RISK MANAGEMENT FOR SUCCESS AND SURVIVAL
Risk Assessment - The Need
Risk management includes identification of risks; appreciation of their impact on the business and the likely frequency of occurrence; and implementation of steps to reduce that frequency to an acceptable level. There are legal and regulatory requirements for risk assessment and an implicit requirement for the officers of an enterprise to assess and mitigate the risks to it.
Control of Major Accident Hazards Regulations 1999 (COMAH)
In 1976, in a factory in Seveso, Italy, a toxic release from a pesticide process caused widespread contamination. This led ultimately to Control of Major Accident Hazards Regulations 1999 (COMAH). COMAH identifies ten generic categories of dangerous substances (e.g. "toxic", "flammable").
The principle of prevention is to reduce risk to A Level As Low As Reasonably Practicable (ALARP), using the Best Available Technology Not Entailing Excessive Cost (BATNEEC). Sites must also prepare a major Accident Prevention Policy (MAPP). High risk sites replace MAPP by a safety report which must be updated every five years and it will be made public.
Risk Management for Finance and the Finance Sector - Compliance Issues
One of the recent initiatives, with a global impact, is the Basel Accord, generated by the Basel Committee on Banking Supervision. The Basel Committee has produced a series of consultative papers, including A New Capital Adequacy Framework
In essence, the higher the risk, the greater the need for capital to cover its downside. This will also apply, directly or indirectly, to the risk weighting of exposures to banks, securities firms and corporates. The result will be that less has to be put aside to cover low risks, while high risks might require to be covered by more than the sum immediately at risk.
Food and Drugs Industries
The US Federal Drug Administration regulations demand batch and defect tracing which cannot be achieved following a disaster unless risk management and recovery planning is in place. Many industries have compliance and regulatory requirements, which require risk assessment and mitigation. An executive officer of a company can also be liable to criminal prosecution for a company's failure to comply with certain duties imposed by statute.
Hazard Analysis Critical Control Point forms the basis of the European Commission Hygiene Directive (93/43/EEC) commonly known as the HACCP principles. This covers food risk assessment literally from field to plate.
Statutory Requirement and Duty of Care
In many countries, the health and safety of staff is legally a personal responsibility of managers that cannot pass by delegation. Failure to assess and mitigate risk to employees could lead to the manager's imprisonment.
There is a growing tide of generic Health and Safety EC directives and legislation and laws and regulations involving specific hazards. Typically, employers' duties require a balance between protection and what is "reasonable and practical". The employer is required to balance cost against risk - but lack of cash or resource is not a defence against a known risk.
Being the victim can also create legal liabilities. In the UK, when a fire spread to an adjoining building, over 100 employees died because the doors to the fire escape were locked shut and the fire doors in the corridors were locked open. Prosecutions started for breach of fire regulations. The directors were prosecuted for manslaughter, the maximum sentence for which is life imprisonment. The company itself was also prosecuted. In The Herald of Free Enterprise trial (concerning the sinking of a roll-on roll-off ferry), the judge held that a company itself could be guilty of manslaughter.
Even if criminal liability is not established, loss of goodwill could kill the company. The media and the relatives of those who died can bring enormous pressure to bear - witness the aftermath of the sinking of the Marchioness (a pleasure boat on London’s River Thames).
A long line of US Cases stretching from Mozingo in 1905 to CBS Inc. v Henkin in 1992 has established that officers of a company may be personally liable to pay compensation for unsafe products and environmental damage.
In the UK there has been increasing government pressure - the Turnbull, Hampel, Greenbury and Cadbury reports and Home Office guidelines - to adopt risk management and mitigation as part of best practice management. There is also pressure from insurers and auditors - one auditor stated he would not sign off a company’s accounts unless they had a business continuity plan since he felt he could not certify it as a "going concern".
The Turnbull Report
Turnbull recommends that Directors set business targets to be achieved within timeframes. Directors should consider risks to these achievements. A risk approach identifies market changes, delivery mechanisms and operational process requirements and permits the company to respond to them swiftly, to grasp new opportunities promptly, and so gain, maintain or increase competitive edge.
The Turnbull approach is connected, through the Combined Code on Corporate Governance, to the Listing Rule disclosure requirements of the London Stock Exchange. Non-compliance with Turnbull would result in a disclosure on the annual report that could quickly attract adverse media comment and affect share price and credit rating.
Companies are challenged to create and maintain a high marketcapitalization and attract funds - both made easier by being able to prove strong risk management and internal control.
The Approach
High level business goals need to be broken down into very specific critical success factors and key performance indicators that can be monitored. These higher level indicators need to be cascaded down into very specific performance and risk markers. Early warning and reporting mechanisms need to be put in place immediately to highlight any deviation from the performance necessary to achieve the goals.
Focus should be on significant risks - those that could prevent mission and goal achievement. The guidance emphasizes a combination of a "top down" approach together with company-wide consultation as a basis for establishing sound risk management and internal control processes and methods.
