture is.

2. Students should research major risk events and consider the business interruption implications
and how they feel an organisation handled the immediate crisis and the longer-term business
recovery.

Appendix: Self-assessed answers, comments and suggestions

Unit 1: Understanding the risk environment

1. What is the meaning of a “risk environment”?

In general, the term refers to sources of risk. Risk environment is a construct that is widely used to
organise thinking about the wide range of risks that organisations encounter. There is a wide degree
of variation in models that set out risk environments, but commonly the term is applied generically to
refer to the universe of risks an organisation faces. However, the term is refined to also apply to
specific types of risk sources, such as the physical environment, the economic environment, and so
on.

2. In what way is it possible to define/identify underlying characteristics of organisations that
influence the form taken by the organisation's risk environment?

There are several ways to answer the question. One could first differentiate between the sectors in
which an organisation operates (public, private, non-profit) as there are general distinctions that are
influential to the form and substance of the risk environment. Size and organisational structure (small
or large, bureaucratic or matrix) can be important and, of course, culture (informal versus formal,
closed versus open) can be a factor. The specific nature of the work may be an underlying factor
(manufacturing, research, consumer product design). External factors like the regulatory climate and
even the geographic location may be other underlying factors.

3. What is meant by the idea that organisations are “collections of contracts, obligations,
commitments and agreements?” What bearing does this have on the way we look at
organisational risks?

The “contractarian” view of risks might be called the microbiology of organisational risk management
in as much as it organises our understanding of risks at the smallest observable unit of measurement.
This is metaphorical, but the imagery is useful because the challenge of building a comprehensive
view of organisational risks can be daunting.

Considering that organisations are built through the assembly of various formal and informal
arrangements allows risk managers to think about the individual arrangement and to understand the
risk dimensions of each arrangement within an organisation. This point also becomes more relevant
in later modules.

Considering risks in this way allows the risk manager to project his/her role into the early decision
making phase of contract formation where – arguably – one has the first and best chance to assess
and address risk.


4. In general terms, what differences might be seen between the risk environment of a private
manufacturing firm and a governmental entity like a local authority?

There are many possible differences in relation to:

- Forms of ownership (shareholders versus members of the public)
- Legal forms of organisation (private limited liability versus constitutionally authorised entity)
- Form of financing
- Nature of responsibilities
- Nature of stakeholders
- Rules and regulations

5. Map a tentative “risk environment” for a generic organisation. Do not be too concerned with
the characteristics of the organisation but rather think about the general structure of a standard
risk environment.

The main point of this activity is to have the student get an organising idea in his/her mind, but any
overall risk environment is likely to have to allow for some consideration of such features as the
physical, the economic, the legal and political, the social/cultural and internal operating environments,
and perhaps a few other features.

6. Taking 5 a step further, reflect on the risk environment of an organisation with which you are
familiar (the organisation where you are/were employed, a famous business, an important local
firm or public organisation). Is it possible to rough out a risk environment map specific to that
organisation?

Students will answer this question in their own way.


Unit 2: Organisational structures and their impact on risk management

1. How does the design and structure of an organisation influence its risk environment?

There are many ways to answer this, but one can imagine that organisations can be either big or
small, highly formal and bureaucratic, or informal and “flat”, concentrated or dispersed, focused (one
product or service) or diverse, and so on. The influences of design and structure will be fairly specific
to each organisation one might consider.

It would seem, however, that size would influence the organisation's ability to resist large risk events,
that informality might broadly enhance resiliency or flexibility, and that diversity of activities might
serve to “hedge” an organisation's exposure to any single event. One might also note here that
financial design and structure of the organisation would be nearly as important as the non-financial
aspects of design and structure.

2. What are the risk distinctions between international/global firms and firms that operate in a
single country? What is the general influence of culture on organisational risks?

Many answers are possible. Part of the distinction between global and national organisations is that
the geographic spread and issues pertaining to time and distance are different. Part of the difference
is found in the challenge of managing in multiple legal and regulatory regimes. Cultural and language
differences could be immense. The reading material also noted that the simple fact that a global firm is
managing and coordinating work in multiple environments might, in fact, lead to distinct issues that
just are not present in any analogous form in a national firm. For example, the work needed to
harmonise differences in culture and language might involve activities wholly unique to the global firm.

The impact of culture on organisational risks is profound. Culture shapes managers' and employees'
views of risks and this happens in obvious and subtle ways. Even organisational culture (as opposed
to national cultures) can be influential in shaping how the organisation and its people see the risk
environment. This subject got significant treatment in the Module One Adams' reading and will be
revisited in detail in Module Three.


3. What is power?

Power can be defined as “the probability that a person can carry out his or her own will despite
resistance” (Weber 1947).

