Module 1 Introduction 1/1
  1.1 Introduction 1/2
  1.2 The Concept of Risk 1/2
  1.3 The Basic Risk Types 1/5
  1.4 The Concept of Risk Classification 1/26
  1.5 Exposure, Sensitivity and the Risk Profile 1/30
  1.6 The Concept of Risky Conditions for Decision Making 1/32
  1.7 The Concept of Risk Management 1/34
Module 2 Background to Risk 2/1
  2.1 Introduction 2/2
  2.2 Some Common Questions about Risk 2/3
  2.3 Some Common Misconceptions about Risk 2/6
  2.4 The Variable Significance of Risk 2/13
  2.5 Risk and the Decision-Making Process 2/21
  2.6 Risk Conditions 2/28
  2.7 Risk and Risk Management 2/37
  2.8 Case Studies 2/40
Module 3 The Concept of Risk Management 3/1
  3.1 Introduction 3/2
  3.2 Some Common Questions about Risk Management 3/3
  3.3 The Concept of Risk Management 3/5
  3.4 Risk Management Methodology 3/11
  3.5 Risk, Contracts and Procurement 3/48
  3.6 Risk Management Strata 3/61
Module 4 Strategic Risk 4/1
  4.1 Introduction 4/2
  4.2 The Concept of Strategic Risk 4/3
  4.3 Strategic Planning 4/10
  4.4 Using Scenarios to Respond to Uncertainty 4/50
  4.5 Risk in Strategy Implementation 4/91
  4.6 Corporate Governance 4/101
Module 5 Change Risk and Project Management as a Tool for Managing Change 5/1
  5.1 Introduction 5/2
  5.2 The Concept of Change Risk 5/3
  5.3 Change Management 5/23
  5.4 Project Management 5/35
  5.5 Project Management as a Tool for Managing Change 5/58
  5.6 Case Studies 5/87
Module 6 Operational Risk Management 6/1
  6.1 Introduction 6/2
  6.2 The Concept of Operational Risk 6/3
  6.3 Operational Risk Management 6/9
  6.4 Operational Risk – Categorisation 6/31
  6.5 Operational Risk Treatment Options 6/55
  6.6 Operational Risk Transfer by Insurance and Other Financial Means 6/78
  6.7 Case Studies 6/84
Module 7 Unforeseeable Risk 7/1
  7.1 Introduction 7/2
  7.2 Some Common Questions about Unforeseeable Risk 7/4
  7.3 Some Common Misconceptions about Unforeseeable Risk 7/7
  7.4 The Concept of Unforeseeable Risk 7/11
  7.5 Unforeseeable Risk Types 7/17
  7.6 Developing the Response 7/44
  7.7 Business Continuity Planning 7/53
  7.8 Contingency Planning 7/59
  7.9 Crisis Planning 7/66
  7.10 Case Study 7/70
Module 8 The Risk Interdependency Field and the Development of a Process Model 8/1
  8.1 Introduction 8/2
  8.2 Some Common Questions about Risk Interdependency and Process Models 8/4
  8.3 Some Common Misconceptions about Risk Interdependency and Process Models 8/7
  8.4 The Concept of Horizontal Risk Levels 8/10
  8.5 The Concept of Vertical Functional Divisions 8/17
  8.6 The Concept of the Risk Interdependency Field 8/22
  8.7 The Development of a Process Model for Strategic Risk Management 8/37
  8.8 Case Study on Risk Interdependency: Edinburgh Housing Subsidence 8/62
Appendix 1 Answers to Review Questions A1/1
Appendix 2 Practice Final Examinations A2/1
Index I/1

1 - Introduction
1.1 Introduction 1/2
Level and complexity of risks increase as a function of organisational size and complexity

1.2 The Concept of Risk 1/2
New forms of risk emerge (e.g. increased reliance on IT)
- Malicious interference, fraud, theft
- Increased vulnerability to external risk (e.g. power interruption)
Risk is inherent in every human endeavour
Maximum loss limit: upper limit of the range of acceptable outcomes
Risk analysis: function of the human cognitive process
Risk is not negative
- Must identify and manage risks, and ensure they do not threaten continued existence
- Positive: intimidates competitors
- Risk appetite: own range of acceptable outcomes
1.3 The Basic Risk Types 1/5
Classification typologies are built around the origin of the risk and the nature of its effect
Risk level:
- Strategic risk
- Change/project risk
- Operational risk
- Unforeseeable risk
Nature of risk: origin, characteristics, interdependencies
- Financial and knowledge risk
- Internal and external risks
- Speculative and static risks
- Risk interdependency
Categories can overlap
1.3.1 Strategic Risk 1/6
Corporate level: development/implementation of strategy
Assessment of market conditions and forecast of changes
- Market: economic variables
- Corporate governance: reputation, ethics
- Stakeholders: shareholders, business partners, customers, suppliers
Examples:
- Incorrect strategic plan: assumptions, environment, resources, organisational objectives
- Compromised plan: reorganisations, expected changes, processes not introduced (satisfactorily)
- External changes: environment, competitors, competing products, statutory controls
Strategic risk more difficult to model/assess than operational and change/project risk
Variance envelope:
- A: current position (market position, size, vulnerability, gearing, asset base...)
- B: desired position in X years
- Warning is signalled when strategy diverges beyond limit
Strategic Risk Management must detect, predict consequences, justify corrective actions

1.3.2 Change Risk 1/9
Change risk relates to both:
- Planned changes: engineered to achieve objectives
Projects (definition):
- Not main process of production
- Short
- Clear start and finish
- Relatively complex
- Clear time, cost, performance objectives
- Multidisciplinary teams (usually)
1.3.3 Operational Risk 1/10
Related to production process:
- Asset base
- People
- Legal controls
1.3.4 Unforeseeable Risk 1/10
Cannot be accurately forecast
Can sometimes be allowed for up to a point with contingencies
- After depletion must secure resources from elsewhere
Insurance: fire, flood, subsidence
Risk mitigation with appropriate precautions
Establishment of reserves
Business continuity plan (BCP) includes disaster recovery plan (DRP)

1.3.5 Financial Risk and Knowledge Risk 1/12
Financial Risk: market, credit, capital structure and reporting risk
Knowledge Risk:
- Information stored using IT
- Access to crucial business information
- People knowledge: acquired specific knowledge
  o Post-acquisition departures:
    - Disillusionment
    - Resentment
    - Loss of power and/or authority
    - Loss of motivation and commitment
    - Inability/unwillingness to adapt

1.3.6 External and Internal Risks 1/13
Internal risks: somewhat calculable and controllable
External risks: may be calculable but not controllable
External risks:
- Interest rate risk (influence on discount rate for NPV)
- Volatility risk: for purchased options, volatility increases value; for written options, volatility increases risk
- Convexity risk: e.g. a change in interest rate leads to a greater change in bond prices
- Time-dependent risk: insurance policy expiration
- Competitor risk: new company, product
- Customer demand risk
- Exposure risk: gearing, borrowing; oil producers to oil prices
- Shareholder risk (loss of confidence makes it difficult to raise capital)
- Political risk: home and neighbouring countries, fiscal policy, UK/Euro
- Legislative risk: change existing statutes, introduce new ones (e.g. green)
Internal risks:
- Operational process: HR, staff availability, capacity limit
- Legal risk: contracts, insurance policies – protection and liability not as perceived
- Liquidity risk
- Supply chain risk: more efficient SC => more dependent: supplier production continuity, supplier reliability (quality of products)
- Competence risk: employee and management
- Complexity risk: modern electronic systems difficult to understand/interpret quickly
- IT and technology risk
- People risk: difficult to replace, succession planning, IPR, expertise => rival
Speculative risk can lead to gain or loss: investment, internal reorganisation
- Share flotations, competitor activities, R&D investment, new products, economic activity
- Speculative business risk: trading with assets; spread among stakeholders
- Speculative financial risk: gearing ratio
Static risk can only lead to loss
- Minimise risk with safeguards and protection
- Insurance: fire, public liability, professional indemnity, personnel
- Reduce effects with insurance and by diversifying; no reward can be expected from static risk

1.3.8 The Concept of Risk Interdependency 1/23
Strategic risks can affect implementation of the strategic plan
Plan implementation involves internal changes which also produce change risk
- May also involve internal operational changes
1.4 The Concept of Risk Classification 1/26
First level equation for risk:
Risk = f(event, likelihood, impact)
Second level equation for risk:
Risk = f(event, hazard, safeguard)
Hazard: source of danger
Safeguard: mitigation or defence
Risk is residual and reflects the reduction of absolute risk attained through the control
1.5 Exposure, Sensitivity and the Risk Profile 1/30
Risk profile: risks that are acceptable for a given organisation at a given time
- Simple representation: list identified risks with impact and probabilities
- Complex software: conditional modelling with probabilistic branching
Exposure: measure of the extent to which an organisation's functions are open to risk
Outsourcing: transfers risk (does not eliminate it)
Risk may impact Key Performance Indicators
Firm sensitivity is a function of:
- Severity of exposure to occurrence of events
- Likelihood of events
- Ability to handle events
Questions for the risk taker:
- What are the possible outcomes?
- Are outcomes related?
- How sensitive are strategies, earnings etc. to occurrence?
- Is achievement of critical objectives affected?
- How capable are we of responding?
- How much potential reward is required to accept the risks?
- If we accept, do we have sufficient capital to absorb unforeseen losses?
1.6 The Concept of Risky Conditions for Decision Making 1/32
Conditions of risk: known unknown events; reasonable likelihood of event, and impact is assessable
Conditions of certainty: known event
Uncertain condition: unknown unknown event (e.g. great storm)
- Identify range of outcomes or discrete set of scenarios
- Resolve as much uncertainty as possible
- Reduce uncertainty to a level at which it can be contained within the limits of the RMS
  o Sufficient reserves and responsive mechanisms to cope
1.7 The Concept of Risk Management 1/34
Risk Management System (RMS) can reduce and control but not eliminate risk (elimination is not even desirable)
- Control mechanism to ensure risk remains within acceptable limits
- Typical RMS includes:
  o Identification
  o Analysis and classification
  o Controlled consideration of attitude/strategy
  o Safeguard related to appetite
  o Response process
2 - Background to Risk

2.1 Introduction 2/2

2.2 Some Common Questions about Risk 2/3
2.2.1 Introduction 2/3
2.2.2 Ten Questions 2/3
Is risk so bad that it should be eliminated at all costs? Zero risk is unachievable; cost grows exponentially as risk approaches zero
Risk takers adopt a portfolio approach
Risk breeds innovation
2.3 Some Common Misconceptions about Risk 2/6
2.3.1 Introduction 2/6
2.3.2 Some Common Misconceptions 2/6
!! Risk is bad
!! Better not to take risks: opportunity cost
Pitfalls
- Risks taken for the sake of taking risk: groupthink, bravado, desperation
- Potential gain greater than risk stake (may risk a lot for a little)
- Inaction due to opposition or apathy of others
- Risking more than can be afforded to lose
!! Some risks are so great they must be eliminated
!! If in doubt play safe
- People tend to avoid Type II errors (reject hypothesis unless they are sure)
  o Hypothesis right but rejected: Type I, easier to quantify
  o Hypothesis wrong but accepted: Type II, difficult to quantify
!! Groups make less risky decisions than individuals
- Anonymity in group
- Appearance as risk seeking preferred
- Increased risk shift over time and with greater diversification
!! Well-established groups more efficient at identifying and handling risk
- Groupthink: displacement (assuming group's objectives)
  o High peer pressure, delusions of importance, sense of invincibility, team filters (suppress dissent)
2.4 The Variable Significance of Risk 2/13
2.4.1 Introduction 2/13
2.4.2 Issues Related to the Significance of Risk 2/14
Most significant risks are those not identified
- Degree of assessment accuracy and extent of monitoring
- Root cause:
  o Failure to identify
  o Failure to assess
  o Failure to monitor
  o Failure to control
2.4.3 Risk Profile 2/19
Risk profile: probability of a given return for a risk or group of risks
- Summary of all the individual risks facing an organisation
2.5 Risk and the Decision-Making Process 2/21
Human cognition is enormous and extremely complex
2.5.2 Pattern Recognition and Attention 2/21
Decisions related to perceived rewards and risks
Pattern recognition: brain presented with stimulus through sensory organs
Attention: filter so the brain can focus on relevant information
Memory:
- Short-term memory stores basic pattern recognition information. After interpretation and subjective assessment it moves to long-term memory
- Long-term memory stores information about previous events where risks were evident and where they did or did not occur
  o Greater emphasis on negative past events
2.5.3 Bounded Rationality 2/23
Individual or organisation will generally opt for rational behaviour
- Pattern recognition and learning naturally preferred
2.5.4 Risk Forecasting and Prediction Momentum 2/24
Bounded rationality uses knowledge of past events and extrapolates: risk forecasting
- Use of the past to analyse the present
- Use of past and current to forecast the future
- Largely qualitative or subjective
- Modelling techniques can support it
- Not restricted to mathematical modelling
- Requires breadth of vision as well as modelling
- Is time-based (accuracy diminishes over time)
Two-stage process:
- Predict future based on past (without proposed action)
- Predict future based on past (with proposed action)
Forecasting considerations:
- Only as accurate as the data
- Time-dependent: the longer the timescale the less accurate
- Degree of change increases potential for inaccuracy
- Expensive: accurate records, complex modelling, intensive labour
- Vulnerable to intuition and bias
- Impact of unforeseeable events
- Takes place within a dynamic environment
Intuition: combination of experience and extrapolation using instinct
- Example of pooled interdependency using the cognitive process
- Can be individual or organisational
2.5.5 Summary 2/26

2.6 Risk Conditions 2/28
2.6.1 Introduction 2/28
2.6.2 Conditions of Certainty 2/29
Decision-maker knows which state of nature will occur. Double-headed coin
2.6.3 Conditions of Risk 2/30
Probabilities and payoffs are known.
2.6.4 Decision Making under Conditions of Uncertainty 2/32
No assigned probabilities. Possible outcomes can be identified.
Firm does not know in advance the magnitude of, and change in, key (external or internal) variables
Hurwicz criterion: Maximax
- Optimistic: maximise profits of the best case
Wald criterion: Maximin
- Pessimistic: minimise the maximum losses
Savage: Minimax
- Bad loser: minimise the maximum regret (difference between best and actual)
Laplace:
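The four criteria listed under 2.6.4, worked on a constructed payoff table, as an added example that is not part of the course notes. The notes label maximax as the Hurwicz criterion and list Laplace without a definition; the code follows the notes' labels and implements Laplace as the equal-probability average of each action's payoffs, which is an assumption of this example. The actions, states of nature and payoff values are constructed, and the table is chosen so that the criteria disagree, which is the point the section makes: with no probabilities, the choice depends on the decision-maker's attitude.

```python
"""Decision criteria under uncertainty applied to a payoff table."""
from typing import Dict, List

# Constructed sample payoff table: rows are candidate actions, columns are
# states of nature. No probabilities are assigned, so this is decision making
# under uncertainty in the notes' sense. Values are in arbitrary money units.
STATES = ["bad", "moderate", "good"]
PAYOFFS: Dict[str, List[float]] = {
    "defer":    [  0.0,   0.0,   0.0],   # do nothing: no gain, no loss
    "pilot":    [-10.0,  20.0,  40.0],   # small staged investment
    "bet_firm": [-90.0,  10.0, 120.0],   # large one-off investment
}


def maximax(payoffs: Dict[str, List[float]]) -> str:
    """Optimistic criterion (the notes label it Hurwicz): choose the action
    whose best-case payoff is the largest."""
    return max(payoffs, key=lambda action: max(payoffs[action]))


def maximin(payoffs: Dict[str, List[float]]) -> str:
    """Wald, pessimistic: choose the action whose worst-case payoff is the
    least bad, i.e. minimise the maximum loss."""
    return max(payoffs, key=lambda action: min(payoffs[action]))


def regret_table(payoffs: Dict[str, List[float]]) -> Dict[str, List[float]]:
    """Regret for (action, state) = best payoff available in that state minus
    the payoff this action actually obtains in it."""
    n_states = len(next(iter(payoffs.values())))
    best_per_state = [max(payoffs[a][j] for a in payoffs) for j in range(n_states)]
    return {a: [best_per_state[j] - payoffs[a][j] for j in range(n_states)]
            for a in payoffs}


def minimax_regret(payoffs: Dict[str, List[float]]) -> str:
    """Savage, the 'bad loser': minimise the maximum regret."""
    regrets = regret_table(payoffs)
    return min(regrets, key=lambda action: max(regrets[action]))


def laplace(payoffs: Dict[str, List[float]]) -> str:
    """Laplace criterion. Assumption of this example: every state is treated
    as equally likely, so the action with the highest mean payoff is chosen."""
    return max(payoffs, key=lambda action: sum(payoffs[action]) / len(payoffs[action]))


def decide_all(payoffs: Dict[str, List[float]]) -> Dict[str, str]:
    """Apply every criterion and return criterion -> chosen action, which
    shows directly that the criteria need not agree."""
    return {
        "maximax (Hurwicz, optimistic)": maximax(payoffs),
        "maximin (Wald, pessimistic)": maximin(payoffs),
        "minimax regret (Savage)": minimax_regret(payoffs),
        "laplace (equal likelihood)": laplace(payoffs),
    }


if __name__ == "__main__":
    for criterion, action in decide_all(PAYOFFS).items():
        print(f"{criterion:32s} -> {action}")
```

On this table the optimist bets the firm, the pessimist defers, and both the regret-minimiser and the Laplace decision-maker choose the pilot; swapping the payoff values changes which criteria agree, which is why the notes treat the decision rule as an expression of risk attitude rather than of the data.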
2.6.5 Section Summary 2/37

2.7 Risk and Risk Management 2/37
2.7.1 Introduction 2/37
2.7.2 The Need for a Risk Management Strategy 2/38
Structured risk management system:
- Range of analytical tools
- Operates at all levels (strategic, operational, project...)
- Risk universe: interdependencies
- Risks can be foreseeable, partly foreseeable, and unforeseeable
- Not infallible
- Complex and expensive
- Must be dynamic
- Organisation-wide
- Only as reliable as the people using it
- Must be calibrated
  o Danger of information overload or information omission
Emerging risks of phasing/fast-tracking and concurrent engineering
2.7.3 Risk and Risk Management 2/39
Identifiable stages:
- Registration system
- Classification
- Control of risk attitude
- Risk response
2.7.4 Summary 2/40

2.8 Case Studies 2/40
2.8.1 Case Study 1: Black Gold 2/40
3 - The Concept of Risk Management

3.1 Introduction 3/2

3.2 Some Common Questions about Risk Management 3/3
3.2.1 Introduction 3/3
3.2.2 Some Questions 3/3
3.2.3 Summary 3/5

3.3 The Concept of Risk Management 3/5
3.3.1 Introduction 3/5
3.3.2 Characteristics of an Effective Risk Management System 3/5
Effectiveness: able to identify and assess all risks that affect objectives
Enterprise-wide capacity: must also consider external risks
Practicality: usable, standardised across the organisation
Realism: detail not required for every risk; selective and sufficiently sensitive to highlight important risks
Compliance with internal and external standards
Cost efficiency: must add value to the organisation (difficult to identify losses that have been prevented)
Life-cycle applicability: duration of strategy, change implementation process, operational process
3.3.3 Organisational Requirements for the Successful Implementation of a Risk Management System 3/9
Formal risk management policy
Commitment to organisation-wide risk management
Accurate design and implementation planning
- Time, cost plan, long-term operation, resource allocation, formal management review and sponsorship
Design, implementation and operation management
3.3.4 Summary 3/10
3.4 Risk Management Methodology 3/11
3.4.1 Introduction 3/11
3.4.2 The Main Elements of a Risk Management System 3/11
Stages of framework:
- Risk context
  o Strategic, process, operational framework
- Risk identification
- Risk classification, analysis, evaluation
  o Primary risk drivers => risk map, grid
- Risk evaluation
  o Evaluate consequences
- Risk appetite
  o Attitudes of decision maker
- Risk response
  o Keep, transfer...
- Risk management system monitor and review
3.4.3 Risk Context 3/13
Define objectives and processes to attain objectives
- Strategic objectives, change, operational objectives
Organisational sensitivity: reserves, borrowing capacity
Work-breakdown structure
3.4.4 Risk Identification 3/15
Identified risk may give rise to new risks
- Consequential risks
- Cascade risks
Risk identification methods
- Source and effect
  o Identify risk effect
  o Brainstorm to identify cause and effect
  o Draw effect box and prime arrow
  o Identify possible causes
  o Develop proposed corrective action
- Brainstorming
- Delphi method
  o No expert interaction, anonymous contribution, steering group consolidates and distributes
- Nominal group technique
  o Brainstorm problem, list answers, discuss ideas, private individual ranking, display collective ranking
- SWOT analysis
3.4.5 Risk Classification, Analysis and Evaluation 3/24
Quantitative approach:
- Accurate, absolute variables
Semi-quantitative approach:
- Approximation or equivalent
- Numerical approximation of a qualitative assessment
Qualitative approach:
- Text, graphical representation; the majority of risk assessments
Risk classification:
- Risk type
- Risk source/scope
- Risk impact
Risk analysis:
1. Identify and evaluate all relevant information
2. Consider risk appetite
3. Consider risk characteristics
   a. Controllability
4. Establish measurement system
   a. Modelling/subjective
5. Interpret results
6. Make decision
Alternative approach:
1. Identify source and extract all relevant information
2. Identify all threats/opportunities (SWOT)
   a. Map variables that determine probability/impact
3. Assess probability and impact
4. Consider all available options
   a. Develop target risk map
5. Assess value added through approach
6. Set up monitoring and reporting system
Risk evaluation
- Code or descriptor labels the magnitude of risk
  o E.g. yellow, A1...
  o Defines response options
Risk map
- Similar to risk profiling, aka risk footprinting
- Quadrants (Y: impact, X: likelihood)
  o Red: immediate action
  o Yellow 1 (high impact, low likelihood): contingency planning, monitor
  o Yellow 2 (low impact, high likelihood): net effect as for Yellow 1
  o Green: ensure risks do not propagate
- Map is dynamic
  o Current risk map, target map, risk migration
- Variability limits
  o Boundaries and limits with confidence and sub-probabilities
Risk matrix
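An added example, not part of the course notes, that places a constructed risk register onto the four quadrants described above and reports risk migration between the current map and the target map (the "map is dynamic" point). The 1-to-5 scoring scale for impact and likelihood, the threshold of 3 for "high", and the register entries are all assumptions of this example; the notes do not fix a scale.

```python
"""Risk map: place register entries into the four quadrants and report
migration between the current map and the target map."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumptions of this example: impact and likelihood are scored 1..5 and a
# score of 3 or more counts as "high". The course notes fix no scale.
SCALE_MIN, SCALE_MAX = 1, 5
HIGH = 3

# Response per quadrant, as listed in the notes.
RESPONSE = {
    "red": "immediate action",
    "yellow1": "contingency planning, monitor",   # high impact, low likelihood
    "yellow2": "contingency planning, monitor",   # low impact, high likelihood
    "green": "ensure it does not propagate",
}


@dataclass(frozen=True)
class Risk:
    name: str
    impact: int       # Y axis of the map
    likelihood: int   # X axis of the map

    def __post_init__(self) -> None:
        # Reject scores outside the scale instead of silently mapping them.
        for field_name in ("impact", "likelihood"):
            value = getattr(self, field_name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(
                    f"{self.name}: {field_name}={value} outside {SCALE_MIN}..{SCALE_MAX}")


def quadrant(risk: Risk) -> str:
    """Quadrant a risk falls into on the impact/likelihood map."""
    high_impact = risk.impact >= HIGH
    high_likelihood = risk.likelihood >= HIGH
    if high_impact and high_likelihood:
        return "red"
    if high_impact:
        return "yellow1"
    if high_likelihood:
        return "yellow2"
    return "green"


def build_map(register: List[Risk]) -> Dict[str, List[str]]:
    """Risk map (current or target): quadrant -> names of the risks in it."""
    risk_map: Dict[str, List[str]] = {q: [] for q in RESPONSE}
    for risk in register:
        risk_map[quadrant(risk)].append(risk.name)
    return risk_map


def migration(current: List[Risk], target: List[Risk]) -> Dict[str, Tuple[str, str]]:
    """Risk migration: name -> (quadrant now, quadrant after planned controls)
    for every risk whose quadrant differs between the two registers."""
    now = {r.name: quadrant(r) for r in current}
    later = {r.name: quadrant(r) for r in target}
    return {n: (now[n], later[n]) for n in now if n in later and now[n] != later[n]}


# Constructed register: the same four risks scored before and after the
# planned controls (a second supplier source, order-entry validation).
CURRENT_REGISTER = [
    Risk("single-source supplier failure", impact=4, likelihood=4),
    Risk("data centre fire", impact=5, likelihood=1),
    Risk("minor order entry errors", impact=2, likelihood=4),
    Risk("office printer outage", impact=1, likelihood=2),
]
TARGET_REGISTER = [
    Risk("single-source supplier failure", impact=4, likelihood=2),
    Risk("data centre fire", impact=5, likelihood=1),
    Risk("minor order entry errors", impact=2, likelihood=2),
    Risk("office printer outage", impact=1, likelihood=2),
]

if __name__ == "__main__":
    for q, names in build_map(CURRENT_REGISTER).items():
        print(f"{q:8s} ({RESPONSE[q]}): {names}")
    for name, (src, dst) in migration(CURRENT_REGISTER, TARGET_REGISTER).items():
        print(f"migrates: {name}: {src} -> {dst}")
```

The migration report is what the "regular reports on red quadrant" item in 3.4.8 would draw on: a control that only moves a risk from red to yellow 1 still leaves it on the contingency-planning list, and the data centre fire stays in yellow 1 on both maps because nothing planned changes its impact or likelihood.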
3.4.6 Risk Appetite 3/37
Risk seeker, risk neutral, risk averse
Most organisations balance risk attitude
- Higher-risk investments for large earnings
- Lower-risk investments "as bankers": stable income stream
Creativity and risk inherent in some job types
3.4.7 Risk Response 3/39
Depends on:
- Nature of risk
- Detail of analysis
- Attitude of risk taker
Range of variables:
- Company policy
- Duration of exposure
- Individual interests
- Voluntary/involuntary risk
- Alternatives
Risk distribution (contract)
- Is the outcome worth the risk
- Who has greatest risk control
- Who has greatest risk liability
  o Onus on least affected; concept of vicarious liability (e.g. implied by employee action)
- What incentive does each party have
Risk response stages
- Identification of response options
  o Risk reduction
    - Training and development; redefinition of objectives
  o Risk transfer
    - Contract
    - Damage clauses
    - Insurance: insurability, premium cost, maximum probable loss, likely cost of loss
      - Full reinstatement
      - Probable cost if uninsured
  o Risk avoidance
    - Decision not to proceed
    - Rescission (determination) following breach of contract
    - Court rectification of unreasonable term: can nullify risky condition
  o Seeking information
  o Risk retention
    - Residual risk
- Evaluation of cost/benefit of option
  o Low cost for large risk reduction
    - Safety training
  o High cost for low risk reduction
    - E.g. flooding more common due to global warming
- Preparation/implementation of response plan
  o Project sponsor
  o Defined time, cost, quality
  o Clear aims and objectives
  o Monitoring and control system
3.4.8 Risk Monitoring and Control 3/46
Record all assumptions and evaluation processes
- System may be incorrect
- Items may be missed in identification
- Errors may occur during evaluation
Regular reports on red quadrant
- Constant programme review for handling risks
3.4.9 Summary 3/47
3.5 Risk, Contracts and Procurement 3/48
3.5.1 Introduction 3/48
For transactions with an external contractor or supplier
Purpose:
- Define risk
- Create degree of control
Competitive bids
- Description of works
- Terms and conditions
Protection against disagreement and conflict
- Inadequate documentation
- Incorrect estimates and pricing
- Unreasonable risk
- Insolvency
- Ambiguous specification
Commensurate risk:
- Inability to fulfil obligation due to own inadequacy or interference from outside events
Some contracts depend on uberrima fides (utmost good faith)
- Obligation to disclose all relevant information
3.5.2 Basic Contract Theory 3/49
Contract document:
- Signature block and project title
- Definition of terms and scope
- Information/facilities provided by client
- Approvals
- Terms of payment
- Working drawings
- Specifications
- Schedules
- General conditions (sector generic)
- Specific conditions
- Provision for change and variations
- Form of tender
- Appendix
- Dispute resolution
  o Arbitration
  o Alternative dispute resolution (ADR)
- Bonds and insurances
Prerequisites:
- Offer and acceptance
- Consideration (deposit, full payment)
- Capacity
- Legal relations (e.g. not valid if goods are illegal)
- Communication (of acceptance)
Alternatives to performance:
- Breach (one party acts in contravention)
- Rescission (error or misunderstanding judged by court)
- Rectification (judged by court)
- Void (e.g. goods are illegal)
- Termination/determination (by one party, potentially with reimbursement)
3.5.3 Procurement 3/53
Strategic versus project procurement
Procurement options consider:
- Internal environment (policy, strategy)
- External environment (external variables: e.g. interest rates, inflation, statutes)
Procurement phases
- Objective phase
  o Reconcile with project and corporate objectives
- Exposure phase
  o List possible sources
  o Advertise requirements and invite expressions of interest
- Alternative phase
  o Testing and evaluation
  o Verify capability
- Documentation phase
  o Works/requirements in full detail for bidders
- Tendering phase
- Award phase
  o Scrutinise bids: contract terms
- Contract administration stage
3.5.4 Characteristics of Contracts 3/56
Controllable risks
- Defective manufacture
Uncontrollable risks
- Adverse weather
Fundamental contractual risks
- Adequacy of design
  o Latent and patent defects
- Project eventual cost
- Safety and indemnification for accidents (professional indemnity insurance)
- Third party insurance
- Fire, flood...
- Completion deadlines
  o Liquidated (cash) and ascertained damages
Express and implied terms (professional services)
3.5.5 Transfer of Risk in Contracts 3/58
Risk transfer through indemnity clauses ("hold harmless" clauses)
- Ability of risk bearer to absorb damages
  o Ability to pay the costs incurred if the risk is realised
3.5.6 Variation Orders and Change Notices 3/58
Always some information that is missing at the tender pricing stage
- Variations allow changes to be made to a contract without invalidating it
3.5.7 Claims Risk 3/59
Client risk:
- Documentation: failure to provide; late; errors
- Delays by client consultant or nominated subcontractors
- Changes in statute
- Civil commotion, exceptional weather, war
- Determination of contract by client
Contractor can claim extension and/or costs
Client expected to carry insurance for:
- Fire, flood, lightning, aerial devices, radiation
Contractor expected to carry insurance for

3.6 Risk Management Strata 3/61
Strategic, change/project, operational, unforeseeable risk
Learning Summary 3/61
4 - Strategic Risk

4.1 Introduction 4/2

4.2 The Concept of Strategic Risk 4/3
4.2.1 Introduction 4/3
4.2.2 Strategic Risk Management 4/5
4.2.3 Ten Questions 4/6
4.2.4 Summary 4/9

4.3 Strategic Planning 4/10
4.3.1 Introduction 4/10
Strategic planning tenets:
- Must set strategic objectives
- Objectives must be realistic
- Resources must be allocated
- Rewards must show return for effort
Some organisations seek to reduce strategic risk related to the legislative and political process through lobbying
4.3.2 Definition of Strategy 4/14
Long-term direction and scope which an organisation achieves through allocation of resources in a changing environment to meet stakeholder needs
Constantly changing but needs a proactive approach
- Take all available information
  o From all sources/interfaces in the organisation
- Retain flexibility
- Use of structure establishes priorities and allocates resources
4.3.3 Strategy Process Model 4/16
Objectives
- Strategists
- Mission statement
- Gap analysis
Analysis and diagnosis
- Continuous process
- General environment
  o Identify issues/risks
  o Determine impact
  o Determine area of impact within organisation
  o Formulate response procedures
  o Monitoring by relevant department (e.g. sales for competitors)
- Industry and international environment
  o Location
    - Protectionism, tariffs, repatriation, currency stability
  o Product life cycle
  o Economic cycle
  o External risk events
- Internal factors
  o Target best opportunities available
  o Marginal analysis
  o NPV
  o Research and development
    - Which costs to measure, how to measure
    - When to abandon
    - Sensitivity analysis
  o Resource management
    - Reactive versus proactive
    - Short-term (hiring and firing) versus long-term
  o Vertical integration
    - Economies of scale, efficiency, supplier control
  o Value chain
    - Primary activities: logistics, transformation, marketing, sales, servicing
    - Support activities: procurement, technology, HR, management
  o Diversification
    - New customer base
    - Substitute for lack of R&D
  o Competence
    - Routine-based diversification
    - Resource-based diversification
    - Replication-based diversification
    - Unrelated
  o Culture (collective traditions)
    - M&A issues
  o Joint ventures
    - Acquisition of core competencies
    - Management of larger market risks
  o Competitive position
    - Distinctive capabilities
    - Strategic Advantage Profile
Strategic choice
  o Generic strategy alternatives
    - Stability (not stagnation)
    - Expansion
    - Retrenchment
    - Combined approach
  o Business-level alternatives
    - Cost-leadership
    - Differentiation
    - Niche
Tactical implementation
- Resource allocation
- Risk breakdown structure
4.4 Using Scenarios to Respond to Uncertainty 4/50
4.4.1 Levels of Uncertainty 4/50
Two levels
- Can the organisation identify risks
- Can it quantify likelihood and impact
Sources:
- People (subject matter experts, internal and external)
- Publications (Economist, Sloan Management Review, Harvard Business Review)
- Internet
- Tools (e.g. brainstorming...)
Scenario should reflect likely future trading environment
Three scenarios common: bad, moderate, good.
4.4.3 Scenario Planning 4/59
Plausible views of the future
- What if?
- Acknowledges future unknowns by highlighting critical areas of uncertainty
Steps
1. What are you trying to determine
   a. Go/no-go? (acquisition, advertising, investment)
2. What are the risks and opportunities
   a. Discontinuity drivers: dramatic and often unpredictable
   b. Trend drivers: may be predictable, often revolve around population and demographics
3. Rank risks and opportunities (impact, likelihood with map)
4. Understand connectivity
   a. Bowtie diagrams (cause/effect)
5. Develop the logic of the scenarios
   a. Identify and map critical variables
      i. Internal and external
6. Develop the scenarios
   a. Set of narratives for each scenario
7. Implications
   a. Consider vulnerabilities, exposure, sensitivity
   b. May consider entire risk profile as separate but linked variables in the risk interdependency field
8. Implementation and monitoring
Residual uncertainty
- Future is not reflected in one of the scenarios
- Unforeseeable events
- Positions
  o Define the future (shape the market)
  o Adapt to the future (rely on agility)
  o Contingent development (small investment that allows the organisation to join the market later)
Methods in conditions of uncertainty
- Bet the company (large investment)
- Options: limit risk, appropriate in a dynamic world
  o Time-based: option to delay
  o Investment: stagger investment
  o Implementation: test with pilot
  o Value: different ways to create value
  o Exit option
- No-loss alternative
  o E.g. reduce costs, research the market, develop competence
Risk appetite
- Should all capital be invested or some retained for alternatives
- Should risk be borne by the organisation or transferred through hedging or contracts
- How long should shortfalls be absorbed before investing in remedial action
Attitudes:
- Risk seeking: define the future regardless
4.5 Risk in Strategy Implementation 4/91
4.5.1 Introduction 4/91
Implementation process is long-term, high-cost
- Key reason for failure is execution
Strategic drift: deviation from objectives due to internal and external forces
- If external, must be corrected
- Failure to align internal resources
- Control depends on early detection (monitoring and control system)
Susceptibility to strategic drift
- Incremental rather than transformational change
- Strong authority culture
- Power centres around individuals
- Poor formal and informal communications
- Ignored warning signs
4.5.2 Strategic Drift – Internal Control 4/95
Cascade process to detect change and respond
- Review the strategy
  o Allocate resources
  o Challenge assumptions (validity and relevance)
- Critical success factors (organisational level)
- Key performance indicators (functional level)
- Critical business activities (may be organised hierarchically)
- Supporting issues (e.g. organisational culture)
  o Monitor and control process
    - Operational review and internal audit
    - Information system: staff turnover, accident rates, sales visits, product development times, quantity and reliability rates
4.5.3 Strategic Drift – External Monitoring 4/100
Key environmental indicators: risks that can have a direct effect on the outcome of the organisation's strategy
4.6 Corporate Governance 4/101
4.6.1 Introduction 4/101
Corporate governance: the way in which organisations are directed and controlled
- Primary governance: legislation on trading, directors, insolvency...
- Secondary governance: within the organisation (often in response to legislation or codes of practice)
4.6.2 Elements of the Governance Structure 4/102
Companies must demonstrate alignment of actions with stakeholder interests
Key competencies of directors
- Strategic perception
- Analytical understanding
- Communication and interaction
- Achievement through risk taking
- Resilience, integrity, independence
High degree of transparency and disclosure to stakeholders
Learning Summary 4/105
5 - Change Risk and Project Management as
a Tool for Managing Change
5.1 Introduction 5/2
5.2 The Concept of Change Risk 5/3
5.2.1 Introduction 5/3
Change is good (innovation) and bad (disruption)
5.2.2 Risk Levels and the Impact of Change Risk 5/3
Strategic-change risk
- Strategy incorrectly planned
  o Strategic realignment risk (operational processes)
  o Corrective/tactical response risk
  o Cascade risk
- Original objectives incorrectly assessed
  o Strategic realignment risk
  o Objective definition risk (still not correct)
  o Corrective error risk (location of current point)
  o Corrective impetus risk
  o Resource consumption risk (during appraisal and evaluation)
  o Customer attitude risk (market misalignment)
- Original objectives changed
  o E.g. change in policy as response to external changes
- Unforeseen events
  o Reserve depletion risk
  o Response strategy implementation realignment risk
- New strategies evolved (business opportunities, unforeseen events)
  o Strategy/substrategy misalignment risk
  o Implementation system absorption
Operational-change risk
Internal factors
- New internal policies and procedures
- Obsolescence of processes and products
- Implementation of new sub-strategies
- Operational cost/budget reduction
- New products or working practices
- Innovation
External factors
- Changes in competition
- Evolution of competing products
- Varying customer demand
- Statutory compliance standards
- Absorption of non-standard work after merger
Project-change risk
Delays
- Errors/omissions
- Late instructions, deliveries, design
- Approval time lag
Costs
- Inaccurate estimates
- Increased scope
- Price increases
Performance/quality
- Defect rate
- Customer expectations
- New standards
Unforeseeable-change risk
- Degree to which it can be foreseen depends on
  o Previous occurrences
  o Level of information available
Response requirements
- Contingency depletion risk (unknown unknowns)
- Variance envelope amplification risk
- Unforeseeable risk creation and evolution
  o Innovative change can create new unforeseeable risks
  o E.g. new location => restrictions, suppliers, culture, infrastructure
- Competitor stimulation (innovation will be copied)
Planned change
- Originates as an optional decision; may be a strategic or tactical response
Imposed change
- External: government, competitors
- External-linked: shareholders
- Internal: e.g. departure of an employee
Internal and external change risk
Source internal:
- Type 1 Internal: effects largely internal
- Type 2 Internal: effects internal and external
Source external:
- Type 1 External: effects largely internal
- Type 2 External: effects internal and external
5.3 Change Management 5/23
5.3.1 Introduction 5/23
Significant proportion of change is planned
- Generates risk through disruption
- Generates follow-on change which creates further risk
5.3.2 Change Scope 5/23
Organisational change
- Risk from structure change
Cultural change
- Cultural characteristics
Organisational change
- Operational level opposition
  o New work practices, skills, duties, colleagues, communications systems
  o Pay cuts, job uncertainty
- Senior opposition
  o Reduction in authority, control
  o Personality clashes, promotion opportunities
- Pre-implementation:
  o Speculation/rumours
- Implementation
  o Disillusionment
- Post-implementation
  o Accustomed
- Magnified resistance
  o Strong cohesion
  o Poor formal, primarily informal communications
  o Perception of inequity
  o Process-driven / process-dependent systems
- Process dependence makes change more difficult to implement
Cultural change
- High levels of change resistance and inertia
Implications
- Allow for the importance of culture
- Remember leadership
- Recognise politics
- Consider interrelationships
- Allow for organisational causality
5.3.3 The Concept of Change Management 5/29
Change cycle – short periods of large-scale change interspersed with longer periods of lower-level changes
Change process components in problem-solving paradigm:
- Current state
- Desired future state
Objectives
- Transition objectives
  o Identify start and finish and degree of difference
  o Qualitative or quantitative
- Alignment objectives
  o Alignment of processes to converge current/desired state
- Application objectives
  o Securing resources/processes to support alignment
Approaches to change management
- Reward-based approach
- Coercive approach
- Expectant approach (later reward)
- Normative approach (normative pressure)
- Adaptive approach (people accept change if seen as necessary for competitiveness)
- Cooperative approach (democratic, consultative)
5.3.4 The Issue of Resistance 5/32
Resistance is one of the main obstacles to change
- From minor resentment to industrial action
Approaches
- Driver-restraint balance (force-field analysis)
  o Identify the goal
  o Identify the current condition
  o List the change drivers
  o List the change restraints
  o Assess the forces
    Magnitude, amenability to change
  o Initially accept or reject the change
    Probability of successful completion of change
  o Perform trade-offs
- Leadership
  o Way to achieve consensus
  Levels:
  o Ordering
  o Selling (better than ordering)
  o Participation (better than selling or ordering)
  o Sponsorship (best)
- Participation
  o Employee commitment
  o Employee contribution
- Cooperation to improve the status quo
  Drivers:
  o Degree of dissatisfaction with status quo
  o Desirability of end state
  o Practicality and risk of achieving end state
5.4 Project Management 5/35
5.4.1 Introduction 5/35
5.4.2 The Concept of Project Management 5/35
5.4.3 What Is a Project? 5/38
Primary alternatives for production
- Mass production
- Batch production
- Project (one-off)
5.4.4 Project Characteristics of Change 5/39
Primary characteristics of a project:
- Client specific
- Relatively complex
- Not main concern of organisation
- Multidisciplinary
- Short lifespan; full lifecycle
- Multiple objectives
5.4.6 Project Resources 5/43
Labour, plant, materials
5.4.7 Project Planning and Control 5/43
Major steps:
- SOW: statement of work
- WBS: work breakdown structure
- PLE: project logic evaluation
- Separate time, cost, quality planning
- Network analysis: CPM/PERT for DMS: draft master schedule
- Use trade-off analysis to re-plan
- Produce PMS: project master schedule
5.4.8 Project Cost Control 5/53
5.5 Project Management as a Tool for Managing Change 5/58
5.5.1 Introduction 5/58
5.5.2 Change in Project Success Criteria 5/58
Cost-change factors
- Cost of resources
- Over-expenditure of reserves
- Contract changes
- Interest, exchange rates
Time-change factors
- Delays in suppliers, instructions
- Variation orders
- Revision to handover/acceptance dates
- Delay of critical resources
Performance-change factors
- Customer demands
- Statutory controls
- Emerging incompatibilities
- Technology changes
- Competitor response
5.5.3 Change Moderation by Contract 5/60
Contract is a primary responsibility of the project manager
Objective of contract:
- Allocate risks to a mutually acceptable level of risk
Examples of the effect of unforeseeable risk:
- Invalidate contract
- Grounds for determination
- Grounds for reimbursement
- Grounds for time extension
5.5.4 Change Control Response 5/64
Stages of change control response (CCR)
- Detection and identification
- Forecasting of consequences
- Design and implementation of CCR
- Monitoring and re-evaluation of CCR
Burn-rate (ACWP) output trade-offs
- Do nothing: will result in overspend
- Reduce ACWP (actual costs)
- Modify the cash flow of BCWS
  o Usually PM has no direct control
- Speed up parts of works (BCWP)
  o Without increasing costs
Other trade-offs
- Time-cost trade-off most common
- Performance-cost
Probabilistic response: PERT
- Develop precedence diagram
- Calculate activity mean and standard deviation
- Identify critical path
- Calculate mean and standard deviation
  o Mean = (a + 4m + b)/6; SD = (b - a)/6
- Identify target completion date and variance about target
  o Project SD = sqrt(sum of the variances (SD^2) of the critical-path activities)
  o Probability of completion within ±1 SD 0.67, ±2 SD 0.95, ±3 SD 0.99
Change Control System (CCS):
- Uncertainty around underlying technology (e.g. IT projects)
- Creeping scope from increasing client awareness
- Changes to project baselines and execution rules
  o Moving goalposts: e.g. external event
Components
- Information tracking system
- Early identification of relevant information
- Research of scope, consequences
- Verification of accuracy
- Generation of formal change notice (COR: change order request)
- Approval from authorising body
- Monitoring propagation of decision
- Circulation of notice
- Final assessment of impact
Configuration Management System (CMS)
- Organisation-wide CCS
- Also controls other project-relevant information
- Security identifiers for each member (authorisation level)
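The PERT steps listed under 5.5.4 carried through in Python, as an added worked example that is not part of the course notes: activity mean and SD from the (a, m, b) estimates, a forward pass over the precedence diagram to find the critical path, the project SD as the square root of the summed critical-path variances, and the probability of meeting a target completion date from the normal distribution. The six-activity network and its durations are constructed for illustration only.

```python
"""PERT schedule analysis: precedence diagram -> critical path -> project SD ->
probability of meeting a target date. Added example; the network is made up."""
import math

# Constructed activity table (hypothetical project, durations in weeks):
# name -> (optimistic a, most likely m, pessimistic b, predecessors)
ACTIVITIES = {
    "A": (2, 4, 6, []),
    "B": (3, 5, 13, ["A"]),
    "C": (1, 2, 3, ["A"]),
    "D": (4, 6, 8, ["B", "C"]),
    "E": (1, 3, 11, ["C"]),
    "F": (2, 2, 2, ["D", "E"]),
}


def activity_mean_sd(a, m, b):
    """PERT activity estimates: mean = (a + 4m + b)/6, SD = (b - a)/6."""
    return (a + 4 * m + b) / 6.0, (b - a) / 6.0


def topological_order(activities):
    """Order activities so every predecessor comes before its successors
    (Kahn's algorithm); a cycle means the precedence diagram is invalid."""
    remaining = {name: set(preds) for name, (*_, preds) in activities.items()}
    order = []
    while remaining:
        ready = sorted(n for n, p in remaining.items() if not p)
        if not ready:
            raise ValueError("precedence diagram contains a cycle")
        for n in ready:
            order.append(n)
            del remaining[n]
        for p in remaining.values():
            p.difference_update(ready)
    return order


def critical_path(activities):
    """Forward pass on mean durations. Returns (path, project_mean, project_sd).

    The project SD is the square root of the sum of the variances (SD^2) of the
    activities on the critical path, not the sum of their SDs."""
    means, sds = {}, {}
    for n, (a, m, b, _) in activities.items():
        means[n], sds[n] = activity_mean_sd(a, m, b)
    earliest_finish, best_pred = {}, {}
    for n in topological_order(activities):
        preds = activities[n][3]
        if preds:
            # The predecessor finishing last determines this activity's start.
            p = max(preds, key=lambda x: earliest_finish[x])
            best_pred[n], start = p, earliest_finish[p]
        else:
            best_pred[n], start = None, 0.0
        earliest_finish[n] = start + means[n]
    end = max(earliest_finish, key=earliest_finish.get)
    path, node = [], end
    while node is not None:          # walk back along the binding predecessors
        path.append(node)
        node = best_pred[node]
    path.reverse()
    variance = sum(sds[n] ** 2 for n in path)
    return path, earliest_finish[end], math.sqrt(variance)


def prob_complete_by(target, project_mean, project_sd):
    """P(duration <= target), treating the project duration as normally
    distributed with the PERT mean and SD (normal CDF via erf)."""
    if project_sd == 0:
        return 1.0 if target >= project_mean else 0.0
    z = (target - project_mean) / project_sd
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


if __name__ == "__main__":
    path, mean, sd = critical_path(ACTIVITIES)
    print("critical path:", " -> ".join(path))
    print(f"project mean {mean:.2f} weeks, SD {sd:.2f} weeks")
    for k in (1, 2, 3):   # the +/- k SD windows quoted in the notes
        print(f"+/-{k} SD window: {mean - k * sd:.2f} .. {mean + k * sd:.2f}")
    print(f"P(finish by week 20) = {prob_complete_by(20, mean, sd):.3f}")
```

For the constructed network the critical path is A, B, D, F with a mean of 18 weeks and an SD of about 1.9 weeks, so a 20-week target has roughly an 85% chance of being met.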
5.6 Case Studies 5/87
5.6.1 Case Study 1: GEC Marconi 5/87
5.6.2 Case Study 2: Change Implementation Teams 5/91
Learning Summary 5/99
6 - Operational Risk Management
6.1 Introduction 6/2
Main involvement with risk management is operational
Not only controlling potential loss but also failure to realise opportunities
- Monitor and control strategy implementation
Risk profile is shaped by nature of operations
6.2 The Concept of Operational Risk 6/3
6.2.1 Introduction 6/3
Direct consequences
- Loss of life
- Destruction of equipment/property
- Lost production => lost revenues
Indirect consequences
- Reputation
- Legal restrictions
- Exclusion from mergers
- Requirement for strategic realignment
6.2.2 Classification of Operational Risk 6/4
Subject classification
- People, competence, knowledge
Relate processes to business
- What must occur for operation to be successful
Identify critical activities (pinch points, bottlenecks)
Allocate success and performance criteria to each bottleneck
Consider asset and resource dependence
Enterprise-wide risk management
- Align / coordinate internal control activities
- Ensure that investments reflect priorities of business
Functional manager oversees day-to-day risk management
- Specialists can provide advice and undertake complex procedures
Risk profile is a function of risk portfolio, risk attitude, external factors and the way the organisation manages them
Managing risks over which there is no control
- Contingency approach (alternatives)
6.3 Operational Risk Management 6/9
6.3.1 Introduction – From Conformance to Performance 6/9
Opportunities more likely to be rewarding if manager understands risks and has resources to manage them
Most people still see risk management as
- Complying with external standards
- Controls to protect assets and resources
Should also
- Improve linkage between risk and performance to exploit opportunities to the maximum
6.3.2 Risk Management Silos 6/10
Functions developed risk management in response to needs:
- Protect assets/resources
- Legal compliance
- Internally developed standards
- Transfer risk
- Manage residual risk
Prevent
- Prosecution, legal disputes
- Asset loss
- Traditional focus: control, compliance, finance
- New requirements:
  o Improving business processes
  o Assuring risk management
  o New profit sources
- Assurance over:
  o Revenue protection
  o Cost control
  o Risk management
  o Safeguarding information assets
Legal issues
- Increased complexity
  o Internationalisation
  o New fields (computer law, environmental protection) and increased sophistication (finance, company)
  o Liberalisation, deregulation
  o Increased litigation from consumers, citizens
- Responsibilities
  o Prevention and control of legal risks
  o Identification of legal means to achieve objectives
  o Optimisation of legal rights
  o Administration of company law
  o Support contractual negotiation
  o Responsibility for litigation
  o Issue of legal opinions
  o Advising on relevant legal developments
Treasury
- Transferring risks that arise out of transactions
  o Payments from abroad (currency fluctuations)
  o Terms of debt
- Treasury activities
  o Monitoring short/long term liquidity
  o Monitoring financial position with regard to covenant terms
  o Taking currency positions
Insurance
- Increased scrutiny as transfer medium given size of expenditure
- Emergence of captive insurance companies
  o May open up to third parties
- Convergence of insurance with securities market
  o Insurance covers only pure risks, not speculative losses
- Premiums dictated by:
  o Value/liability at risk
  o Capability of organisation to manage risk
  o Competitiveness and eagerness of market
- Capacity limitations
  o Verification of claim-paying capability
- No insurance for some of the biggest risks (e.g. economy, competition)
Quality management
- Level of risk depends on business (airliner, legal...)
- Insurance may cover direct financial consequences but not reputation
- ISO 9000 applies to both product and services organisations regardless of size
  o Create and implement quality policy
  o Internal audit
  o External audit and certification
- Main components of QM policy
  o Leadership requirements (strategy)
  o Product design
  o Purchasing
  o Contract review
  o Production
  o Inventory management
  o Inspection and testing
  o Non-conformance (feedback mechanism to improve corporate memory, avoid repeating mistakes)
  o Measurement
- Direct drivers
  o Government statutes
  o Risk of civil claims
- Indirect
  o Reputation
  o Up to 20x cost of compensation
- Central function
  o Provides guidance and training
  o Sets umbrella policy and procedures
  o Incident investigations, audits, liaison with enforcement agencies
- Preselection process for suppliers (BP)
  o Show capability to manage risk
Environment
- Less for cost of breach of legislation; more for reputation
  o Duties go further than legal requirements
- ISO 14001 Environmental Management System
- Direct financial costs: environmental taxes or levies (Kyoto: energy consumption)
Facilities management
- Security (physical)
- Fire
- Planned maintenance
- Utilities
- Insurance can only cover direct financial consequences
  o Customer, investor confidence
- Business continuity planning:
  o Critical services, equipment, production facility
IT security
- Ongoing security (confidentiality), integrity, availability
- Risk assessment and profiling
- Development of internal control policies and standards
  o IT security business strategy and policies
  o BCP and DRP
- Operations
  o Security administration, backups, training, monitoring, incident response
- Network
  o Firewalls, IDP, AV, remote access
- Infrastructure
  o Asset management, application security, AAA
6.3.3 Moving to Enterprise-Wide Risk Management 6/22
Failure of silo-based risk management
- Potential for omissions, duplication
- Focus develops that considers risk in isolation
- Lack of understanding (incorrect assumption on insurance)
Common language and terminology
- Risk for production different from finance
- Consider appetite for risk
EWRM
- All risks considered together by various business managers
- Specialists only advise and facilitate
- Identify risks, map likelihood and impact
- Consider risk response options and produce modified risk map, consider costs of mitigation
- Common understanding through shared language
  o Determine most significant risks across operations
- Additional benefit (beyond allocation)
  o Leverages the collective and coordinated capabilities (collective wisdom) across individuals and functions
- Trend:
  o Improve communication
  o Assess risk across business
  o Align control functions to manage risks
- Implementation status
  o Enron was leader in field in 2000
  o Basel II imposes on financial institutions
6.3.4 Summary 6/30
6.4.1 Introduction 6/31
6.4.2 The Main Categories 6/31
Risks to assets, resources and processes that are vital to deliver performance objectives
People
- Right number of appropriate people
- Right skill mix
- People who own relationships or have unique knowledge
- Global hot spots (e.g. call centres in Bangalore)
- Skills development and competence
- Succession planning
  o Unexpected and expected departures
- Covenants over employee activity (e.g. no-compete clause) may be unenforceable ("specific performance": restriction of trade)
- Risks
  o Leadership (direction, motivation)
  o Performance management (objectives are realistic, understood, aligned)
  o Communications
  o Personal activity (prohibited activity by employees due to inadequate communication of authority and responsibility)
  o Culture (agility to respond to new initiatives, strategies)
Processes
- Function that transforms inputs into a product/service of value to customer (internal, external)
  o Production, management, support
- Risks
  o Alignment to business objectives
  o Inability to meet requirements
  o Inefficiencies
  o Transaction errors
- Risk breakdown
  o Customer service
  o Research and development
  o Performance
  o Capacity
  o Quality
  o Supply chain
  o Distribution
  o Business interruption
  o Intellectual property/patent (withdrawal from market)
  o Product / service pricing (too low)
  o Contract commitments (unable to fulfil)
  o Control and monitoring
  o Budget and planning (incorrect decisions)
  o Accounting information
  o Financial reporting
  o Knowledge management
  o Investment evaluation
Asset and resource dependency
- Efficient asset utilisation implies higher dependency
- Risks
  o Capacity (elasticity)
  o Supplier dependency (single supplier)
  o Asset or resource bottleneck, single point of failure
  o Business interruption
  o Knowledge
    Learning, repeated mistakes, slow competence development
  o Contracts
    Knowledge of contract commitments, monitoring => risk of litigation and damages, reputation
  o Monitoring through IT
Information technology
- Confidentiality, integrity, availability
- Risks
  o Legacy: inability to advance
  o Authorisation: breaches of control
  o Dependency: loss of HW, SW or data
  o Capture risk (data interception)
  o User development: rogue application development, no monitoring and support
  o IT misalignment
  o Data corruption
6.4.3 Operational Risk – Alternative Analysis 6/42
Dependency and reliance create risk exposure
- Appear to represent pure losses but are coupled tightly to opportunity
Next level: requirement to perform at a certain level
- Internal: QMS
- External: statute
- Represents risk treatment (risk of failure to meet standard)
  o Reputation
Internally created risks
- Initiatives to manage another area of risk
  o E.g. implement a strategic plan (itself a response to internal and external factors)
- Quality management systems
  o Initially a differentiator
  o Now a prerequisite for many customers (ISO 9000)
    ISO 9000:2000: focus on customer
    Understand needs
    Meet requirements
    Exceed expectations
  o Double-edged sword:
    Differentiator
    Sets expectations: reputation suffers if not met
Externally created risks
- Globalisation => faster pace of change
- Compliance with health, safety, environmental regulation
  o Dependence on suppliers and subcontractors
- Statutory enforcement (e.g. Financial Services Authority)
  o Maintain confidence in (financial) system
  o Promote public understanding
  o Secure right degree of protection for consumers
  o Contribute to reduction of (financial) crime
- Regulation after privatisation (e.g. utilities)
  o Protect and advance interests of consumers
Unforeseeable risks
- Cannot be foreseen with information available
- May be detectable but likelihood is small so occurrence is unforeseeable
- Most unforeseeable risks result from cascade effects
6.4.4 Operational Risk – Delivering Performance and Implementing Strategy 6/49
Risk management closely linked to strategic planning
- Many organisations relegate it to internal audit
  o Over-reliance on assurance
  o Inability to develop risk ownership
- Most significant risk exposure is in implementing company strategy
Criteria set context for risk assessment
- Understand risks that hinder objectives
- Prioritise risks, allocate resources
- Those responsible for CSFs and KPIs must implement controls
- Internal audit to review progress and effectiveness
Strategy route map
6.4.5 Operational Risk – Protecting the Creation of a Brand 6/52
Risk of brand damage high if organisation is brand conscious
Corporate social responsibility
- Environment
- Human rights (labour exploitation)
- Health and safety
- Social policy
- FTSE4Good index
6.5 Operational Risk Treatment Options 6/55
6.5.1 Introduction 6/55
Internal control system
- Risk assessment aligned to objectives
  o Determine level of risk acceptable
- Develop control environments and activities
  o Communicate throughout organisation
Critical to establish control
- Reliable monitoring system
  o Early warning system
6.5.2 Control Measures 6/57
Risk avoidance means abandoning the opportunity
If opportunity kept then two options: transfer, control
Risk register
- List of all significant risks
- Organisation can track exposure
- Managers can monitor effectiveness of control measures
- Identify and track necessary corrective actions
Order of preference and efficacy:
1. Preventive hardware controls (most preferred)
2. Detective hardware controls
3. Preventive software controls
4. Detective software controls (least preferred)
Hardware controls
- Embedding control (e.g. time in microwave)
- Cost-benefit analysis
  o Preventive versus detective (reactive) controls
  o Alarms usually detective
- Involve training
- Risk of failure or override
Software-based control
- Group or individual action; rely on human behaviour
  o Misaligned priority risk
- Impairment 1: controls undertaken grudgingly
- Impairment 2: controls incorrectly located
- Policies on risk and control management
  o General statement of commitment and SMART objectives
    Reflect organisation's objectives
    Error targets, quality, accidents, efficiency gains
- Responsibility, authority and accountability
  o Early identification of those responsible
  o Appropriate authority, job description or responsibility
  o Reporting, assisting auditors
  o Necessary competence, allocation of resources (time, funds...)
- Accountability
  o Collection and analysis of data
Competence
- In the past acquired primarily through experience
- Training is now more common
- Determine role requirements and measure skills
- Continuing professional development to improve skill-base across organisation
Work procedures and instructions
- ISO 9000 uses them as a fundamental element in managing quality
- Standard operating procedures
- Need to be correct and accurate
Communications
- Critical linkage for software-based control
- Email is high volume but not always effective
Monitoring
- Responsibility of risk owner
- Determine what to monitor, how (visual, sampling, testing), frequency
- Should be defined by standard procedure
6.5.3 Maintaining Control and Improving Performance 6/66
Internal audit and control review processes
- Corporate conscience
- Promote operational efficiency, internal control and risk management
- Recommend to board and management
- Work to defined plan
- Break business down into series of interlinked processes
- Role not to develop controls but to ensure they are executed
External auditors
- Financial auditors for annual report (ensure GAAP compliance)
- Other industry-specific bodies for operational risk (shipping, petroleum, aviation)
  o Set performance criteria, may be voluntary or compulsory
- Verification of performance may be provided by standard-setting body
6.5.4 Contingency Planning 6/69
Controls can only reduce probability and magnitude of risk but not eliminate it
Unforeseen risk is not necessarily unforeseeable; also possible through
- Insufficient information
- Inadequate risk management system
- Inexperience
- Lack of foresight
Unforeseeable risk cannot be foreseen. Usually result of cascade risks with unforeseeable effects
Contingency planning is part of business continuity planning
Emergency response
- Evacuation, summoning emergency services, automatic shutdown
- Communications are often forgotten; central coordinator
- Perrier: denial => poor reputation
- Johnson & Johnson: recall, relaunch with tamper-proof packaging => high recognition
- Emergency response procedure
  o Reporting procedures for internal and external communications
  o Pre-incident preparation (roles, authorities, responsibilities)
  o Immediate actions to take
    Detailed procedures
  o Protection of personnel
  o Containment of incident
  o Assessment of effect
  o Communications with all stakeholders
  o Consider public authorities
Crisis management
- E.g. lost contact with aircraft
- Communications is main component (rumour/speculation)
- Map main risks to stakeholders and develop crisis management plan
Business continuity planning
- Primary concern is with unforeseeable risk
- Return to normal level after sustaining loss
- Pre-planned response to mitigate long-term impact
- May need to outsource functions, even to competitors
- Steps for defining plan
  o Business impact assessment
  o Incident response plan
- Business continuity plan
  o Immediate actions
  o Roles, contact details
Contents
  o Job descriptions of those involved in delivery
  o Action plans and checklists
  o Recovery team, roles, responsibilities
  o Support staff, coordinators
  o Location and equipping
  o Requirements
    Telecommunications, workspace, personnel, information
- Exercising plan
  o Verify that it is practically workable
  o Familiarise staff with operation of plan
6.6 Operational Risk Transfer by Insurance and Other Financial Means 6/78
6.6.1 Introduction 6/78
Insurance only covers financial loss
- Recognisable and quantifiable
Insurance business has tried to recapture losses of 11 September by increasing premiums
Questionable value for multinationals to insure with smaller providers
- Stable cash flow, budgeting
- Alternatives: captive insurance, specialist financial vehicles
6.6.2 General Insurance Policies 6/79
General insurance policy – covers assets, resources and business revenue
- Buildings and contents
- Business interruption
- Transit and marine (stock, equipment in transit)
- Computer insurance
- Public liability (damage or injury to third parties through activities or premises)
- Product liability
- Employer's liability (injury, illness of employees)
- Professional indemnity
- Contractor's all risks
Covers only defined events
In most cases potential liability is predetermined
Loss determined by post-loss assessment
Ambiguity as to which policy applies
Deductibles reduce insurance costs
6.6.3 Captive Insurance Companies 6/81
General insurance is based on overall performance but some organisations (e.g. telco) may have a different risk profile/performance
Captive insures risks of parent (sometimes uses a reinsurer to front the arrangement)
- Located in tax havens: tax-deductible benefit in home country
  o Benefit depends on fiscal regime
  o US/Europe imposing more stringent policies
- High-frequency/low-cost events: uneconomic to transfer to standard insurance carriers
- Low-frequency disasters for which no cover is available
Specialist insurance pool: created by industry rather than company
- International Oil Pool
6.6.4 Alternative Risk Transfer 6/82
Generic name for variety of financial vehicles to transfer financial consequences of loss
- Insurance derivatives, risk securitisation, catastrophe equity puts
- Chicago Board of Trade introduced insurance derivatives in 1992 (futures -> options -> option spreads)
Multi-line multi-year products (MMPs)
- Risk bundles ("baskets") where payment is contingent on joint losses of multiple risks
Contingent capital
- Option to raise capital subject to specified conditions
- In ART, instruments with terms that specify when and how much
  o Natural disasters, financial market risks
Insurance-linked securities
- Catastrophe bonds
  o Coupon and principal payments depend on performance of pool or index of catastrophe risks
- Investor, purchaser, issuer
  o Investor buys bonds from issuer: funds deposited in trust
  o Interest and payments from purchaser paid to investors as coupon
  o Otherwise at maturity repayment of principal to investor
6.7 Case Studies 6/84
6.7.1 Case Study 1: The Risk Overview 6/84
6.7.2 Case Study 2: Enterprise-Wide Risk Management 6/86
Learning Summary 6/87
7 - Unforeseeable Risk
7.1 Introduction 7/2
Both risks and their consequences can be foreseeable/unforeseeable
7.2 Some Common Questions about Unforeseeable Risk 7/4
7.2.1 Introduction 7/4
7.2.2 Ten Questions 7/4
Critical window: time lag from impact of unforeseeable risk to detection
Unforeseeable risk can impact at strategic, change and operational levels, but is much more difficult to identify and analyse.
Overall level of unforeseeable risk is increasing due to growing complexity of environment.
Insurance premiums generally increase exponentially with degree of uncertainty.
7.2.3 Summary 7/7
7.3 Some Common Misconceptions about Unforeseeable Risk 7/7
7.3.1 Introduction 7/7
7.3.2 Some Common Misconceptions 7/7
7.3.3 Summary 7/10
7.4 The Concept of Unforeseeable Risk 7/11
7.4.1 Introduction 7/11
7.4.2 The Relative Magnitude of Unforeseeable Risk 7/11
Examples:
- Hurricane, flooding, fire, terrorist attack
- Staff migration, death
- IT virus, hackers, system failure, website failure
- Industrial action, financial crisis, market demand change
- Corruption, espionage
- Process breakdown, product defects
7.4.3 Unforeseeable Risk Time Dependency 7/12
Response-time requirement
- Foreseeable risks: time to analyse the risk and develop a formal response
- Unforeseeable risk may only be identified on (or after) impact
Forecasting reliability
- Impact functionality: likelihood of a given unforeseeable risk impacting the organisation in a time-scale (risk increases with longer time-scale)
- Emergence functionality: likelihood of an unforeseeable risk emerging into the risk universe
Impact delay
- Non-time-dependent: e.g. fire (immediate impact)
- Strongly time-dependent: warranty (defect appears years after design)
7.4.4 The Scale of the Issue 7/16
Hurricane Andrew: $19.78B
Los Angeles earthquake: $16.3B
11 September: $25-30B
7.5 Unforeseeable Risk Types 7/17
7.5.1 Introduction 7/17
Disaster is the outcome of unforeseeable risk
7.5.2 Natural and Man-Made Disasters 7/17
Natural disasters
- Increasing magnitude and frequency
  o Global warming: storms in NA, Europe; drought in Middle East, North Africa
  o Population increase
Man-made disasters:
- Most are systems failure or human error
Combined natural and man-made
- E.g. ship sinking in hurricane due to welding defect
- Exacerbation of vulnerability
  o Deforestation, agricultural development, human density, wrong advice on hurricane path...
7.5.3 Internal and External Unforeseeable Risk 7/20
7.5.4 Project, Operational and Change Unforeseeable Risk 7/21
Risk can impact across all three risk levels
Also possible to classify according to the parts of the organisation where risks originate and impact
- Process/product
  o Production, maintenance, logistics
- People
  o Senior management, HR
- Finance/market
  o Finance
- Support
  o Administration, IT, R&D, legal services
- Interface
  o Sales, marketing, customer relations
Strategic unforeseeable risk
- Process and product
  o Market demand changed or incorrectly assessed
  o New technologies, competitors' products
  o Creeping scope of product
- People
  o Fraud, deception, corruption
  o Labour migration/defection
  o Rogue trader
  o Resistance to strategy
- Finance
  o Economic climate
  o Investor, competitor, customer trends
  o Demographic and population patterns
  o New accounting standards
- Support
  o Incompatibility between plan and technology
  o Unreliable technology
  o Evolving obsolescence
  o Over-ambition
- Interface
  o Trading interfaces
Operational unforeseeable risk
- Process and product
  o Human error, configuration and programming errors
  o Poor maintenance
  o Lack of backups and controls
  o System overload
  o Inadequate coordination
- People
  o Demotivation
  o Deception, fraud
  o Sabotage
  o Industrial action
  o Error
- Finance
  o Production obsolescence (erodes market)
  o Inflated costs
  o Changes in supplier process, reliability
  o Incompatibilities
  o Changes in customer requirements
- Support
  o Hackers, traitors, spies, viruses
- Interface
  o Direct liability: written warranty
  o Implied liability: varies from country to country, test of fairness and reasonableness
  o Magnitude
    Cost of repair and replacement
    Direct loss and expense
    Additional compensation
    Loss of reputation
Change unforeseeable risk
- Process and product
  o Design errors and incompatibilities
- People
  o Risks: reactance, resistance, collusion, IT intrusion, information leakage
  o Loss: death, illness, defection, dismissal, reallocation, transfer
- Finance
  o Share price sensitive to rumours and small levels of change
- Support
  o Incompatibility of support function with primary functional thrust
- Interface
  o Changes in public opinion
  o Interest rates
  o Performance of other projects and programmes
7.6 Developing the Response 7/44
7.6.1 Introduction 7/44
Balanced approach – combination of transfer and retention with control

7.6.2 The Informed Response 7/44
Three stages
- Reassessment of risk
- Informed risk financing and/or transfer
- Appropriate continuity, contingency, crisis management

Reassessment
- Business category (process, people, finance, support, interface)
- Scope
  o Brainstorming, what-if analysis, prioritising by frequency and severity, isolating mission-critical risks, determining extent of recent change
- Risk breakdown structure
- Risk magnitude (probability and impact)
- Risk linkages
- Risk interdependency field

Risk financing and/or transfer
- Insurance
  o Must cover the risk
- Partnering
  o Public-private partnering
  o Loss of control, creation of dependency
- Alliances and partnerships
  o Share assets, synergies, customers
  o Potential leakage, loss of control
- Contingency reserves
  o Most large organisations have strategic reserves
  o Banks required to maintain credit reserves
    With fully integrated and operational risk management, may be able to set the level themselves
  o Operational level through budget
    Relatively high at start of planning process; decreasing toward launch
- Continuity, contingency and crisis planning
  o Residual unforeseen risks
  o Treated through emergency planning
    Continuity planning – keeping organisation running during disruptive event
    Contingency planning – identifying and dealing with disruption on organisation-wide basis
    Crisis planning – emergency procedures necessary to maintain survival of organisation when impact reaches critical level
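The reassessment stage above is easiest to see on a concrete risk register. The following is an added worked example, not material from the course notes: it groups constructed sample risks by the five business categories (a risk breakdown structure), scores magnitude as probability x impact on a 1..5 scale, isolates the risks flagged as mission-critical, and follows risk linkages to build each risk's interdependency field. The `Risk` class, the function names, the 1..5 scoring scale and the "a triggered risk occurs with certainty" rule in `linked_exposure` are all my assumptions, chosen to show why a risk that looks minor on its own can rank first once its knock-on effects are counted.

```python
from collections import deque
from dataclasses import dataclass

# Business categories used by the notes' risk breakdown structure.
CATEGORIES = ("process", "people", "finance", "support", "interface")


@dataclass(frozen=True)
class Risk:
    rid: str
    category: str
    description: str
    probability: int          # 1 (rare) .. 5 (almost certain), assessor's estimate
    impact: int               # 1 (negligible) .. 5 (catastrophic)
    mission_critical: bool = False
    triggers: tuple = ()      # ids of risks this one would set off if it occurred (risk linkage)

    @property
    def magnitude(self) -> int:
        """Risk magnitude as probability x impact on the 1..25 scale (assumed scale)."""
        return self.probability * self.impact


def build_register(risks):
    """Validate a list of risks and index them by id; raises ValueError on bad input."""
    register = {}
    for r in risks:
        if r.rid in register:
            raise ValueError(f"duplicate risk id {r.rid}")
        if r.category not in CATEGORIES:
            raise ValueError(f"{r.rid}: unknown category {r.category}")
        if not (1 <= r.probability <= 5 and 1 <= r.impact <= 5):
            raise ValueError(f"{r.rid}: probability and impact must be 1..5")
        register[r.rid] = r
    for r in register.values():
        for t in r.triggers:
            if t not in register:
                raise ValueError(f"{r.rid}: linked risk {t} is not in the register")
    return register


def rank_by_magnitude(register):
    """Ids ordered by individual magnitude (frequency x severity), ties broken by id."""
    return [r.rid for r in sorted(register.values(), key=lambda r: (-r.magnitude, r.rid))]


def risk_breakdown(register):
    """Risk breakdown structure: category -> risk ids, highest magnitude first."""
    rbs = {c: [] for c in CATEGORIES}
    for rid in rank_by_magnitude(register):
        rbs[register[rid].category].append(rid)
    return rbs


def mission_critical(register):
    """Isolate the risks the assessor flagged as mission-critical, highest magnitude first."""
    return [rid for rid in rank_by_magnitude(register) if register[rid].mission_critical]


def linked_risks(register, rid):
    """All risks reachable through linkages from rid (its interdependency field).

    Breadth-first walk; the visited set makes it safe on cyclic linkages.
    """
    seen, queue = set(), deque(register[rid].triggers)
    while queue:
        nxt = queue.popleft()
        if nxt in seen or nxt == rid:
            continue
        seen.add(nxt)
        queue.extend(register[nxt].triggers)
    return seen


def linked_exposure(register, rid):
    """Exposure including knock-on effects.

    Simplifying assumption (mine, not the notes'): once a risk occurs, every risk
    it is linked to occurs as well, so the trigger's probability is applied to
    the sum of its own impact and the impacts of its whole field.
    """
    r = register[rid]
    total_impact = r.impact + sum(register[t].impact for t in linked_risks(register, rid))
    return r.probability * total_impact


def rank_by_linked_exposure(register):
    """Ids ordered by linked exposure, ties broken by id."""
    return sorted(register, key=lambda rid: (-linked_exposure(register, rid), rid))


# Constructed sample register (illustrative values only, not from any real assessment).
SAMPLE_RISKS = [
    Risk("R1", "process", "Configuration error in production change", 3, 3, triggers=("R3",)),
    Risk("R2", "process", "No tested backups of core systems", 2, 5, mission_critical=True),
    Risk("R3", "support", "System overload / service outage", 3, 4, mission_critical=True, triggers=("R5",)),
    Risk("R4", "people", "Deception or fraud by an insider", 1, 4),
    Risk("R5", "interface", "Loss of reputation with customers", 2, 5),
    Risk("R6", "finance", "Inflated supplier costs", 4, 2),
]

if __name__ == "__main__":
    reg = build_register(SAMPLE_RISKS)
    print("by magnitude       :", rank_by_magnitude(reg))
    print("mission-critical   :", mission_critical(reg))
    print("field of R1        :", sorted(linked_risks(reg, "R1")))
    print("by linked exposure :", rank_by_linked_exposure(reg))
```

On the sample data the configuration error R1 is only fourth by its own magnitude (3 x 3 = 9), but because it is linked to the outage R3, which in turn is linked to the reputational loss R5, its linked exposure is 3 x (3 + 4 + 5) = 36 and it moves to the top of the list. That shift is the practical point of recording risk linkages and the interdependency field during reassessment rather than scoring each risk in isolation.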
7.7 Business Continuity Planning 7/53
7.7.1 Introduction 7/53
7.7.2 Business Continuity Planning 7/53
BCP is part of the risk management system but also goes beyond it
- Safety net for major impacts not included elsewhere
- Need arises from growing complexity
  o Closer integration with suppliers and customers
  o Dependency on IT support
Related to the major incident response plan and the disaster recovery plan
- More diversified view:
  o Processes, communications, linkages needed for the organisation to survive

Format
- No standardised format
- Usually includes
  o Reserve
    Financial
    Technical (duplicate key areas)
    People (some full-time, some allocated to full commitment when impact occurs)
    Time (buffer in projects)
  o Plan covering procedures and systems
  o Organisational support and resource allocation
- BCP Management Team (BCMT)
  o Assess requirements
  o Design and operation
  o Scope definition
  o State resource requirements
  o Operate BCP when needed
  o Periodic trials
    Identify failures, improvements
    Report to senior management
- Particularly common in IT
- Consider risk criticality hierarchy
- Primary sections
  o Preliminaries, scope, assumptions
  o People involved
  o Operational procedures and processes involved

Preliminaries, scope, assumptions
- Scope: for example, limited to IT
- Assumptions
  o That each functional unit will contribute to the BCP
    Often called function recovery teams (FRT)
  o Will evolve in response to changes (internal/external)
  o Must be tested frequently

People
- Details of people
- Operational structure
- FRTs under the BCMT, concerned solely with recovery of their own function

Operational processes and procedures
- Incident detection (functional manager)
- Incident alert (to BCMT)