Where a company is part of a group, "top down" and "bottom up" processes should be synchronized. Primary focus should be on risks significant to the whole group, while also addressing risks that are also significant to each subsidiary.
Turnbull also addresses joint ventures and associates and expects disclosure where these have not been dealt with as part of the group. International operations need to consider cross-border risk.
The Process
Threats are identified at a conceptual level (fire, flood, power loss etc.). Each asset is examined to identify how vulnerable it is to these theoretical threats. With these vulnerabilities in mind, risk can be analyzed and counter-measures considered. Cost justification of the risk reduction measures follows once the Business Impact Analysis (impact in cash and non-cash terms) has taken place. Thus the cost of the counter-measure can be balanced against the potential for loss.
Options for Risk Management
Options are:
- Accept the risk (do nothing)
- Avoid the risk (do something else - e.g. do not relocate to a flood plain)
- Reduce the risk (change the equation - e.g. install surveillance equipment to deter thieves; install uninterruptable power supply)
- Contain the risk (minimize the impact - e.g. do not put all eggs in one basket)
- Transfer the risk (give it to someone else - e.g. insure or outsource dangerous activities).
Effective risk management is a judicious selection from these options.
A Basic Approach to Risk Assessment
Risk can be categorized as Business, Financial, Compliance, and Operational. Examples of Financial risks could include Liquidity, Market, Overtrading, Interest, Currency, Fraud, Treasury etc. Risks can be priorities by categorizing them as:
- High impact, high probability
- High impact, low probability
- Low impact, high probability
- Low impact, low probability.
The Board can then determine
- The level of risk they find acceptable, depending on the risk / reward ratio
- The control strategy to avoid or mitigate the risk
- Who is accountable for managing the risk and maintaining controls
- What is the residual risk
- What is the early warning mechanism.
While the Board is overall responsible for a company’s internal control system and policies, line management is responsible for implementing policies adopted by the Board. It is responsibility of management to identify and manage risks, while a Board Committee could be responsible for monitoring risk and control, based on reports to them from management.
Operational Risk Management
For existing and new facilities, projects and processes we can examine risk in planning, development, implementation, operational use and after-use.
Geographically, we can examine risk associated with the place of use - the exact location, the area and the line (end to end topography of the infrastructure). This should cover both processes and technology used in them and processes and the infrastructure upon which they depends.
Management risks can be reviewed in terms of strategy, of the production process and operations.
For production activities, risk data may be gathered concerning pre-process activity, the core process itself, and post process activities. This should reveal risks related to operational strategy, management and operations. Interaction with associated (dependent) processes and parallel processes (e.g. using the same facilities) and any consequential processes can also be considered.
This will provide not just a powerful tool-set for risk management, but a risk-aware culture which benefits the whole operation. Often a risk and impact assessment provides the stimulus for improved control, procedures, resilience or processes - and this benefits the organization every day - not just in disaster.
Unfortunately many organizations still simply rely solely on insurance. Insurance has finite limits in the duration of business interruption payments; moreover the cause of the disaster may not be covered by or be excluded from insurance. Insurance usually only covers 30% - 50% of losses of disaster. Insurance pay-out can take a long time - up to several years - in complex cases or where several insurers are involved.
Critical Component Failure Analysis
Critical Component Failure Analysis identifies key dependencies and assesses the possibility of the failure of components and the lead-time to recover. A mathematical model (Monte Carlo Analysis) can be run to identify the likelihood of multiple component failures. When the impact of the loss of the component is identified, a cost/benefit case may be made to introduce redundancy, resilience or alternative paths and processes.
An Output Approach
One perspective on risk is to identify mission-critical outputs or deliverables. Having done this, one can then trace the facilities, processes and channels used in the development, creation and delivery of those outputs and deliverables. Interdependencies can be identified. The risk in each of these can then be assessed.
Risk Areas
When undertaking a Risk Assessment, we review the threats relating to:
- The business
- The neighborhood
- The premises
- The equipment or technology
- Personnel
- Materials and processes
- Suppliers.
Business risks may include making products with an unpredictable life cycle; over-dependence on key customers or suppliers; erratic cashflow; over-exposure to seasonal trade or fashion.
Neighborhood risks include the actual location. There may be neighbors undertaking dangerous processes or posing targets for malicious attack. The site may be at risk from seasonal flooding.
The premises may be more or less vulnerable to theft; they may be inherently secure or insecure.
Equipment and technological risks include reliance on obsolete technology; investment in unproven technology; exposure to premature obsolescence.
Personnel risks may include dependence on rare skills that are one deep or reliance on key teams who could be head-hunted by competitors.
Process and material risk arise from use of dangerous chemicals; processes creating potentially explosive dust or build up of potentially flammable grease; dependence on rare materials or materials with high price volatility.