Within an organisation, power is often treated as a unitary concept although it is a complex
phenomenon. French and Raven (1960) identified five bases of power. These are:

- Coercion - threat of decreasing another's outcome
- Reward - promise of increasing another's outcome
- Expertise - formal or specialised knowledge
- Legitimacy - rights or control / obligation of control
- Referent - personal affect, e.g. charisma.

Coercion and reward are exercised through sanctioning. Expertise and referent power are exercised
through influence. Legitimacy is exercised through authority.

Risk Managers tend to gain power through expertise. Not having line manager power, they often lack
the power of coercion or reward. Chief Risk Officers that sit on the Board carry legitimacy power.


Unit 3: Risk governance

1. What is meant by “risk governance”?

Governance refers to the rules and requirements for leading and directing organisations and may
consist of a number of factors: stockholder interests, regulatory requirements, standards of practice,
social responsibility and other expectations from stakeholders. Risk governance specifically relates to
those activities to comply with rules and expectations related to risk and risk management, and it
usually falls within the purview of directors and top managers.

The core text details the UK experience in this regard, but most developed countries have a generally
similar story to tell about governance requirements/expectations for managing risks. Students should
be familiar with (or make themselves familiar with) the rules that pertain in their country.

2. How do the challenges of risk governance influence the risk environment for a typical
organisation?

It might be argued that 10 years ago, the practice of risk management rested on an intellectual view
that “practising risk management is a good idea because risks can have negative effects on the
organisation's ability to meet its objectives and because risks can also lead to positive benefits for the
organisation”. While the intellectual argument still holds, risk governance changes now mean that
increasingly risk management is:

a) Required by external stakeholders (including stockholders, markets, regulators, rating
agencies and so on), and
b) Subject to penalties for failing to meet governance obligations.

3. What are the possible levels of risk within an organisation? What is the meaning of risk
“materiality”?

There are different ways of organising one's thinking about risk levels but students should be
conversant with the political/governance, strategic, the tactical/managerial and operational/functional
levels.

Materiality is, as it must be, a relative word that can be defined only in specific contexts. Generically,
materiality refers to “something that matters”. In more technical settings, like audit, materiality refers to
an issue that rises to the level of significance such that it must be formally reported.

With respect to risk in organisations, significance will vary at different levels of the organisation, which
is why the question here asks both about levels of risk and materiality.

Executives will set a level of materiality to risks (that is, the level to which risk must rise to be of
concern to them), and the other levels of management will, at least implicitly, peg their definitions in
relation to the overall organisational view.

4. How might the design or structure of an organisation influence the choices regarding the
design and structure of the risk management programme?

The answer is fairly obvious. An off-the-shelf approach to programme design will almost invariably fail
because the organisation's structure, design, and its culture will reject an alien intrusion. The design
and structure of risk management must accord with the organisation design, structure and culture.
Thematically, students must recall that, while there are many things that can be generalised about risk
management, risk management will be unique to each organisation in which it is practised.

5. Reflect on an organisation with which you are familiar. How might the governance and the
management structure influence the practice of risk management within that organisation?

Students will answer this question in their own way.

6. What is the influence of regulatory regimes on the nature of risk within organisations and even
the practice of risk management?

The reading on regulation lays out a reasonably straightforward look at the impact of regulation on
organisations. Students should note that regulatory compliance frequently becomes a major aspect of
the risk manager's job, and the dictates of regulators can become one of the key criteria by which risk
management performance is judged. It probably should also be mentioned here that the regulatory
environment can be as changeable as the weather, so the uncertainty associated with possible new
rules and requirements can be the basis for a highly material risk.


Unit 4: Acceptance of risk in organisations

1. What is risk appetite?

Risk appetite is the “amount and type of risk that an organisation is prepared to pursue, retain or take”
(ISO Guide 73:2009).

2. What is risk attitude?

Risk attitude is the “organisation's approach to assess and eventually pursue, retain, take or turn away
from risk” (ISO Guide 73:2009). The risk attitude of any organisation states how risk averse it is
without stating how much risk is within acceptable limits.

3. What are the major causes of major shareholder losses?

M Layton and R Funston (2005) identified the causes of major shareholder value losses (which they
called the ‘Value Killers’ – see research on reading list). Specifically they identified the largest one
month declines in share price for the 1,000 largest international companies (based on market value)
from 1994 to 2003.

The most important individual Value Killers were:

- Demand shortfall – 36 occurrences
- Industry crisis – 30 occurrences
- Cost overrun – 22 occurrences
- High debt and interest rates – 22 occurrences.

The Institute of Risk Management
6 Lloyd's Avenue
London EC3N 3AX
Tel: +44 (0)20 7709 9808
email: studentqueries@theirm.org
web: www.theirm.org
