Philip Green is CEO of First Resource Management Group Inc., which manages forests in Canada. Before this he was president of Greenbridge Management Inc., which provided risk management, process management, continuous improvement and statistical consulting services to industries in North and South America, Europe and Asia. He is co-author of misLeading Indicators: How to Reliably Measure your Business (with Prof George Gabor of Dalhousie University) published by Praeger. He has an M.Sc. in Statistics from McMaster University (1984).
Enterprise Risk Management: A Common Framework for the Entire Organization discusses the many types of risks all businesses face. It reviews various categories of risk, including financial, cyber, health, safety and environmental, brand, supply chain, political, and strategic risks, among many others. It provides a common framework and terminology for managing these risks in order to build an effective enterprise risk management system, one that enables companies to prevent major risk events, detect them when they happen, and respond quickly, appropriately, and resiliently. The book solves the problem of differing strategies, techniques, and terminology within an organization and between different risk specialties by presenting the core principles common to managing all types of risks, while also showing how these principles apply to physical, financial, brand, and global strategy risks. Enterprise Risk Management is ideal for executives and managers across the entire organization, providing the comprehensive understanding they need, in everyday language, to successfully navigate, manage, and mitigate the complex risks they face in today's global market.

- Provides a framework on which to build an enterprise-wide system to manage risk and potential losses in business settings
- Solves the problem of differing strategies, techniques, and terminology within an organization by presenting the core principles common to managing all types of risks
- Offers principles which apply to physical, financial, brand, and global strategy risks
- Presents useful, building-block information in everyday language for both managers and risk practitioners across the entire organization
Contents
Author Biographies
1 Introduction to Risk Management Principles
What is Risk?
Risk Context
Risk Assessment
Risk Identification
Risk Analysis
Risk Prioritization
Risk Treatment
Risk Monitoring and Review
Reasoning about Probability, Uncertainty, and Likelihood
Structure of this Book
Notes
I. Physical Risk Management
2 Environmental Risk
Environmental Risks—the Social Dimension
Environmental Risk—the Legal Dimension
Types of Environmental Risks
Identifying Environmental Risks
Document Review
Site Review
Formal Environmental Risk Assessments in Operations
Environmental Risk Management: The Noranda Model—and Beyond
Approvals for Large Industrial Projects: The Environmental Risks
Who Does What?
Line versus Staff Roles
The Role of the Board of Directors and Senior Managers—Governance
Management Incentives
The Importance of Corporate Culture—from the Board Room to the Shop Floor
Notes
3 Health and Safety Risk Management: Perspective of a Petroleum Refinery Manager
Effects of Health and Safety on Organizations
Human Effects
Material Effects
Intangible Effects
Legal Effects
Personal Effects
Financial Effects
Safety Culture
Risk Assessment—Cornerstone of the Program
Risk Identification
Risk Analysis
Risk Prioritization
Risk Treatment
Risk Monitoring and Review
Current Trends in Health and Safety Risk Management
Notes
4 Project Risk Management
Background
Types of Risks in Projects
Sources of Project Risks
Sources of Technical Risks
Managing Risks during the Project Life Cycle
Conceptual Study
Prefeasibility Study
Feasibility Study
Project Execution
Managing the Risk of Being Late and Exceeding Budget
5 Operational Risk: Building a Resilient Organization
Operational Risk—Context
Why Things Go Wrong
Alignment Around Risk Communication
The Elements of Operational Risk Resilience
Awareness and Risk Assessment
Treatment through Prevention and Detection (“Preparation”)
Response and Recovery
Adapt and Operate in the Face of Change
Operational Risk Resilience Model
Note
6 Supply Chain Risk Management
Supply Chain Risk Management for the Business Line Manager
Main Causes of Supply Chain Disruption
Risk Assessment
Risk Assessment Challenges
Risk Analysis and Prioritization
Basic Supply Chain Health Check Questions
Risk Treatment
Risk Monitoring and Review
Emerging Risks in Supply Chains
Climate Change
Global, JIT, Lean Supply Chains
Increasing Social Inequity and Potential Supply Chain Risks
Increased Population and Migration
Dependence on Information Technology
The Benefits of Improving Supply Chain Risk Management
Notes
II. Intangible Risk
7 Cybersecurity
Cyber Risk Management Overview
Leadership and Governance
Leadership
Governance
Legal and Compliance
Risk Assessment
Sources of Risk
Cybercriminals
Petty Criminals
Organized Criminals
Hacktivists
Nation-state–sponsored Criminals
The Underground Economy
Noncompliance with Cybersecurity Requirements
Errors and Omissions
Events
Risk Analysis and Prioritization
Identifying Asset Value
Risk Criteria
Likelihood
Consequence
Risk Treatment
Business Continuity
Securing the Human Element
Security Awareness Training
Background and Personnel Checks
Operations and Technology
Technology
Operations
Transferring Risk
Risk Monitoring and Review
External Threat Monitoring
Visible Web
Invisible Web
Security Metrics
Postmortem Cybersecurity Event Reviews
Notes
8 Brand Risk
Why Brands Matter
The Importance of Trust
Who Owns Brand Risk Management?
The High-Speed Landscape of Brand Risk
How Counterinsurgency Theory May Help Us Manage Brand Risk
Key Takeaways
Notes
9 Human Capital Risk: The Threat from Inside
Nasty Events Can Happen: Source of Human Capital Risk
Fraud: Deliberate Misuse or Misappropriation of a Company’s Resources, Often for Personal Gain
Infiltration: An Insider Threat Having Both Internal and External Consequences
Espionage: A Clandestine Process for Acquiring Secrets
Sabotage: A Deliberate Act Causing Destruction, Disruption, or Physical Harm
Infiltration through the Contracted Workforce
Employees as Targets
Hostile and Aggressive Workplace Events
Managing Human Capital Risk
Changing Culture
Employee and Contractor Screening
Security Policies, Procedures, and Systems
Awareness and Training
Employee and Contractor Life Cycle Management
Terminations
Conclusion: An Integrated Approach to Managing Malicious Human Capital Risks
Notes
Further Reading
III. Financial Risk Management
10 An Aggregated Approach to Risk Analysis: Risk Portfolios
The Challenges of the Traditional “Siloed” Approach to Risk Analysis
The Benefits of an Aggregated (Risk Portfolio) Approach to Risk Analysis
Operationalizing a Risk Portfolio
Risks Associated with Implementing a Risk Portfolio
Making a Decision to Implement a Risk Portfolio
Notes
11 Managing Common Financial Risks
Types of Financial Risk
Currency Risk
Commodity Risk
Credit Risk
Liquidity Risk
Market Risk
Financial Risk Mitigation Strategies
Behavioral Biases that Create Financial Risk
Cognitive Errors
Emotional Biases
Unhedged Strategies
Hedging
Notes
12 The Role of Insurance in Enterprise Risk Management
Risk and Value
Determinants of Value
How Risk Affects Value
The Supply of Insurance
Insurance Pricing in a Competitive Market
Factors Limiting the Availability of Insurance
Demand for Insurance by Public Companies
Shareholder Diversification of Risk
Commercial Insurance Reduces Firm-Specific Risk
Impact of Systematic and Firm-Specific Risk on Value
Effect of Insurance on Expected Cash Flows
Demand for Insurance by Closely Held Companies
Other Management Objectives and Risk Management
Interaction between Mitigation and Insurance
Summary Questions to Ask
Notes
IV. Global and Strategic Risk
13 Risk Culture
Risk Culture and Organizational Culture
Risk Culture in Financial Services
Safety Culture
Measuring Risk Culture
Managing Risk Culture
Rewards and Performance Management
Incentives Create Rather than Control Risk
Risk Identification
Risk Analysis
Risk Prioritization
Actions to Treat Incentive Risk
Incentive Governance
Performance Management
Conclusions
Notes
14 The Role of the Board of Directors in Risk Management
Directors Govern, Managers Manage
Providing Leadership and Affecting Risk Culture
Structuring Boards to Govern Risk Management
The Information on Which Boards Rely
Demands on Directors from Stakeholders and Litigation
Conclusion
Notes
15 Political Risk
The Arab Spring
Identifying Sources of Political Risk
Crisis Contagion
How Likely Are the Risks You Face?
Responding to the Unexpected
Political Risk May Be Counterintuitive
Reputational Risk
Political Risk Assessment
Mitigating Political Risk
Notes
16 Strategic Risk: The Risks “of” and “to” a Strategy: The Case of Blockbuster and the Need for Strategic Flexibility
Tradeoffs and the Risks of a Strategy
Innovation and the Risks to a Strategy
Assessing Strategic Risks
Strategy, Innovation, and Flexibility
Notes
Index
Introduction to Risk Management Principles
Philip E.J. Green
This chapter defines a common process and vocabulary for managing and implementing enterprise risk management in an organization. The process is common to all types of risks and is applied in the remaining chapters of the book. This eliminates semantic differences between chapters and topics so that the reader can focus on the substantive aspects of each type of risk and how it relates to other types of risk and to enterprise risk management as a whole. The main elements of the process are establishing the context for risk management, risk assessment, risk treatment, risk monitoring, and risk review. Reasoning about probability, uncertainty, and likelihood, and the challenges of “measuring” risk, are also covered.
Keywords
risk management; risk assessment; risk mitigation; enterprise risk management; ISO 31000; probability; uncertainty; key risk indicators
Ultimately it is the business manager, not the risk specialist, who is responsible when things go wrong. The challenge the manager faces is that the many fields of risk management are dominated by specialists and jargon. The insurance broker, the safety manager, the cybersecurity specialist, the financial risk manager, and the engineer all use different language to describe risk. Even within each specialty there are variations in the way language is used, making it hard for a generalist to distinguish between what is particular about risk management in one field versus another—say, cybersecurity versus safety—and what is common, and thus what should be done by the specialist and by the generalist.
Another challenge is the seemingly infinite variety of risk management processes. If you search the Internet for “risk management process,” you will quickly see the wide variety of approaches favored by different consultants and experts. There are four-, five-, six-, and nine-step risk management processes. There are risk management cycles, flowcharts, pyramids, and decision trees. There is obviously value in the creativity of the human mind applied to risk. But there is also value in simplification and standardization.
This book aims to equip the reader to effectively manage an organization’s risks, to provide the reader with a common vocabulary and process for managing all types of risk and to provide insights into each of the particularities of several critical types of risk. The idea is to help readers focus on the substantive aspects of several risk specialties, rather than on the semantic and procedural.
This chapter sets out a vocabulary and risk management process common to the remaining chapters of the book (terms commonly used throughout the book are underlined in this chapter). All the authors have contributed to this chapter. In their own chapters, they have applied its concepts to their specific field of risk management. The terminology and the risk management process we have adopted for the book are inspired by an international risk management standard.1 This book is respectful toward, but does not take a position on, that standard; nor does it blindly adhere to it. We do not claim that the words and the risk management process are novel. What is novel is our use of them as a common approach applicable to the entire enterprise as well as to multiple types of risk—hence the title. This book cannot cover all types of risk that an enterprise faces. By showing that different experts use a similar thought process and language, employed from different viewpoints, I hope that the common approach will be clear to readers, allowing them to extend the principles covered in this and the other chapters to specialties not covered herein.
The idea of a risk specialty is somewhat fluid. A single event may have multiple consequences; sometimes they can escalate or cascade in a ripple effect. These consequences may even affect areas of the business considered to be under the domain of different risk specialties. For example, a pipeline spill may injure employees or the public (health and safety risk), kill fish and pollute a river (environment and sustainability risk), shut down operations (operational risk), harm a pipeline company’s brand or reputation (brand risk), disrupt supply chains (supply chain risk), increase insurance premiums and cost billions to clean up, causing share prices to drop (financial risk), change the political context in which the pipeline company is hoping to gain approval for a new pipeline (political risk), and disrupt the company’s growth strategy (strategic risk). Complicating matters, specialists often view risks through their own lenses: The safety manager might classify a pipeline spill as a safety risk, the marketing executive as a brand risk, and the loss control manager as a financial risk, and so on, all dealing with the risk with their own specialty’s tools and jargon. It is much better to have a common approach and an enterprise-wide risk management system.
What is Risk?
What is risk? The word contains two key ideas: uncertainty and outcomes. In common usage, people associate risk with negative outcomes more than with positive ones, but usually both are present. The idea of outcomes can be broadened to think of goals or objectives. A jaywalker may have two objectives: to save time instead of waiting for a green traffic light, and to cross the street without being hit by a car. There is uncertainty about whether he can jaywalk and meet those objectives. The first objective relates to a positive outcome (saved time), the second to a negative outcome (injury).
Risk can thus be thought of as the effect of uncertainty on objectives. This book expresses risk as the consequences of an event, such as being hit by a car while jaywalking, and the associated likelihood of that event.
There are several ways that people commonly use the word risk. Some use it to refer to the likelihood of an event’s happening, others to the consequences if it does happen. For example, when someone states that California has greater earthquake risk than New York, he or she could be saying that earthquakes are more likely in California. Or when someone states that XYZ Corp has greater risk, should a cyberattack occur, than another company does, he or she could mean that XYZ Corp would suffer a greater loss if a cyberattack were to occur. In fact, risk deals with both likelihood and consequences. People also commonly use the term risk to refer to unpredictability or variability in outcomes. For example, financial analysts will say that a high-tech stock has greater risk than a utility stock because the returns on the high-tech stock have greater variability and are thus more difficult to predict. In other words, there is greater uncertainty about the desired outcome, the return on the investment.
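The three readings of the word risk described above (likelihood, consequence, and variability) can rank the same set of exposures differently, which is exactly why a common vocabulary matters when specialists compare notes. The following Python snippet is an added example, not code from the book: it applies each reading, plus the book's combined likelihood-and-consequence view (expected loss), to three constructed assets with hypothetical outcome distributions. The asset names helpdesk_portal, customer_db and trading_book and all loss figures and probabilities are invented for illustration; it also rejects a distribution whose probabilities do not sum to one, a defect worth checking for in any hand-maintained risk register.

```python
"""Three readings of the word "risk" (likelihood, consequence, variability), plus
the book's combined view, applied to the same outcome distributions.
Added example, not code from the book; all names and figures are constructed."""
from dataclasses import dataclass
from math import isclose, sqrt


@dataclass(frozen=True)
class Scenario:
    loss: float         # consequence in currency units; 0 = nothing happens, negative = a gain
    probability: float  # likelihood of this outcome


# Constructed sample data: hypothetical assets and figures, not from the book.
# Each list is a discrete outcome distribution whose probabilities sum to 1.
ASSETS = {
    # frequent but small losses, e.g. phishing-driven account resets
    "helpdesk_portal": [Scenario(0.0, 0.70), Scenario(20_000.0, 0.30)],
    # rare but severe: a breach of the customer database
    "customer_db": [Scenario(0.0, 0.98), Scenario(5_000_000.0, 0.02)],
    # symmetric gain or loss: a position that can go either way
    "trading_book": [Scenario(-200_000.0, 0.50), Scenario(200_000.0, 0.50)],
}


def is_valid_distribution(scenarios):
    """True when every probability lies in [0, 1] and they sum to 1."""
    total = sum(s.probability for s in scenarios)
    in_range = all(0.0 <= s.probability <= 1.0 for s in scenarios)
    return in_range and isclose(total, 1.0, abs_tol=1e-9)


def _checked(scenarios):
    # Reject inputs a risk register should never contain, rather than silently
    # computing a number from something that is not a probability distribution.
    if not is_valid_distribution(scenarios):
        raise ValueError("probabilities must lie in [0, 1] and sum to 1")
    return scenarios


def likelihood_of_loss(scenarios):
    """Reading 1: risk as the probability that any loss occurs."""
    return sum(s.probability for s in _checked(scenarios) if s.loss > 0)


def worst_consequence(scenarios):
    """Reading 2: risk as the size of the loss if the event happens."""
    return max(s.loss for s in _checked(scenarios))


def expected_loss(scenarios):
    """The book's combined view: each consequence weighted by its likelihood."""
    return sum(s.loss * s.probability for s in _checked(scenarios))


def variability(scenarios):
    """Reading 3, the financial analyst's: risk as unpredictability of the
    outcome, measured here as its standard deviation."""
    mean = expected_loss(scenarios)
    return sqrt(sum(s.probability * (s.loss - mean) ** 2 for s in scenarios))


def rank_by(metric, assets=ASSETS):
    """Asset names ordered from riskiest to least risky under one reading."""
    return sorted(assets, key=lambda name: metric(assets[name]), reverse=True)


if __name__ == "__main__":
    for metric in (likelihood_of_loss, worst_consequence, expected_loss, variability):
        print(f"{metric.__name__:>18}: {rank_by(metric)}")
```

Run as a script it prints one ranking per reading. With these figures the trading book is "riskiest" by likelihood of loss and has zero expected loss, yet ranks second by variability; the customer database is the rarest event but tops every other ordering. A safety manager, a CFO and a cyber risk analyst each quoting "the risk" of an asset may therefore be reporting a different column of this table.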
What is enterprise risk management? Enterprise risk management is a system in which managers are concerned with managing the risks of the entire enterprise. In a more traditional approach various specialists focus on specific or “pure” risks, which are not aggregated to provide a view of the risk the enterprise faces.
What is risk management? Risk management is the coordinated set of principles, processes, activities, roles and responsibilities, and infrastructure, combined into a system and used to control the actions of an organization in light of the risks it faces.
Enterprise risk management applies many of the fundamental principles of management; indeed, it is an integral part of management. The contributors to this book have emphasized these principles from different viewpoints, but two receive special attention: communication and accountability (or responsibility). The authors look at these issues through the perspective of their own risk specialty, but taken together, they provide useful insights that are applicable to other types of risk. For example, Chapter 5 discusses operational risk and describes a top-to-bottom communication process (illustrated by Figure 5–2 of that chapter) that melds nicely with the portfolio method of aggregating risks described in Chapter 10, where a central challenge is communicating which risks should be included in the portfolio. The same process also melds nicely with the approach in Chapter 2 regarding internal communication of environmental risks. The principles outlined in these chapters apply to many other areas.
To manage the risks of the entire enterprise suggests that some individual, perhaps a chief risk officer or a group reporting to him or her, knows the risks of the entire enterprise. But this is impractical and bureaucratic. Alternatively, people at the top of the organization could manage the small number of large risks and people at the bottom the large number of small risks. This has appeal, but because a small mishap, indiscretion, or malevolent act by a single employee can in some cases cause disaster for the entire enterprise, the top cannot simply leave it up to the bottom to deal with risk unsupervised.
The solution that emerges from the contributors is that communication is a mix. Top management must use its communications to set the tone, direction, and policy for the enterprise in relation to risk. It should provide training about the risks the enterprise faces and how to manage them. It must seek out information to determine whether risks, big or small, are being managed systematically throughout the...
Publication date (per publisher) | 6 August 2015
---|---
Language | English
Subject | Business ► Business Administration / Management ► Corporate Management / Management
 | Business ► Business Administration / Management ► Business Informatics
ISBN-10 | 0-12-800676-5 / 0128006765
ISBN-13 | 978-0-12-800676-4 / 9780128006764
Formats | PDF (3.5 MB) and EPUB (3.1 MB), both with Adobe DRM: the eBook is authorized to your personal Adobe ID at download and can be read only on devices registered to that Adobe ID. Readable on PC/Mac, most eBook readers (not the Amazon Kindle), and Apple or Android smartphones and tablets; it can also be read online in a web browser.