Supplier risks could include supplier dependence. It may be difficult to find another alternative with sufficient immediate capacity. Over half of all outsourcing contracts involve dispute. Risk of prolonged service outage is often hidden in support contracts: a 95% monthly availability service level means something under four hours outage per month. If the maintenance contract has a four-hour "response" the service will inevitably fail its service level.
Enterprise Risk Management
Many of the basics of good risk management and internal control may have already been put in place by Business Continuity Managers, Risk Managers, Compliance, Operational Risk and Internal Audit functions. There is an increasing "emergence of convergence" of the various risk management activities into a single integrated function. We have named this holistic, coherent approach to risk "Enterprise Risk Management".
Table 1 provides examples of risks. Clearly the most significant threats should be the focus of attention.
Summary
Review the regulatory risk requirements for your industry: check compliance.
Consider risks to:
- The business
- The neighborhood
- The premises
- The equipment or technology
- Personnel
- Materials and processes
- Suppliers.
Identify:
- Threats
- Assets, including key outputs and deliverables
- Countermeasures, and decide whether to:
- Accept the risk
- Avoid the risk
- Reduce the risk
- Contain the risk
- Transfer the risk
Focus on the most significant threats. Weight the threats according to the probability of their occurrence. Prioritize risks in a risk reduction program. Consider insurance aspects.
Risk management is becoming fully integrated with the way businesses operate every day, and has benefits every day. Those organisations that manage risk effectively will increase productivity, improve profitability, reduce waste and create competitive edge. Risk management is not only about survival - it is about success.
Table 1: Example Threats
Threats may include the following:
|
Natural Disasters |
Operational & Man-made Disasters |
|
Flood |
Product failure |
|
Hurricane |
Loss of reputation - criminal act |
|
Tornado |
Loss of reputation - business error |
|
Typhoon |
Loss of critical customer |
|
Gales |
Fire |
|
Earthquake |
Terrorist activity |
|
Volcanic activity |
Civil disobedience |
|
Lightning strikes |
War / invasion |
|
Subsidence |
Contamination |
|
Insect infestation |
Neighbor's problems |
|
Rodents |
Denial of access |
|
Hacking |
|
|
Virus |
|
|
Theft |
|
|
Product contamination |
|
|
Equipment & Supply Failure |
Impact |
|
Air conditioning / plant failure |
Pressure waves |
|
Product contamination |
Building defects |
|
Software failure |
Operator error |
|
Hardware failure |
Loss of data |
|
Network failure |
Extortion |
|
Electro-magnetic radiation |
Out of stock situations |
|
Power failure |
Service level failure |
|
Loss of supplied services |
Quality defects |
|
Loss of special consumables |
Failed outsourcing / supply contract |
|
Premature technological obsolescence |
Failure of major project |
|
Loss of other critical assets |
Lack of innovation |
|
Failure to manage change |
|
|
Security breach |
|
Business |
Compliance |
|
Failed business strategy |
Breach of financial regulations |
|
Price war |
Breach of Companies requirements |
|
Recession |
Breach of monopolies legislation |
|
Political interference / policy changes |
Breach of competition laws |
|
Premature obsolescence of technology |
Breach of Listing requirements |
|
Cheaper alternative products / services |
Tax penalties |
|
Acquisition target |
Sales tax penalties |
|
Lack of innovation |
Health and Safety breach |
|
Inadequate management information |
Breach of environmental regulations |
|
Breach of industry-specific regulations |
|
|
Seizure of records by tax or customs authorities or by Anton Piller order |
|
|
Financial |
Health & Human Resource Issues |
|
Starvation / high cost of capital |
Salmonella |
|
Over-trading |
Legionnaires' disease |
|
Credit risk |
Malicious damage |
|
Interest risk |
Industrial action |
|
Exchange rate risk |
Loss of key staff |
|
Treasury exposure |
Succession issues |
|
Fraud |
Espionage |
|
Claims |
Breach of confidentiality |
|
Failure to deliver returns |
Skills / staff shortage |
|
Share price slump |
|
|
Cashflow / liquidity problems |
|
|
Rogue trading |
Table 2: Example of a Simple Risk Analysis Form
|
Risk ID: |
Risk Title:
|
Owner:
|
Date Initiated: |
||||
|
Risk Description: |
|||||||
|
Impact Description: |
|||||||
|
Trigger and Monitoring Details: |
|||||||
|
Mitigating Strategy: |
|||||||
|
Fall-Back Strategy: |
|||||||
|
Date last Reviewed and Comments: |
Probability: |
Impact: |
Category |
||||
|
Approved: |
Approved: |
||||||
Credit:
Andrew Hiles is Founder and former Chairman of Survive, the Business Continuity Group and a director of Kingswell, international consultants in Enterprise Risk Management. He is author of Business Continuity Management – Best Practice, published 2000 by Rothstein Inc (www.rothstein.com)
